Windows Analysis Report
merd.msi

Overview

General Information

Sample name: merd.msi
Analysis ID: 1558852
MD5: 309abcad11b67d2498cf87c4e10ff30f
SHA1: 0d805a684b889846a7b00cecc0ee84c7cf93398d
SHA256: c39abdca1a31b20fe06969a36102c784df7f63847ec930dfaf8c4bd97b4558bf
Tags: msi, user-pr0xylife

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Drops executables to the windows directory (C:\Windows) and starts them
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Malware Callback Communication
Checks for available system drives (often done to infect USB drives)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • msiexec.exe (PID: 1128 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\merd.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7028 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2404 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0EFDC05CDA91B8EDA63E72E36A36CCC4 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MSIC93C.tmp (PID: 1280 cmdline: "C:\Windows\Installer\MSIC93C.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface MD5: B9545ED17695A32FACE8C3408A6A3553)
  • rundll32.exe (PID: 2264 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1088 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection Author: Florian Roth (Nextron Systems): Data: DestinationIp: 94.232.40.38, DestinationIsIpv6: false, DestinationPort: 4438, EventID: 3, Image: C:\Windows\System32\rundll32.exe, Initiated: true, ProcessId: 1088, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49756
No Suricata rule has matched

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.4% probability
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIC93C.tmp, 00000004.00000000.2218211364.0000000000D77000.00000002.00000001.01000000.00000003.sdmp, MSIC93C.tmp, 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp, merd.msi, MSIC93C.tmp.2.dr, MSIC69C.tmp.2.dr, 3cc446.msi.2.dr
Source: Binary string: edb.pdb source: rundll32.exe, 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp, sqx.dll.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: merd.msi, MSIC62D.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: merd.msi, MSIC62D.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIC93C.tmp, 00000004.00000000.2218211364.0000000000D77000.00000002.00000001.01000000.00000003.sdmp, MSIC93C.tmp, 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp, merd.msi, MSIC93C.tmp.2.dr, MSIC69C.tmp.2.dr, 3cc446.msi.2.dr
Source: Binary string: edb.pdbH source: rundll32.exe, 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp, sqx.dll.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D6AF79 FindFirstFileExW

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 94.232.40.38 4438
Source: C:\Windows\System32\rundll32.exe Network Connect: 46.249.49.83 4438
Source: global traffic TCP traffic: 192.168.2.6:49756 -> 94.232.40.38:4438
Source: global traffic TCP traffic: 192.168.2.6:49984 -> 46.249.49.83:4438
Source: Joe Sandbox View ASN Name: WELLWEBNL WELLWEBNL
Source: Joe Sandbox View ASN Name: SERVERIUS-ASNL SERVERIUS-ASNL
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: uayyau.com
Source: global traffic DNS traffic detected: DNS query: guaaug.com
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r10.o.lencr.org0#
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://t2.symcb.com0
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://tl.symcd.com0&
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000006.00000002.4676778848.0000023DD1865000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000006.00000002.4676778848.0000023DD1865000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: rundll32.exe, 00000006.00000003.3380185924.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141435810.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guaaug.com/
Source: rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guaaug.com/~
Source: rundll32.exe, 00000006.00000003.3380185924.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141435810.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guaaug.com:4438/
Source: rundll32.exe, 00000006.00000003.3380185924.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141435810.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guaaug.com:4438/almaz.php
Source: rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guaaug.com:4438/almaz.phpl5
Source: rundll32.exe, 00000006.00000003.3380302884.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guaaug.com:4438/almaz.phpos.dll.muie43f
Source: rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guaaug.com:4438/topaz.php
Source: rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://guaaug.com:4438/topaz.php?m
Source: rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2594329499.0000023DD1844000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com/
Source: rundll32.exe, 00000006.00000003.4141435810.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com:4438/
Source: rundll32.exe, 00000006.00000003.2594329499.0000023DD180C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380302884.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com:4438/almaz.php
Source: rundll32.exe, 00000006.00000003.2594329499.0000023DD180C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380302884.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com:4438/almaz.phpO
Source: rundll32.exe, 00000006.00000003.2594329499.0000023DD180C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380302884.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com:4438/almaz.phpd
Source: rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com:4438/g.com:4438/almaz.phpos.dll.muie43f
Source: rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com:4438/topaz.php
Source: rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com:4438/topaz.php;
Source: rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com:4438/topaz.phpl
Source: rundll32.exe, 00000006.00000003.4141435810.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com:4438/topaz.phpq
Source: rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uayyau.com:4438/topaz.phpx
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: https://www.advancedinstaller.com
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000023DD319D2AD NtAllocateVirtualMemory
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_0000023DD319D31D NtProtectVirtualMemory
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93757924 NtAllocateVirtualMemory
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31B55C0 NtClose,NtTerminateThread
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D45F0 NtDuplicateObject
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31BF3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,NtClose
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D4BE0 NtProtectVirtualMemory
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D4360 NtCreateThreadEx
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31A71B0 NtClose
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D51C0 NtReadVirtualMemory
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31B7A50 NtSetContextThread
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31B8149 NtSetContextThread
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D4FF0 NtQueueApcThread
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D4740 NtFreeVirtualMemory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3cc446.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC55F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC5CD.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC5FD.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC62D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{F51335B5-861E-4317-91B1-6EA78A6DECF1}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC69C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC93C.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIC55F.tmp
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D36A50
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D6F032
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D5C2CA
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D692A9
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D5E270
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D684BD
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D5A587
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D6D8D5
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D3C870
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D5A915
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D54920
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D60A48
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D39CC0
Source: C:\Windows\Installer\MSIC93C.tmp Code function: 4_2_00D65D6D
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93682440
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93738390
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936EF420
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9372D2F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936C82C8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936E22C7
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936982B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936B6280
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9372E340
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936DE260
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936AF330
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9369D310
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93716210
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93737170
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93702200
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936EB1F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93746150
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93693150
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936A3110
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936867A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936CC790
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9371D850
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93701857
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93702820
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9370A7B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93682800
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936EB6B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93715710
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9369E6A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93695680
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93724690
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936B35C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936B8590
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936F0580
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93703570
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936F1570
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936F5650
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936BA640
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936F74A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936B1490
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936D8480
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936BF4E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936D7B80
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93735C40
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93700C30
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93732B40
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936EDA70
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9369CB20
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93719AD0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9368C990
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9371CA30
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93696A20
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936878D0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93734900
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936F98A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936DB8A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93727950
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9374B95C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD9373F860
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93731000
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93737F70
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936BAEB0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93689F20
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936F1F10
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93690DD0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936D8DD0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936D5DB0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936ECD90
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936FFE30
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93705E20
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD93724DB0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936C7C7A
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFD936A1C60
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31B55C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31B4DB0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31CB5E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31C55E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31BB4E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31A9500
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31C4550
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31A5D60
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31C2BB0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31C13A3
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31CFBC0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31BCBE0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D1490
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31B42A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31C82A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31A99D0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D0210
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31C7220
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31BA100
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31B9120
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D2812
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31B16A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31BBED0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31A66C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31C66E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31AA730
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D1F40
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000023DD31D2F60
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD936A99C0 appears 40 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD936B0740 appears 167 times
Source: C:\Windows\System32\rundll32.exeCode function: String function: 00007FFD936CEA80 appears 127 times
Source: C:\Windows\Installer\MSIC93C.tmpCode function: String function: 00D53790 appears 39 times
Source: C:\Windows\Installer\MSIC93C.tmpCode function: String function: 00D5325F appears 103 times
Source: C:\Windows\Installer\MSIC93C.tmpCode function: String function: 00D53292 appears 70 times
Source: merd.msiBinary or memory string: OriginalFilenameviewer.exeF vs merd.msi
Source: merd.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs merd.msi
Source: sqx.dll.2.drStatic PE information: Section: .rsrc ZLIB complexity 0.9957094637423936
Source: classification engineClassification label: mal64.evad.winMSI@9/24@2/2
Source: C:\Windows\Installer\MSIC93C.tmpCode function: 4_2_00D33860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,4_2_00D33860
Source: C:\Windows\Installer\MSIC93C.tmpCode function: 4_2_00D34BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,4_2_00D34BA0
Source: C:\Windows\Installer\MSIC93C.tmpCode function: 4_2_00D345B0 LoadResource,LockResource,SizeofResource,4_2_00D345B0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CMLC84D.tmpJump to behavior
Source: C:\Windows\System32\rundll32.exeMutant created: NULL
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFCA61258E98C5C7E5.TMPJump to behavior
Source: C:\Windows\Installer\MSIC93C.tmpKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface
Source: rundll32.exe, 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp, sqx.dll.2.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, rundll32.exe, 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp, sqx.dll.2.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\merd.msi"
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0EFDC05CDA91B8EDA63E72E36A36CCC4
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSIC93C.tmp "C:\Windows\Installer\MSIC93C.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface
Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0EFDC05CDA91B8EDA63E72E36A36CCC4Jump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSIC93C.tmp "C:\Windows\Installer\MSIC93C.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterfaceJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterfaceJump to behavior
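Detection logic for the process chain recorded above: msiexec.exe drops and starts C:\Windows\Installer\MSIC93C.tmp, whose command line hands rundll32.exe a DLL in the user's AppData\Roaming folder with the export GetDbInterface; the SysWOW64 rundll32.exe then re-launches its System32 counterpart with the same command line, and the report later shows rundll32.exe connecting to 94.232.40.38 and 46.249.49.83 on port 4438. The script below is an added example and not part of the Joe Sandbox report. Its event records are constructed from the command lines and connections listed in this report in a Sysmon-like shape; the parents of the first msiexec.exe and of the first rundll32.exe are given as unknown because the report records none, and the final benign rundll32.exe line is an invented control for contrast.

```python
"""Detection checks for the msiexec.exe -> MSI*.tmp -> rundll32.exe -> C2 chain
recorded in this report.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from the
command lines and network connections the report lists, in a Sysmon-like shape
(EventID 1 = process create, EventID 3 = network connect). Parents the report does
not record are given as "unknown"; the last rundll32.exe line is an invented
benign control and is not from the report.
"""
import re

EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": "unknown",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\merd.msi"'},
    {"EventID": 1, "Image": r"C:\Windows\Installer\MSIC93C.tmp",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\Installer\MSIC93C.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe '
                    r'C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": "unknown",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface'},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "94.232.40.38", "DestinationPort": 4438},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "46.249.49.83", "DestinationPort": 4438},
    # Constructed benign control: Windows itself using rundll32 with a System32 DLL.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Image match covers both the System32 and the SysWOW64 copy of rundll32.exe.
RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)
# Windows Installer stages custom-action binaries as C:\Windows\Installer\MSI<hex>.tmp.
MSI_CUSTOM_ACTION = re.compile(r"^C:\\Windows\\Installer\\MSI[0-9A-F]+\.tmp$", re.IGNORECASE)
# A DLL under the user's profile (AppData\Roaming or AppData\Local).
USER_PROFILE_DLL = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\[^\s,]*?\.dll", re.IGNORECASE)
STANDARD_PORTS = frozenset({80, 443})


def rundll32_loads_dll_from_user_profile(ev) -> bool:
    """rundll32.exe asked to load a DLL from a user-writable profile directory."""
    return (ev["EventID"] == 1 and bool(RUNDLL32.search(ev["Image"]))
            and bool(USER_PROFILE_DLL.search(ev["CommandLine"])))


def msi_custom_action_launches_rundll32(ev) -> bool:
    """An MSI custom-action binary whose own command line hands a DLL to rundll32.exe."""
    return (ev["EventID"] == 1 and bool(MSI_CUSTOM_ACTION.match(ev["Image"]))
            and "rundll32" in ev["CommandLine"].lower())


def rundll32_connects_to_nonstandard_port(ev) -> bool:
    """rundll32.exe making an outbound connection on a port other than 80/443."""
    return (ev["EventID"] == 3 and bool(RUNDLL32.search(ev["Image"]))
            and ev["DestinationPort"] not in STANDARD_PORTS)


RULES = (rundll32_loads_dll_from_user_profile,
         msi_custom_action_launches_rundll32,
         rundll32_connects_to_nonstandard_port)


def evaluate(events):
    """Return (rule name, evidence) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                evidence = ev.get("CommandLine") or f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
                hits.append((rule.__name__, evidence))
    return hits


if __name__ == "__main__":
    for name, evidence in evaluate(EVENTS):
        print(f"{name}: {evidence}")
```

Matching on the DLL path rather than on the parent process matters for this sample: the custom action is started with /DontWait and the first rundll32.exe appears in the report with no recorded parent, so a pure parent-child rule would miss it, and the second rundll32.exe has the SysWOW64 binary as its parent, so the image match has to accept both the System32 and the SysWOW64 path.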
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\Installer\MSIC93C.tmp | Section loaded: kernel.appcore.dll
Source: C:\Windows\Installer\MSIC93C.tmp | Section loaded: uxtheme.dll
Source: C:\Windows\Installer\MSIC93C.tmp | Section loaded: sxs.dll
Source: C:\Windows\Installer\MSIC93C.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Installer\MSIC93C.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Installer\MSIC93C.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Source: merd.msi | Static file information: File size 2048000 > 1048576
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSIC93C.tmp, 00000004.00000000.2218211364.0000000000D77000.00000002.00000001.01000000.00000003.sdmp, MSIC93C.tmp, 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp, merd.msi, MSIC93C.tmp.2.dr, MSIC69C.tmp.2.dr, 3cc446.msi.2.dr
Source: Binary string: edb.pdb source: rundll32.exe, 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp, sqx.dll.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: merd.msi, MSIC62D.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: merd.msi, MSIC62D.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIC93C.tmp, 00000004.00000000.2218211364.0000000000D77000.00000002.00000001.01000000.00000003.sdmp, MSIC93C.tmp, 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp, merd.msi, MSIC93C.tmp.2.dr, MSIC69C.tmp.2.dr, 3cc446.msi.2.dr
Source: Binary string: edb.pdbH source: rundll32.exe, 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp, sqx.dll.2.dr
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00007FFD93740290 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: sqx.dll.2.dr | Static PE information: real checksum: 0x11271d should be: 0x14702c
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D5323C push ecx; ret 4_2_00D5324F
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00007FFD936F3B5F push D8E80007h; retf 6_2_00007FFD936F3B65
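Two of the static findings above on sqx.dll.2.dr, the .rsrc section with ZLIB complexity 0.9957 and the header checksum 0x11271d that the report says should be 0x14702c, can be reproduced on any PE with the Python standard library. The script below is an added example, not Joe Sandbox code: it implements the documented PE CheckSum algorithm (sum of 16-bit words with the carry folded back in, skipping the CheckSum field itself, plus the file length), walks the section table, and reports each section's zlib compressed-to-raw ratio. It takes the path of the file to inspect as its only argument; the minimal PE32+ image built by build_minimal_pe() is constructed for testing and is not derived from the analysed sample.

```python
"""Static PE checks behind two findings in this report: the header CheckSum
comparison and per-section zlib compressibility.

Added example, not Joe Sandbox code. Standard library only; build_minimal_pe()
produces a constructed test image, not bytes from the analysed sample.
"""
import hashlib
import struct
import sys
import zlib


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: PE signature (4 bytes)
    + COFF file header (20 bytes) + 64 bytes into the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """CheckSum as imagehlp's MapFileAndCheckSum computes it: sum of all 16-bit
    little-endian words with the carry folded back in, the 4-byte CheckSum
    field skipped, then the file length added."""
    skip = checksum_field_offset(data)
    total = 0
    for off in range(0, len(data) & ~1, 2):
        if off in (skip, skip + 2):
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:                       # odd-length file: last byte counts alone
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_status(data: bytes) -> str:
    """'unset' (header holds 0, common for unsigned files), 'ok', or 'mismatch'
    (file changed after linking, e.g. packed or patched)."""
    stored = stored_checksum(data)
    if stored == 0:
        return "unset"
    return "ok" if stored == pe_checksum(data) else "mismatch"


def sections(data: bytes):
    """Yield (name, raw bytes) for every entry in the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(n_sections):
        entry = table + i * 40
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]


def zlib_complexity(blob: bytes) -> float:
    """Compressed size / raw size. Ordinary code and data land well below 1;
    packed, compressed or encrypted payloads sit near 1.0."""
    if not blob:
        return 0.0
    return len(zlib.compress(blob, 9)) / len(blob)


def pseudo_random_bytes(n: int, seed: int = 7) -> bytes:
    """Deterministic stand-in for an encrypted payload (SHA-256 counter stream)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(struct.pack("<QQ", seed, counter)).digest()
        counter += 1
    return bytes(out[:n])


def build_minimal_pe(payload: bytes, checksum: int = 0) -> bytes:
    """Constructed PE32+ image with a single .rsrc section holding payload."""
    e_lfanew, opt_size = 0x40, 240
    hdr = bytearray(e_lfanew + 4 + 20 + opt_size + 40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HH", hdr, coff, 0x8664, 1)           # Machine, NumberOfSections
    struct.pack_into("<H", hdr, coff + 16, opt_size)        # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", hdr, opt + 64, checksum)         # CheckSum field
    sec = opt + opt_size
    hdr[sec:sec + 8] = b".rsrc\0\0\0"
    struct.pack_into("<II", hdr, sec + 16, len(payload), len(hdr))  # SizeOfRawData, PointerToRawData
    return bytes(hdr) + payload


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read()   # assumed: path of the PE under triage
    print(f"checksum stored=0x{stored_checksum(data):x} computed=0x{pe_checksum(data):x} -> {checksum_status(data)}")
    for name, blob in sections(data):
        print(f"{name:8s} raw={len(blob):8d} zlib complexity={zlib_complexity(blob):.4f}")
```

A stored value of zero is reported as unset rather than as a mismatch, since many unsigned binaries never have a checksum written; a non-zero value that does not match the recomputed one means the file was altered after linking, which is what the report's checksum finding flags. A ratio near 1.0, as for .rsrc here, means the section content is already compressed or encrypted and is the same heuristic behind the "ZLIB complexity" line.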

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSIC93C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC55F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC5CD.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\sqx.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC5FD.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC93C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC62D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC55F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC5CD.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC5FD.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC93C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC62D.tmp
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,6_2_0000023DD31C4D00
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIC55F.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIC5CD.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\sqx.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIC5FD.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIC62D.tmp
Source: C:\Windows\Installer\MSIC93C.tmp | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_4-33353
Source: C:\Windows\Installer\MSIC93C.tmp | API coverage: 6.6 %
Source: C:\Windows\System32\rundll32.exe | API coverage: 8.5 %
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D6AF79 FindFirstFileExW
Source: rundll32.exe, 00000006.00000003.4141521948.0000023DD184E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD184E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD184E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2594329499.0000023DD184E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000023DD31ACCE0 LdrGetProcedureAddress
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D3D0A5 IsDebuggerPresent,OutputDebugStringW
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00007FFD93740290 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D62DCC mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D6AD78 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D32310 GetProcessHeap
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSIC93C.tmp "C:\Windows\Installer\MSIC93C.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D533A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D5353F SetUnhandledExceptionFilter
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D52968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D56E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00007FFD937412C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00007FFD93740568 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00007FFD93746EC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 94.232.40.38 4438
Source: C:\Windows\System32\rundll32.exe | Network Connect: 46.249.49.83 4438
Source: C:\Windows\System32\rundll32.exe | Thread register set: 1088 1
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D352F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D535A9 cpuid
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: EnumSystemLocalesW,4_2_00D6E0C6
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: EnumSystemLocalesW,4_2_00D6E1AC
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: EnumSystemLocalesW,4_2_00D6E111
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: EnumSystemLocalesW,4_2_00D67132
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_00D6E237
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: GetLocaleInfoEx,4_2_00D523F8
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: GetLocaleInfoW,4_2_00D6E48A
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_00D6E5B3
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: GetLocaleInfoW,4_2_00D6E6B9
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: GetLocaleInfoW,4_2_00D676AF
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00D6E788
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_00D6DE24
Source: C:\Windows\System32\rundll32.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,6_2_00007FFD937522E0
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,6_2_00007FFD93752718
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,6_2_00007FFD93752648
Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_00007FFD93752B58
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,6_2_00007FFD9374A9A8
Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoW,6_2_00007FFD9374AD3C
Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_00007FFD93752D3C
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D537D5 GetSystemTimeAsFileTime,GetCurrentThre​adId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000023DD31C4D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo
Source: C:\Windows\Installer\MSIC93C.tmp | Code function: 4_2_00D67B1F GetTimeZoneInformation
MITRE ATT&CK Matrix (one line per tactic, techniques in the order of the report's matrix; a number in parentheses is the report's match badge for that technique, entries without one are unmatched matrix cells)
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Native API (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Process Injection (2, 1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1), File Deletion (1), Masquerading (1, 2, 1), Process Injection (2, 1), Rundll32 (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2), Peripheral Device Discovery (1, 1), Account Discovery (1), File and Directory Discovery (1), System Information Discovery (3, 3), Security Software Discovery (2, 1), Process Discovery (2), System Owner/User Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Source | Detection | Scanner | Label | Link
merd.msi | 0% | ReversingLabs
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\sqx.dll | 0% | ReversingLabs
C:\Windows\Installer\MSIC55F.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIC5CD.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIC5FD.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIC62D.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIC93C.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://uayyau.com:4438/almaz.php | 0% | Avira URL Cloud | safe
https://guaaug.com/~ | 0% | Avira URL Cloud | safe
https://uayyau.com:4438/almaz.phpd | 0% | Avira URL Cloud | safe
https://guaaug.com:4438/almaz.phpos.dll.muie43f | 0% | Avira URL Cloud | safe
https://guaaug.com:4438/almaz.phpl5 | 0% | Avira URL Cloud | safe
https://uayyau.com:4438/topaz.php; | 0% | Avira URL Cloud | safe
https://guaaug.com:4438/topaz.php?m | 0% | Avira URL Cloud | safe
https://uayyau.com:4438/topaz.phpx | 0% | Avira URL Cloud | safe
https://guaaug.com:4438/topaz.php | 0% | Avira URL Cloud | safe
https://uayyau.com:4438/g.com:4438/almaz.phpos.dll.muie43f | 0% | Avira URL Cloud | safe
https://uayyau.com:4438/topaz.phpl | 0% | Avira URL Cloud | safe
https://uayyau.com:4438/almaz.phpO | 0% | Avira URL Cloud | safe
https://guaaug.com/ | 0% | Avira URL Cloud | safe
https://uayyau.com:4438/topaz.php | 0% | Avira URL Cloud | safe
https://guaaug.com:4438/ | 0% | Avira URL Cloud | safe
https://uayyau.com/ | 0% | Avira URL Cloud | safe
https://uayyau.com:4438/topaz.phpq | 0% | Avira URL Cloud | safe
https://guaaug.com:4438/almaz.php | 0% | Avira URL Cloud | safe
https://uayyau.com:4438/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
guaaug.com | 46.249.49.83 | true | true | | unknown
uayyau.com | 94.232.40.38 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://uayyau.com:4438/almaz.phpd | rundll32.exe, 00000006.00000003.2594329499.0000023DD180C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380302884.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://guaaug.com:4438/almaz.phpl5 | rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://guaaug.com:4438/topaz.php | rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://r10.o.lencr.org0# | rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://uayyau.com:4438/almaz.php | rundll32.exe, 00000006.00000003.2594329499.0000023DD180C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380302884.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uayyau.com:4438/topaz.php; | rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://guaaug.com:4438/almaz.phpos.dll.muie43f | rundll32.exe, 00000006.00000003.3380302884.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://guaaug.com/~ | rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uayyau.com:4438/topaz.phpx | rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.thawte.com/cps0/ | merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr | false | | high
https://guaaug.com:4438/topaz.php?m | rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uayyau.com:4438/g.com:4438/almaz.phpos.dll.muie43f | rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | rundll32.exe, 00000006.00000002.4676778848.0000023DD1865000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | rundll32.exe, 00000006.00000002.4676778848.0000023DD1865000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.thawte.com/repository0W | merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr | false | | high
https://uayyau.com:4438/almaz.phpO | rundll32.exe, 00000006.00000003.2594329499.0000023DD180C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380302884.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uayyau.com:4438/topaz.phpl | rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.advancedinstaller.com | merd.msi, MSIC93C.tmp.2.dr, MSIC62D.tmp.2.dr, MSIC69C.tmp.2.dr, MSIC55F.tmp.2.dr, MSIC5FD.tmp.2.dr, 3cc446.msi.2.dr, MSIC5CD.tmp.2.dr | false | | high
https://guaaug.com/ | rundll32.exe, 00000006.00000003.3380185924.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141435810.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://guaaug.com:4438/ | rundll32.exe, 00000006.00000003.3380185924.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141435810.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uayyau.com:4438/topaz.php | rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://guaaug.com:4438/almaz.php | rundll32.exe, 00000006.00000003.3380185924.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141435810.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uayyau.com:4438/ | rundll32.exe, 00000006.00000003.4141435810.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141571449.0000023DD180D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uayyau.com:4438/topaz.phpq | rundll32.exe, 00000006.00000003.4141435810.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://r10.i.lencr.org/0 | rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD185E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4676778848.0000023DD17C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://uayyau.com/ | rundll32.exe, 00000006.00000002.4676778848.0000023DD1824000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4141521948.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3380256760.0000023DD182A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2594329499.0000023DD1844000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
94.232.40.38 | uayyau.com | Russian Federation | | 44477 | WELLWEBNL | true
46.249.49.83 | guaaug.com | Netherlands | | 50673 | SERVERIUS-ASNL | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1558852
                    Start date and time:2024-11-19 21:25:12 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 57s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed:10
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:merd.msi
                    Detection:MAL
                    Classification:mal64.evad.winMSI@9/24@2/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 94%
                    • Number of executed functions: 29
                    • Number of non-executed functions: 163
                    Cookbook Comments:
                    • Found application associated with file extension: .msi
                    • Override analysis time to 240s for rundll32
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: merd.msi
                    No simulations
                    No context
                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WELLWEBNL | mesh.exe | Get hash | malicious | MeshAgent | Browse | 94.232.43.185
WELLWEBNL | mesh.exe | Get hash | malicious | MeshAgent | Browse | 94.232.43.185
WELLWEBNL | Document-19-06-38.js | Get hash | malicious | BruteRatel | Browse | 94.232.43.213
WELLWEBNL | 81zBpBAWwc.exe | Get hash | malicious | RHADAMANTHYS | Browse | 94.232.45.36
WELLWEBNL | JeZHGKJvrB.exe | Get hash | malicious | Unknown | Browse | 94.232.44.144
WELLWEBNL | hFoVk4DJXG.exe | Get hash | malicious | Unknown | Browse | 94.232.44.144
WELLWEBNL | JbZaDxFXF3.exe | Get hash | malicious | NetSupport RAT | Browse | 94.232.42.28
WELLWEBNL | file.exe | Get hash | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc | Browse | 94.232.45.38
WELLWEBNL | SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe | Get hash | malicious | Conti, PureLog Stealer, Targeted Ransomware | Browse | 87.251.75.92
WELLWEBNL | SecuriteInfo.com.BackDoor.SpyBotNET.62.21177.12908.exe | Get hash | malicious | EICAR, PureLog Stealer, zgRAT | Browse | 94.232.45.38
SERVERIUS-ASNL | https://www.packs.nl/tracktrace/?zendingnr=UT1301675937&pc6hnr=4813XC | Get hash | malicious | Phisher | Browse | 195.238.75.6
SERVERIUS-ASNL | pitU5Y4aKy.js | Get hash | malicious | Unknown | Browse | 188.119.112.115
SERVERIUS-ASNL | la.bot.arm5.elf | Get hash | malicious | Unknown | Browse | 185.79.113.7
SERVERIUS-ASNL | la.bot.sh4.elf | Get hash | malicious | Unknown | Browse | 178.19.118.180
SERVERIUS-ASNL | https://www.filemail.com/t/cFCAI9C4 | Get hash | malicious | HtmlDropper | Browse | 178.21.23.182
SERVERIUS-ASNL | SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe | Get hash | malicious | Unknown | Browse | 91.210.175.3
SERVERIUS-ASNL | SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe | Get hash | malicious | Unknown | Browse | 91.210.175.3
SERVERIUS-ASNL | 81zBpBAWwc.exe | Get hash | malicious | RHADAMANTHYS | Browse | 46.249.49.17
SERVERIUS-ASNL | Document-20-18-07.js | Get hash | malicious | Bazar Loader, BruteRatel, Latrodectus | Browse | 188.119.112.7
SERVERIUS-ASNL | Document-18-33-08.js | Get hash | malicious | Bazar Loader, BruteRatel, Latrodectus | Browse | 188.119.112.7
                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Windows\Installer\MSIC55F.tmp | medk.msi | Get hash | malicious | BruteRatel, Latrodectus | Browse |
C:\Windows\Installer\MSIC55F.tmp | lavi.msi | Get hash | malicious | BruteRatel, Latrodectus | Browse |
C:\Windows\Installer\MSIC55F.tmp | Document-v09-42-38.js | Get hash | malicious | BruteRatel | Browse |
C:\Windows\Installer\MSIC55F.tmp | Document-v05-53-20.js | Get hash | malicious | BruteRatel, Latrodectus | Browse |
C:\Windows\Installer\MSIC55F.tmp | FW3x3p4eZ5.msi | Get hash | malicious | Bazar Loader, BruteRatel | Browse |
C:\Windows\Installer\MSIC55F.tmp | Document-19-06-38.js | Get hash | malicious | BruteRatel | Browse |
C:\Windows\Installer\MSIC55F.tmp | Document-19-06-38.js | Get hash | malicious | BruteRatel | Browse |
C:\Windows\Installer\MSIC55F.tmp | Document-14-33-26.js | Get hash | malicious | Unknown | Browse |
C:\Windows\Installer\MSIC55F.tmp | net.msi | Get hash | malicious | Unknown | Browse |
C:\Windows\Installer\MSIC55F.tmp | Document-14-33-26.js | Get hash | malicious | Unknown | Browse |
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):1202
                                        Entropy (8bit):5.688971984316714
                                        Encrypted:false
                                        SSDEEP:24:JOgoMFI6bkwQrVRpU/eFzl4FPLQOMSDhiSg9sF+LK:8O1ILbhzlcPtD8Sgsd
                                        MD5:8DB27ACD92B73B446FC64A4AC08B2000
                                        SHA1:C5B9FBEC5E2609210563E64E3145DEC4A1637AC9
                                        SHA-256:71F0E1CB365C4839678F3C3674B8B83B781D60321641CF4529309705BA47B1C6
                                        SHA-512:7883B68A0443264D1BF4968FCF17411E2D57CA04A89F4D47EF5028DECF6294DD24931463BE4013BF4B1050B60C5897550392C7EDC766EF37922E9EDB690B70E9
                                        Malicious:false
                                        Reputation:low
                                        Preview:...@IXOS.@.....@G{sY.@.....@.....@.....@.....@.....@......&.{F51335B5-861E-4317-91B1-6EA78A6DECF1}..HangProduct..merd.msi.@.....@.....@.....@........&.{2FA1465C-CAAF-4714-9719-EBB4D60E3716}.....@.....@.....@.....@.......@.....@.....@.......@......HangProduct......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{F51335B5-861E-4317-91B1-6EA78A6DECF1}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{F51335B5-861E-4317-91B1-6EA78A6DECF1}.@......&.{AC9BABC1-3E75-4758-84F3-990895BA2360}&.{F51335B5-861E-4317-91B1-6EA78A6DECF1}.@........CreateFolders..Creating folders..Folder: [1]#.9.C:\Users\user\AppData\Roaming\Baware LTD\HangProduct\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..".C:\Users\user\AppData\Roaming\....).C:\Users\user\AppData\Roaming\sqx.dll....WriteRegistryValues..Writing system registry values..Key
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):1330688
                                        Entropy (8bit):6.910483690960765
                                        Encrypted:false
                                        SSDEEP:24576:pQrDp6J8JM3IgVvF7EtPCo1Frk5fRJhqYEjTvpAbHT0HRZonw4by:pQpI8JM3IwEtPCo1F45fvhq/jTyb4HR+
                                        MD5:DD862590D9E4EA1791DF147912AE4C8F
                                        SHA1:852D7A9EA4DB5FF4CD51A92447A8D5701CFB322B
                                        SHA-256:14FFCBBFB305287EA15264DF3363567F36A26917AE2018AF0F40E2009B8A7184
                                        SHA-512:3E9222D8BD91D3E53F5E378318A78A7C5AA12011272031F7C0D8C36C5B255DB1D0A168CC02E1159EB021DD18206352DD6DCB857FEFC2222937C467350DC6D568
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O............@.....@......@......~.....~.....~.. ..@................C..[..C.....C........r....C.....Rich...........PE..d......g.........." ...).j..........0................................................'....`A............................................L...\...(....................z..pS..............p...............................@............................................text....h.......j.................. ..`.rdata...).......*...n..............@..@.data...8N.......8..................@....pdata..............................@..@.rsrc................b..............@..@.reloc...............<..............@..B................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2FA1465C-CAAF-4714-9719-EBB4D60E3716}, Number of Words: 10, Subject: HangProduct, Author: Baware LTD, Name of Creating Application: HangProduct, Template: ;1033, Comments: This installer database contains the logic and data required to install HangProduct., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                        Category:dropped
                                        Size (bytes):2048000
                                        Entropy (8bit):7.403849976111386
                                        Encrypted:false
                                        SSDEEP:49152:ecS3YhW8zBQSc0ZnSKBZKumZr7AQkojSo0kzI8ZVE6VPbe:sYY0Zn3K/AQz3Tbx56
                                        MD5:309ABCAD11B67D2498CF87C4E10FF30F
                                        SHA1:0D805A684B889846A7B00CECC0EE84C7CF93398D
                                        SHA-256:C39ABDCA1A31B20FE06969A36102C784DF7F63847EC930DFAF8C4BD97B4558BF
                                        SHA-512:0F0C0F4A04AE65532A7F4C197CA22C371D904A5B3055E14BD537A3C092D8B4526A597564019395ED0B05D4FFBC6D9B450A8D267DE3906F88AC2D320F9C75BDD9
                                        Malicious:false
                                        Reputation:low
                                        Preview:......................>................... ...................................E.......a...............................(...)...*...+...,...-...........A...B...C...D...E...F...G...H...I...J...K...L...M...................................................................................................................................................................................................................................................................................................................................<...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...;...?...5...6...7...8...9...:.......=.......>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):446944
                                        Entropy (8bit):6.403916470886214
                                        Encrypted:false
                                        SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                        MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                        SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                        SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                        SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
                                        • Filename: medk.msi, Detection: malicious, Browse
                                        • Filename: lavi.msi, Detection: malicious, Browse
                                        • Filename: Document-v09-42-38.js, Detection: malicious, Browse
                                        • Filename: Document-v05-53-20.js, Detection: malicious, Browse
                                        • Filename: FW3x3p4eZ5.msi, Detection: malicious, Browse
                                        • Filename: Document-19-06-38.js, Detection: malicious, Browse
                                        • Filename: Document-19-06-38.js, Detection: malicious, Browse
                                        • Filename: Document-14-33-26.js, Detection: malicious, Browse
                                        • Filename: net.msi, Detection: malicious, Browse
                                        • Filename: Document-14-33-26.js, Detection: malicious, Browse
                                        Reputation:moderate, very likely benign file
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):446944
                                        Entropy (8bit):6.403916470886214
                                        Encrypted:false
                                        SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                        MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                        SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                        SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                        SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):446944
                                        Entropy (8bit):6.403916470886214
                                        Encrypted:false
                                        SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                        MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                        SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                        SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                        SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):446944
                                        Entropy (8bit):6.403916470886214
                                        Encrypted:false
                                        SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                        MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                        SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                        SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                        SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):400999
                                        Entropy (8bit):6.591672439536237
                                        Encrypted:false
                                        SSDEEP:6144:WMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1O:WMvZx0FlS68zBQSncb4ZPQTpAjZxqO1O
                                        MD5:0736BACC0CDCC5A0AB1A41F8324CEA21
                                        SHA1:A95CBBE32868BB040507DD4D4059627F200A84CF
                                        SHA-256:58E093E4938EBD3CF9FDFD5BF2D52C9C896FCA88838ECAFD0AE296245DBA342E
                                        SHA-512:457242871B382BBB34CBBE05CF242AC8771A6A954C885828B671F080395A9EFCF63170704DA9688D624632936DC754E4A67095748887CC000A04EC7346E9199C
                                        Malicious:false
                                        Preview:...@IXOS.@.....@G{sY.@.....@.....@.....@.....@.....@......&.{F51335B5-861E-4317-91B1-6EA78A6DECF1}..HangProduct..merd.msi.@.....@.....@.....@........&.{2FA1465C-CAAF-4714-9719-EBB4D60E3716}.....@.....@.....@.....@.......@.....@.....@.......@......HangProduct......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}9.C:\Users\user\AppData\Roaming\Baware LTD\HangProduct\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}+.01:\Software\Baware LTD\HangProduct\Version.@.......@.....@.....@......&.{AC9BABC1-3E75-4758-84F3-990895BA2360}).C:\Users\user\AppData\Roaming\sqx.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".9.C:\Users\user\AppData\Roaming\Baware LTD\HangProduct\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.N...@.....@......
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):399328
                                        Entropy (8bit):6.589290025452677
                                        Encrypted:false
                                        SSDEEP:6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
                                        MD5:B9545ED17695A32FACE8C3408A6A3553
                                        SHA1:F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
                                        SHA-256:1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
                                        SHA-512:F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................J......J..5.......................J......J......J..........Y..."......".q............."......Rich....................PE..L....<.a.........."......^...........2.......p....@..........................P......".....@.................................0....................................5...V..p....................X.......W..@............p.. ............................text....\.......^.................. ..`.rdata..XA...p...B...b..............@..@.data....6..........................@....rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.161935060523795
                                        Encrypted:false
                                        SSDEEP:12:JSbX72FjJl6AGiLIlHVRpzh/7777777777777777777777777vDHFt9H/mp01l0G:JkQI53lfV8F
                                        MD5:B560AFA794C7B36BBD5B373C3B58062D
                                        SHA1:354AEC225AE9D97C2964AEB8850B888FD4BA04AD
                                        SHA-256:DC4132E88FDE1B24B4E5760573BFB3FE5184D2CC57EE8A86328A387B9EA38679
                                        SHA-512:62AF30483579AA8BEAA6728D4C3AC12C58D861B5150B11124CEA30A0B1951031F8DA7B473858773AC95F037EB9056E1CAF3E453DE84CDEB0D5DF73E346547D0B
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.5399350567185328
                                        Encrypted:false
                                        SSDEEP:48:Wh8PhGuRc06WXJeFT5gplS8rAEbCywflS8nT:phG11FTuriwCN
                                        MD5:B2C66DA0CBD0DDAD5B8E1481E90AC919
                                        SHA1:160EE87EC5F221D5C9168C2A530452014247FD15
                                        SHA-256:C31A6457D7D1D2D9795A87FF77D7D241ECB4FD7999E641281A394EE15D9A7C38
                                        SHA-512:0E8533AC3BF423372865EC5978BE8F26AA3D6C0FBFC62B3AEAB6648B169211F7607D548A48460D95F946536A2CC5A508A483E67FD9DC0FBC2E82103910811C36
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):360001
                                        Entropy (8bit):5.36299747484991
                                        Encrypted:false
                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauY:zTtbmkExhMJCIpE5
                                        MD5:F64A518030A2B6FF06E95E3E11AEACE9
                                        SHA1:3FA676B9AD8FDD69EF62E648BB7B92A38FAF1F79
                                        SHA-256:DF5C9862BD5140919BBA9A84AA76DC9DBB8A1F506B24157FDB0584AFED57C25A
                                        SHA-512:CBD1E0776DBB34612E056CED180CD74D56A97EB9C79C862951F6543747DE27BB01FBD20B4789F1ED2A5A2600420FF0E2C331FD7DE645FA7403F1B8CE0C1EC326
                                        Malicious:false
                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):1.2368862934626572
                                        Encrypted:false
                                        SSDEEP:48:YixOuUAO+CFXJfT54plS8rAEbCywflS8nT:hOPh3TWriwCN
                                        MD5:B732389003BFE6288C6CF5CC4DB0DDC9
                                        SHA1:C4A0CCD6759A16AFC4AD5B05194777A0D00B78D7
                                        SHA-256:62E0BFBC50880FD49E033A5B4CABCCD494B04F91F2342368D736C8B92AA7245C
                                        SHA-512:181520062E71C3170A74E78E3F2086D761A4BF63312D0E687BEA5FD40E73F424A8944922C52DF850756839C467CA816EA2C7E045AF4B33EF488F4EF81D4F6F61
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.5399350567185328
                                        Encrypted:false
                                        SSDEEP:48:Wh8PhGuRc06WXJeFT5gplS8rAEbCywflS8nT:phG11FTuriwCN
                                        MD5:B2C66DA0CBD0DDAD5B8E1481E90AC919
                                        SHA1:160EE87EC5F221D5C9168C2A530452014247FD15
                                        SHA-256:C31A6457D7D1D2D9795A87FF77D7D241ECB4FD7999E641281A394EE15D9A7C38
                                        SHA-512:0E8533AC3BF423372865EC5978BE8F26AA3D6C0FBFC62B3AEAB6648B169211F7607D548A48460D95F946536A2CC5A508A483E67FD9DC0FBC2E82103910811C36
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):73728
                                        Entropy (8bit):0.1294307822338413
                                        Encrypted:false
                                        SSDEEP:24:kdl6aTxk1CeipVk1C8k1CeipVk1CEAEVkyjCyK3VgwGQF+k2:GT4lS8OlS8rAEbCyw5
                                        MD5:39C5A7807ED74E8FF54B87F8B71B125C
                                        SHA1:5B3CD73D15A00A38F3BE9F60464D89BB27F25908
                                        SHA-256:9AC20A0D1924C1619D0DDA04E939B4C634B3C75F7E27C9F2C06455462E65E93B
                                        SHA-512:EDFD73FC4F0738E89AC67E6333E77A54198F6C1341D3A59A4BB5D621C2B1D91C1AB02DA9B0BD6C9E5464339F45D376AC2538EA5BCACFA923050186704432510C
                                        Malicious:false
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):1.2368862934626572
                                        Encrypted:false
                                        SSDEEP:48:YixOuUAO+CFXJfT54plS8rAEbCywflS8nT:hOPh3TWriwCN
                                        MD5:B732389003BFE6288C6CF5CC4DB0DDC9
                                        SHA1:C4A0CCD6759A16AFC4AD5B05194777A0D00B78D7
                                        SHA-256:62E0BFBC50880FD49E033A5B4CABCCD494B04F91F2342368D736C8B92AA7245C
                                        SHA-512:181520062E71C3170A74E78E3F2086D761A4BF63312D0E687BEA5FD40E73F424A8944922C52DF850756839C467CA816EA2C7E045AF4B33EF488F4EF81D4F6F61
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):0.0686047878676832
                                        Encrypted:false
                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOoC9OGzLRCSHoVky6l0t/:2F0i8n0itFzDHFt9H/z01
                                        MD5:68F8D321048C2FE326F39557C30B5396
                                        SHA1:7555CB1D3EFC77CC9725BFF657B9A0DCEBA8B4CD
                                        SHA-256:2F19363E0C900B7D93B012592734370D8D567FCFC470797D7ECBC871B5B54137
                                        SHA-512:06D96FEFC0339DB13C817C7A00EA1A0B9CD32B0B872044BF5D1C4D97909277CDFDC0C60B8F6CF32C09233A0AE996E5502CB771EC0892B69E8DD0D609AA46B535
                                        Malicious:false
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):1.2368862934626572
                                        Encrypted:false
                                        SSDEEP:48:YixOuUAO+CFXJfT54plS8rAEbCywflS8nT:hOPh3TWriwCN
                                        MD5:B732389003BFE6288C6CF5CC4DB0DDC9
                                        SHA1:C4A0CCD6759A16AFC4AD5B05194777A0D00B78D7
                                        SHA-256:62E0BFBC50880FD49E033A5B4CABCCD494B04F91F2342368D736C8B92AA7245C
                                        SHA-512:181520062E71C3170A74E78E3F2086D761A4BF63312D0E687BEA5FD40E73F424A8944922C52DF850756839C467CA816EA2C7E045AF4B33EF488F4EF81D4F6F61
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\msiexec.exe
                                        File Type:Composite Document File V2 Document, Cannot read section info
                                        Category:dropped
                                        Size (bytes):20480
                                        Entropy (8bit):1.5399350567185328
                                        Encrypted:false
                                        SSDEEP:48:Wh8PhGuRc06WXJeFT5gplS8rAEbCywflS8nT:phG11FTuriwCN
                                        MD5:B2C66DA0CBD0DDAD5B8E1481E90AC919
                                        SHA1:160EE87EC5F221D5C9168C2A530452014247FD15
                                        SHA-256:C31A6457D7D1D2D9795A87FF77D7D241ECB4FD7999E641281A394EE15D9A7C38
                                        SHA-512:0E8533AC3BF423372865EC5978BE8F26AA3D6C0FBFC62B3AEAB6648B169211F7607D548A48460D95F946536A2CC5A508A483E67FD9DC0FBC2E82103910811C36
                                        Malicious:false
                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2FA1465C-CAAF-4714-9719-EBB4D60E3716}, Number of Words: 10, Subject: HangProduct, Author: Baware LTD, Name of Creating Application: HangProduct, Template: ;1033, Comments: This installer database contains the logic and data required to install HangProduct., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                        Entropy (8bit):7.403849976111386
                                        TrID:
                                        • Windows SDK Setup Transform Script (63028/2) 47.91%
                                        • Microsoft Windows Installer (60509/1) 46.00%
                                        • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                        File name:merd.msi
                                        File size:2'048'000 bytes
                                        MD5:309abcad11b67d2498cf87c4e10ff30f
                                        SHA1:0d805a684b889846a7b00cecc0ee84c7cf93398d
                                        SHA256:c39abdca1a31b20fe06969a36102c784df7f63847ec930dfaf8c4bd97b4558bf
                                        SHA512:0f0c0f4a04ae65532a7f4c197ca22c371d904a5b3055e14bd537a3c092d8b4526a597564019395ed0b05d4ffbc6d9b450a8d267de3906f88ac2d320f9c75bdd9
                                        SSDEEP:49152:ecS3YhW8zBQSc0ZnSKBZKumZr7AQkojSo0kzI8ZVE6VPbe:sYY0Zn3K/AQz3Tbx56
                                        TLSH:4195E12233C6C537D96E01702A2AD76B5579FCB74B3140D7A3C8292E9EB44C1A639F93
                                        File Content Preview:........................>................... ...................................E.......a...............................(...)...*...+...,...-...........A...B...C...D...E...F...G...H...I...J...K...L...M......................................................
                                        Icon Hash:2d2e3797b32b2b99
                                        TCP Packets
                                        Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
                                        Nov 19, 2024 21:26:19.848424911 CET | 49756       | 4438      | 192.168.2.6  | 94.232.40.38
                                        Nov 19, 2024 21:26:19.853321075 CET | 4438        | 49756     | 94.232.40.38 | 192.168.2.6
                                        Nov 19, 2024 21:26:19.853542089 CET | 49756       | 4438      | 192.168.2.6  | 94.232.40.38
                                        Nov 19, 2024 21:26:19.869242907 CET | 49756       | 4438      | 192.168.2.6  | 94.232.40.38
                                        Nov 19, 2024 21:26:19.874181986 CET | 4438        | 49756     | 94.232.40.38 | 192.168.2.6
                                        Nov 19, 2024 21:26:52.165092945 CET | 49756       | 4438      | 192.168.2.6  | 94.232.40.38
                                        Nov 19, 2024 21:27:38.591818094 CET | 49984       | 4438      | 192.168.2.6  | 46.249.49.83
                                        Nov 19, 2024 21:27:38.596857071 CET | 4438        | 49984     | 46.249.49.83 | 192.168.2.6
                                        Nov 19, 2024 21:27:38.596961975 CET | 49984       | 4438      | 192.168.2.6  | 46.249.49.83
                                        Nov 19, 2024 21:27:38.597321033 CET | 49984       | 4438      | 192.168.2.6  | 46.249.49.83
                                        Nov 19, 2024 21:27:38.602215052 CET | 4438        | 49984     | 46.249.49.83 | 192.168.2.6
                                        Nov 19, 2024 21:28:10.758333921 CET | 49984       | 4438      | 192.168.2.6  | 46.249.49.83
                                        Nov 19, 2024 21:28:54.826247931 CET | 49986       | 4438      | 192.168.2.6  | 94.232.40.38
                                        Nov 19, 2024 21:28:54.831424952 CET | 4438        | 49986     | 94.232.40.38 | 192.168.2.6
                                        Nov 19, 2024 21:28:54.831959963 CET | 49986       | 4438      | 192.168.2.6  | 94.232.40.38
                                        Nov 19, 2024 21:28:54.832256079 CET | 49986       | 4438      | 192.168.2.6  | 94.232.40.38
                                        Nov 19, 2024 21:28:54.837193966 CET | 4438        | 49986     | 94.232.40.38 | 192.168.2.6
                                        Nov 19, 2024 21:29:26.883258104 CET | 49986       | 4438      | 192.168.2.6  | 94.232.40.38
                                        Nov 19, 2024 21:29:53.940803051 CET | 49988       | 4438      | 192.168.2.6  | 46.249.49.83
                                        Nov 19, 2024 21:29:53.946019888 CET | 4438        | 49988     | 46.249.49.83 | 192.168.2.6
                                        Nov 19, 2024 21:29:53.946130037 CET | 49988       | 4438      | 192.168.2.6  | 46.249.49.83
                                        Nov 19, 2024 21:29:53.946485043 CET | 49988       | 4438      | 192.168.2.6  | 46.249.49.83
                                        Nov 19, 2024 21:29:53.951412916 CET | 4438        | 49988     | 46.249.49.83 | 192.168.2.6
                                        Nov 19, 2024 21:30:17.705605030 CET | 4438        | 49988     | 46.249.49.83 | 192.168.2.6
                                        Nov 19, 2024 21:30:17.705655098 CET | 4438        | 49988     | 46.249.49.83 | 192.168.2.6
                                        Nov 19, 2024 21:30:17.705693007 CET | 4438        | 49988     | 46.249.49.83 | 192.168.2.6
                                        Nov 19, 2024 21:30:17.705792904 CET | 49988       | 4438      | 192.168.2.6  | 46.249.49.83
                                        Nov 19, 2024 21:30:17.705832958 CET | 49988       | 4438      | 192.168.2.6  | 46.249.49.83
                                        Nov 19, 2024 21:30:17.736217022 CET | 49988       | 4438      | 192.168.2.6  | 46.249.49.83
                                        Nov 19, 2024 21:30:17.741180897 CET | 4438        | 49988     | 46.249.49.83 | 192.168.2.6
                                        UDP Packets
                                        Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                        Nov 19, 2024 21:26:19.384254932 CET | 52609       | 53        | 192.168.2.6 | 1.1.1.1
                                        Nov 19, 2024 21:26:19.842051029 CET | 53          | 52609     | 1.1.1.1     | 192.168.2.6
                                        Nov 19, 2024 21:27:38.278565884 CET | 61795       | 53        | 192.168.2.6 | 1.1.1.1
                                        Nov 19, 2024 21:27:38.590754986 CET | 53          | 61795     | 1.1.1.1     | 192.168.2.6
                                        DNS Queries
                                        Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name       | Type           | Class       | DNS over HTTPS
                                        Nov 19, 2024 21:26:19.384254932 CET | 192.168.2.6 | 1.1.1.1 | 0x6eb0   | Standard query (0) | uayyau.com | A (IP address) | IN (0x0001) | false
                                        Nov 19, 2024 21:27:38.278565884 CET | 192.168.2.6 | 1.1.1.1 | 0xce10   | Standard query (0) | guaaug.com | A (IP address) | IN (0x0001) | false
                                        DNS Answers
                                        Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name       | CName | Address      | Type           | Class       | DNS over HTTPS
                                        Nov 19, 2024 21:26:19.842051029 CET | 1.1.1.1   | 192.168.2.6 | 0x6eb0   | No error (0) | uayyau.com |       | 94.232.40.38 | A (IP address) | IN (0x0001) | false
                                        Nov 19, 2024 21:27:38.590754986 CET | 1.1.1.1   | 192.168.2.6 | 0xce10   | No error (0) | guaaug.com |       | 46.249.49.83 | A (IP address) | IN (0x0001) | false
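The DNS answers and the TCP rows above describe two callback destinations: each domain is resolved once, and the sandbox then opens repeated connections to the returned address on port 4438, the non-standard port the signature list flags. The script below is an added example (it is not part of the Joe Sandbox report) that joins the two tables into an indicator list the way an analyst would before writing a block rule. The rows are copied from the report (a representative subset of the TCP rows, timestamps shortened); the sandbox subnet and the set of ports treated as "expected" are assumptions. Standard library only.

```python
"""Correlate a sandbox report's DNS answers with its TCP flows into an IOC list."""
import ipaddress

SANDBOX_NET = ipaddress.ip_network("192.168.2.0/24")  # assumption: the analysis VM's LAN
EXPECTED_PORTS = {80, 443, 8080, 8443}                 # assumption: ports we would not flag on their own

# (timestamp, src_port, dst_port, src_ip, dst_ip), copied from the report's TCP table
TCP_ROWS = [
    ("2024-11-19 21:26:19.848", 49756, 4438, "192.168.2.6", "94.232.40.38"),
    ("2024-11-19 21:26:19.853", 4438, 49756, "94.232.40.38", "192.168.2.6"),
    ("2024-11-19 21:26:52.165", 49756, 4438, "192.168.2.6", "94.232.40.38"),
    ("2024-11-19 21:27:38.591", 49984, 4438, "192.168.2.6", "46.249.49.83"),
    ("2024-11-19 21:27:38.596", 4438, 49984, "46.249.49.83", "192.168.2.6"),
    ("2024-11-19 21:28:54.826", 49986, 4438, "192.168.2.6", "94.232.40.38"),
    ("2024-11-19 21:29:53.940", 49988, 4438, "192.168.2.6", "46.249.49.83"),
    ("2024-11-19 21:30:17.705", 4438, 49988, "46.249.49.83", "192.168.2.6"),
]

# (timestamp, name, address), copied from the report's DNS answer table
DNS_ANSWERS = [
    ("2024-11-19 21:26:19.842", "uayyau.com", "94.232.40.38"),
    ("2024-11-19 21:27:38.590", "guaaug.com", "46.249.49.83"),
]


def resolutions(dns_answers):
    """Map each answered address to the set of names that resolved to it."""
    out = {}
    for _, name, addr in dns_answers:
        out.setdefault(addr, set()).add(name)
    return out


def outbound_flows(tcp_rows, sandbox_net=SANDBOX_NET):
    """Group sandbox -> remote packets per (dst_ip, dst_port).

    Each distinct ephemeral source port is one TCP connection, so the size of
    src_ports is the number of connection attempts to that destination.
    """
    flows = {}
    for ts, sport, dport, sip, dip in tcp_rows:
        if ipaddress.ip_address(sip) not in sandbox_net:
            continue  # reply direction; the outbound side already counts this flow
        if ipaddress.ip_address(dip) in sandbox_net:
            continue  # intra-LAN traffic is not a callback
        f = flows.setdefault((dip, dport), {"first_seen": ts, "packets": 0, "src_ports": set()})
        f["packets"] += 1
        f["src_ports"].add(sport)
    return flows


def callbacks(tcp_rows=TCP_ROWS, dns_answers=DNS_ANSWERS, expected_ports=EXPECTED_PORTS):
    """Join outbound flows with DNS answers and flag non-standard destination ports."""
    names = resolutions(dns_answers)
    report = []
    for (dip, dport), f in outbound_flows(tcp_rows).items():
        report.append({
            "domains": sorted(names.get(dip, ())),
            "ip": dip,
            "port": dport,
            "connections": len(f["src_ports"]),
            "packets": f["packets"],
            "first_seen": f["first_seen"],
            "nonstandard_port": dport not in expected_ports,
            "resolved_by_dns": dip in names,  # False would mean a hard-coded IP, worth noting separately
        })
    return report


def iocs(report=None):
    """Flat (kind, value) indicator list suitable for a blocklist or a hunt query."""
    report = callbacks() if report is None else report
    out = set()
    for r in report:
        out.add(("ip-port", f'{r["ip"]}:{r["port"]}'))
        for d in r["domains"]:
            out.add(("domain", d))
    return sorted(out)


if __name__ == "__main__":
    for r in callbacks():
        flag = "NONSTANDARD PORT" if r["nonstandard_port"] else ""
        print(f'{",".join(r["domains"]) or "-":<12} {r["ip"]}:{r["port"]}  '
              f'connections={r["connections"]} first_seen={r["first_seen"]} {flag}')
    for kind, value in iocs():
        print(kind, value)
```

Keeping the DNS join separate from the port check matters in practice: a destination that was never resolved by DNS points at a hard-coded address in the sample, which is a different (and often more stable) indicator than a domain.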
                                        Target ID:0
                                        Start time:15:26:12
                                        Start date:19/11/2024
                                        Path:C:\Windows\System32\msiexec.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\merd.msi"
                                        Imagebase:0x7ff6a1ce0000
                                        File size:69'632 bytes
                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:15:26:12
                                        Start date:19/11/2024
                                        Path:C:\Windows\System32\msiexec.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                        Imagebase:0x7ff6a1ce0000
                                        File size:69'632 bytes
                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:3
                                        Start time:15:26:12
                                        Start date:19/11/2024
                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 0EFDC05CDA91B8EDA63E72E36A36CCC4
                                        Imagebase:0x430000
                                        File size:59'904 bytes
                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:15:26:14
                                        Start date:19/11/2024
                                        Path:C:\Windows\Installer\MSIC93C.tmp
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Installer\MSIC93C.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface
                                        Imagebase:0xd30000
                                        File size:399'328 bytes
                                        MD5 hash:B9545ED17695A32FACE8C3408A6A3553
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:5
                                        Start time:15:26:14
                                        Start date:19/11/2024
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface
                                        Imagebase:0x6a0000
                                        File size:61'440 bytes
                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:6
                                        Start time:15:26:14
                                        Start date:19/11/2024
                                        Path:C:\Windows\System32\rundll32.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface
                                        Imagebase:0x7ff6c7e50000
                                        File size:71'680 bytes
                                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false
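The process records above show the launch chain an analyst wants to detect: msiexec.exe extracts a custom-action binary to C:\Windows\Installer\MSIC93C.tmp, which runs elevated and, with the /DontWait switch, starts rundll32.exe on a DLL dropped into the user's AppData\Roaming directory with the explicit export GetDbInterface; the same command line then appears under both the SysWOW64 and the System32 rundll32.exe image. The report does not list parent process IDs, but the launcher's command line embeds the child's full command line, which is enough to recover the link. The following is an added example (not part of the Joe Sandbox report) that applies such rules to the records copied from the process list; the tag names and the rules themselves are my own. Standard library only.

```python
"""Flag an installer .tmp -> rundll32 -> user-profile DLL launch chain from process records."""
import re

# (target_id, image_path, command_line, has_elevated_privileges), copied from the report
PROCESSES = [
    (0, r"C:\Windows\System32\msiexec.exe",
     r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\merd.msi"', True),
    (2, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", True),
    (3, r"C:\Windows\SysWOW64\msiexec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding 0EFDC05CDA91B8EDA63E72E36A36CCC4", True),
    (4, r"C:\Windows\Installer\MSIC93C.tmp",
     r'"C:\Windows\Installer\MSIC93C.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe '
     r'C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface', True),
    (5, r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface', False),
    (6, r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\sqx.dll, GetDbInterface', False),
]

# Windows Installer extracts custom-action binaries as C:\Windows\Installer\MSI<hex>.tmp
INSTALLER_TMP = re.compile(r"^c:\\windows\\installer\\msi[0-9a-f]+\.tmp$")
# "<drive>:\Users\...\AppData\...\x.dll, Export" as passed to rundll32
USER_DLL = re.compile(r'([a-z]:\\users\\[^,"]*?\\appdata\\[^,"]+?\.dll)\s*,\s*(\w+)', re.I)


def norm(cmd):
    """Lower-case, drop quotes, unify slashes and whitespace so a launcher's argument
    compares equal to the child's recorded command line (the .tmp writes rundll32's
    path with forward slashes, the child record uses backslashes)."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("/", "\\").lower()).strip()


def tags(proc):
    """Per-process indicators as a sorted list of tag strings."""
    _, image, cmd, elevated = proc
    img = image.lower()
    t = set()
    if INSTALLER_TMP.match(img):
        t.add("installer_tmp_exe")
        if elevated:
            t.add("installer_tmp_elevated")
    if "/dontwait" in cmd.lower():
        t.add("dontwait_switch")  # launcher returns without waiting for the child
    m = USER_DLL.search(cmd)
    if m and img.endswith("\\rundll32.exe"):
        t.add("rundll32_user_dll")  # rundll32 loading a DLL from a user-writable profile path
        t.add("rundll32_export:" + m.group(2))
    return sorted(t)


def rundll32_target(cmd):
    """(dll_path, export) named on a rundll32 command line, or None."""
    m = USER_DLL.search(cmd)
    return (m.group(1), m.group(2)) if m else None


def launch_links(procs=PROCESSES):
    """Infer (launcher_id, child_id) pairs: a launcher embeds the child's whole command
    line as an argument, i.e. at an index > 0. Identical command lines (the two rundll32
    records) match at index 0 and therefore do not link to each other."""
    links = set()
    for a in procs:
        na = norm(a[2])
        for b in procs:
            if a is not b and na.find(norm(b[2])) > 0:
                links.add((a[0], b[0]))
    return sorted(links)


def suspicious_chains(procs=PROCESSES):
    """Launcher/child pairs where an installer .tmp starts rundll32 on a user-profile DLL."""
    by_id = {p[0]: p for p in procs}
    out = []
    for a, b in launch_links(procs):
        if "installer_tmp_exe" in tags(by_id[a]) and "rundll32_user_dll" in tags(by_id[b]):
            out.append({"launcher": a, "child": b, "dll": rundll32_target(by_id[b][2])})
    return out


if __name__ == "__main__":
    for p in PROCESSES:
        print(p[0], p[1], tags(p))
    for c in suspicious_chains():
        print(f'target {c["launcher"]} -> target {c["child"]}: {c["dll"][0]} export {c["dll"][1]}')
```

In an EDR or Sysmon pipeline the parent/child link comes from process IDs rather than from command-line containment; the command-line rule is still useful there because a /DontWait launcher may already have exited by the time the child is inspected, which is exactly what this report records (MSIC93C.tmp "Has exited:true", both rundll32 instances still running).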


                                          Execution Graph

                                          Execution Coverage:1.6%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:38.8%
                                          Total number of Nodes:384
                                          Total number of Limit Nodes:11
                                          [execution_graph: node/edge listing of the interactive graph, not reproduced. Node addresses lie in the 0xd31000-0xd6c000 range, consistent with the 0xd30000 image base of C:\Windows\Installer\MSIC93C.tmp (Target ID 4). Win32/COM calls named on graph nodes: GetStartupInfoW, GetCommandLineW, LocalAlloc, LocalFree, RegOpenKeyExW, RegQueryValueExW, GetCurrentProcess, OpenProcessToken, GetTokenInformation, ConvertSidToStringSidW, GetProcessHeap, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, CoInitialize, CoCreateInstance, CoUninitialize, IUnknown_QueryService, IUnknown_QueryInterface_Proxy, CoAllowSetForegroundWindow, SysAllocString, SysFreeString, VariantInit, VariantClear, OpenProcess, WaitForSingleObject, GetExitCodeProcess, ShellExecuteExW, GetForegroundWindow, AllowSetForegroundWindow, EnumWindows, GetWindowThreadProcessId, GetWindowLongW, BringWindowToTop, GetWindowsDirectoryW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, FreeLibrary, CreateFileW, SetFilePointer, WriteFile, CloseHandle, Sleep, ExitProcess, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, RaiseException.]

                                          Control-flow graph for the function at 0xD34BA0 (rendered graph omitted). Blocks that call APIs or notable subroutines: d34ba0 calls d357c0 (the TokenElevation check) and then branches either to d34bf3, which calls d352f0 (the ShellExecuteExW launcher), or to the COM path at d34c15 CoInitialize, CoCreateInstance; d34c58 VariantInit; d34cb1 IUnknown_QueryService; d34d31 and d34d7f IUnknown_QueryInterface_Proxy; d34da8 CoAllowSetForegroundWindow; d34dca, d34df8 and d34e28 SysAllocString; d34e3d VariantInit; d34f1b calls d324c0, d312f0, d33860 and d32e60 (x2); d34fd5 OpenProcess, WaitForSingleObject; d3500b GetExitCodeProcess; d35025 CloseHandle; d3506e LocalFree; d350a0 VariantClear (x4), SysFreeString; d3515c VariantClear; d35187 CoUninitialize; d35190 calls d52937; d351b0 calls d3cf40 (_com_issue_error per the API list below); d351ba calls d311d0. The COM path hands BSTR arguments to a service interface obtained from the created object, then waits on a process handle obtained with OpenProcess and reads its exit code.
                                          APIs
                                            • Part of subcall function 00D357C0: GetCurrentProcess.KERNEL32(00000008,?,F8F9577D,?,-00000010), ref: 00D357D0
                                            • Part of subcall function 00D357C0: OpenProcessToken.ADVAPI32(00000000), ref: 00D357D7
                                          • CoInitialize.OLE32(00000000), ref: 00D34C15
                                          • CoCreateInstance.OLE32(00D772B0,00000000,00000004,00D85104,00000000,?), ref: 00D34C45
                                          • CoUninitialize.COMBASE ref: 00D35187
                                          • _com_issue_error.COMSUPP ref: 00D351B5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
                                          • String ID:
                                          • API String ID: 928366108-0
                                          • Opcode ID: d9bc2a6494e1efc216ff9934e9f9e39ada23c54a1ce9bad085de6f082b7e3dd3
                                          • Instruction ID: 68bb7f6c02c6691f0c8a2807ffd7f935c775d75e2c4f93677d2d4d2557fa7f47
                                          • Opcode Fuzzy Hash: d9bc2a6494e1efc216ff9934e9f9e39ada23c54a1ce9bad085de6f082b7e3dd3
                                          • Instruction Fuzzy Hash: 1B229F70E04388DFEF11CFA8D948BADBBB4AF45304F148199E809EB391D7759A49CB61

                                          Control-flow graph for the function at 0xD36A50 (rendered graph omitted). Blocks that call APIs or notable subroutines: d36aa3 GetCurrentProcess, OpenProcessToken (TOKEN_QUERY); d36af4 CloseHandle; d36b09 calls d35de0 (the wrapper around the TokenUser query at d35e40); d36b20 and d36b32 call d31770; d36b3f calls d35f40 and d324c0; d36bdd calls d32e60 (x2) and d31770, then d36c16 CloseHandle; d36c24 calls d357c0 (the TokenElevation check); d36d70 calls d34ba0 (the COM launcher); d36f10 calls d352f0 (the ShellExecuteExW launcher); d36f96 calls d311d0; d36a84 calls d52937. The remaining blocks are string handling through d32310, d346f0, d34ac0 and d352f0's helpers. The only string referenced by this function is the Local System SID S-1-5-18.
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00D36AC8
                                          • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00D36AD5
                                          • CloseHandle.KERNEL32(00000000), ref: 00D36AF5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Process$CloseCurrentHandleOpenToken
                                          • String ID: S-1-5-18
                                          • API String ID: 4052875653-4289277601
                                          • Opcode ID: cb60788cff8f75c7bc9a9e9dfcbf5fda4f1573b9104f9ab8f8571893abb037ea
                                          • Instruction ID: 1e9e1053f7a15194e58130e1733ccf18e299e384bd977e246a24c844532f67e1
                                          • Opcode Fuzzy Hash: cb60788cff8f75c7bc9a9e9dfcbf5fda4f1573b9104f9ab8f8571893abb037ea
                                          • Instruction Fuzzy Hash: 3302AD70901209AFDF14DFA4C9557AEBBB5EF05314F18C658E842AB285EB34EE05CBB0

                                          Control-flow graph for the function at 0xD357C0 (rendered graph omitted): d357c0 GetCurrentProcess, OpenProcessToken; d357e7 GetTokenInformation; d3581e CloseHandle; early exits at d357e1 (OpenProcessToken failed) and d35816 (GetTokenInformation failed). The TOKEN_INFORMATION_CLASS value passed is 0x14, which is TokenElevation; TOKEN_ELEVATION is a single DWORD, matching the 4-byte buffer length passed at 00D3580C. TokenIntegrityLevel is 0x19 and is not what this routine queries.
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000008,?,F8F9577D,?,-00000010), ref: 00D357D0
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00D357D7
                                          • GetTokenInformation.KERNELBASE(?,00000014(TokenElevation),?,00000004,?), ref: 00D3580C
                                          • CloseHandle.KERNEL32(?), ref: 00D35822
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                          • String ID:
                                          • API String ID: 215268677-0
                                          • Opcode ID: 2557ea6489cf467e5972bc5c61cd33cff93e65f3de98dd8e7cf0205d99386e00
                                          • Instruction ID: c157c213b8bd2997285f682a9eff94391c883e1730c5cea763b1f44c196f69b5
                                          • Opcode Fuzzy Hash: 2557ea6489cf467e5972bc5c61cd33cff93e65f3de98dd8e7cf0205d99386e00
                                          • Instruction Fuzzy Hash: 4CF01274148301ABE7109F10EC45B9A7BF8BB44700F548C19F984C2260E379955CDB73

                                          Control-flow graph for the function containing 0xD3CDE8-0xD3CEB1 (rendered graph omitted; the edge list was not captured).

                                          APIs
                                          • GetCommandLineW.KERNEL32(F8F9577D,?,?,?,?,?,?,?,?,?,00D756D5,000000FF), ref: 00D3CDE8
                                            • Part of subcall function 00D31F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,00D34251,F8F9577D,00000000,?,00000000,?,?,?,00D74400,000000FF,?), ref: 00D31F9D
                                          • ExitProcess.KERNEL32 ref: 00D3CEB1
                                            • Part of subcall function 00D36600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00D3667E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: AllocCommandCreateExitFileLineLocalProcess
                                          • String ID: Full command line:
                                          • API String ID: 1878577176-831861440
                                          • Opcode ID: e9f51c0600f97c4a670f052313a4e8f3a09f66c3320e481358a395ceac69183d
                                          • Instruction ID: 2c2a71a4995f1f392dc081b2294e513a0539e1c385badd1c11301e11d65e0ce2
                                          • Opcode Fuzzy Hash: e9f51c0600f97c4a670f052313a4e8f3a09f66c3320e481358a395ceac69183d
                                          • Instruction Fuzzy Hash: A821DE71A20214ABCB15FB60DC46BAE73B5EF44740F148568F406AB296EF749A08C7B2

                                          Control-flow graph for the function at 0xD35E40 (rendered graph omitted): d35e40 GetTokenInformation with a NULL buffer and zero length; d35ebe GetLastError; d35ee9 calls d360d0 or d35ef7 calls d54080 to obtain a buffer of the size the first call reported; d35f0e GetTokenInformation again with that buffer; exit at d35f20. This is the standard two-call size probe (first call fails with ERROR_INSUFFICIENT_BUFFER and returns the required length). The class value passed is 1, which is TokenUser; its caller at 0xD36A50 references the Local System SID S-1-5-18.
                                          APIs
                                          • GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,00D35E18,F8F9577D,?), ref: 00D35EB4
                                          • GetLastError.KERNEL32(?,TokenUser,00000000,00000000,00D35E18,F8F9577D,?), ref: 00D35EBE
                                          • GetTokenInformation.KERNELBASE(?,00000001(TokenUser),?,00000000,00000000,?,TokenUser,00000000,00000000,00D35E18,F8F9577D,?), ref: 00D35F1A
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: InformationToken$ErrorLast
                                          • String ID:
                                          • API String ID: 2567405617-0
                                          • Opcode ID: 9f28e3b738639a34d04e4ee009387a152ff22718572b259320452b2beae6729c
                                          • Instruction ID: 6578913922c72c44fc62a82be21cd9ad9c98af19e37bb42b4308fa4225d4bb8f
                                          • Opcode Fuzzy Hash: 9f28e3b738639a34d04e4ee009387a152ff22718572b259320452b2beae6729c
                                          • Instruction Fuzzy Hash: 79317A71A00605AFDB24CF98DC45BAFBBF9FB44714F10492AE415A7284E7B1A9048BA0
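The three token routines listed above (0xD357C0, which queries class 0x14 = TokenElevation; 0xD35E40, the two-call query of class 1 = TokenUser; and their caller at 0xD36A50, which references S-1-5-18) together answer one question: is this process elevated, and is it running as Local System? The following Python is an added example written for this report, not code recovered from the sample. It performs the same two queries through ctypes on Windows and keeps the SID decoding in a pure function so it can be checked offline. The SID byte strings in the tests are constructed; the Win32 bindings are real APIs, and the two-call size probe mirrors the GetTokenInformation / GetLastError / GetTokenInformation sequence at 00D35EB4 to 00D35F1A.

```python
"""Re-implementation of the two token checks seen in this report: class 0x14
(TokenElevation) at 0xD3580C and class 1 (TokenUser) at 0xD35EB4/0xD35F1A,
the latter compared with the Local System SID S-1-5-18 referenced by 0xD36A50.
Added example for this report; it is not code recovered from the sample."""
import ctypes
import struct
import sys

TOKEN_QUERY = 0x0008            # desired access passed to OpenProcessToken at 0xD36AD5
TOKEN_USER = 1                  # TOKEN_INFORMATION_CLASS value used at 0xD35EB4
TOKEN_ELEVATION = 20            # 0x14, the class queried at 0xD3580C
ERROR_INSUFFICIENT_BUFFER = 122
LOCAL_SYSTEM_SID = "S-1-5-18"


def sid_to_string(blob: bytes) -> str:
    """Render a binary SID (the layout GetTokenInformation(TokenUser) returns)
    as S-R-I-S... text. Bytes after the end of the SID are ignored."""
    if len(blob) < 8:
        raise ValueError("SID header truncated")
    revision, sub_count = blob[0], blob[1]
    if revision != 1 or sub_count > 15:          # SID_MAX_SUB_AUTHORITIES is 15
        raise ValueError("not a valid SID")
    if len(blob) < 8 + 4 * sub_count:
        raise ValueError("SID sub-authorities truncated")
    authority = int.from_bytes(blob[2:8], "big")           # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)  # 32-bit, little-endian
    auth_text = "0x%X" % authority if authority >= 1 << 32 else str(authority)
    return "S-%d-%s" % (revision, auth_text) + "".join("-%d" % s for s in subs)


def is_local_system(sid_text: str) -> bool:
    """The comparison the caller at 0xD36A50 makes against S-1-5-18."""
    return sid_text == LOCAL_SYSTEM_SID


def _win_api():
    """Bind the Win32 calls with explicit types so HANDLEs survive on x64."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    adv.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                     ctypes.POINTER(ctypes.c_void_p)]
    adv.GetTokenInformation.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                        ctypes.c_void_p, ctypes.c_uint32,
                                        ctypes.POINTER(ctypes.c_uint32)]
    return k32, adv


def _query_token(adv, token, info_class):
    """Two-call pattern seen at 0xD35E40: probe with a NULL buffer, expect
    ERROR_INSUFFICIENT_BUFFER, allocate the reported size, call again."""
    needed = ctypes.c_uint32(0)
    if (not adv.GetTokenInformation(token, info_class, None, 0, ctypes.byref(needed))
            and ctypes.get_last_error() != ERROR_INSUFFICIENT_BUFFER):
        raise ctypes.WinError(ctypes.get_last_error())
    buf = ctypes.create_string_buffer(needed.value)
    if not adv.GetTokenInformation(token, info_class, buf, needed.value,
                                   ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    return buf


def classify_current_process() -> dict:
    """Ask the same two questions the sample asks about its own token."""
    if sys.platform != "win32":
        raise OSError("Win32 token APIs are only available on Windows")
    k32, adv = _win_api()
    token = ctypes.c_void_p()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        elev = _query_token(adv, token, TOKEN_ELEVATION)   # TOKEN_ELEVATION: one DWORD
        elevated = struct.unpack_from("<I", elev.raw)[0] != 0
        user = _query_token(adv, token, TOKEN_USER)        # TOKEN_USER: {PSID Sid; DWORD Attributes}
        sid_ptr = ctypes.cast(user, ctypes.POINTER(ctypes.c_void_p))[0]
        sid = sid_to_string(user.raw[sid_ptr - ctypes.addressof(user):])
    finally:
        k32.CloseHandle(token)
    return {"elevated": elevated, "user_sid": sid, "is_local_system": is_local_system(sid)}


if __name__ == "__main__":
    print(classify_current_process())
```

Run it once from an interactive shell and once from a service context (for instance via a scheduled task running as SYSTEM) to see the two answers the sample's branches at 0xD36C24 and 0xD36D70/0xD36F10 are keyed on; the PSID inside TOKEN_USER points into the same buffer, which is why the offset is computed from the buffer's own address rather than assumed.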

                                          Control-flow graph for the C runtime helper at 0xD6591D (rendered graph omitted): d6591d GetLastError saves the caller's last-error value; d65933 calls d675d7; d6594d, d65972, d65983 and d65993 call d67616; d6595d calls d670bb (the heap allocation wrapper); d659a2 and d659aa call d653b8 and d655fa; d659c2 SetLastError restores the saved value before returning. The routine allocates per-thread runtime state without disturbing GetLastError for its caller.
                                          APIs
                                          • GetLastError.KERNEL32(00000000,00000000,00D57375,00D65458,?,00D56CE7,00000000,00D63841,00000000,?,?,?,00D6363B,?,00000000,00000004), ref: 00D65921
                                          • SetLastError.KERNEL32(00000000), ref: 00D659C3
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID:
                                          • API String ID: 1452528299-0
                                          • Opcode ID: d169d3261a0c37ea1b97f4b84fb6e41d1fb96a57ebc9e99832695a188258d96d
                                          • Instruction ID: a8c3d50a6cb6c7134b8d48e9980af6dde3cb7a8400f81e1f736ef10b967a7001
                                          • Opcode Fuzzy Hash: d169d3261a0c37ea1b97f4b84fb6e41d1fb96a57ebc9e99832695a188258d96d
                                          • Instruction Fuzzy Hash: 8011C471229B16EFDB102BB8FCCAE2A2658DB017F8F240531F505D12E5FF618C859AB1

                                          Control-flow graph for the heap allocation wrapper at 0xD670BB (rendered graph omitted): d670f3 RtlAllocateHeap; when it fails, d670df calls d65245 and d670e8 calls d6bf83 (EnterCriticalSection/LeaveCriticalSection) and the allocation is retried; d67108 calls d57370 (the errno mapping routine) when the retry path gives up, and d67115 returns.
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000008,?,?,?,00D6596A,00000001,00000364,?,00000006,000000FF,?,00D56CE7,00000000,00D63841,00000000), ref: 00D670FC
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: d02bc99b29069f16cfe345b83168bb0336a6ce7197a126a145b898a049789675
                                          • Instruction ID: 65b173e2ecd6c1419b0a07f59d82d516522909550f3748d207b63e5d9e278cf1
                                          • Opcode Fuzzy Hash: d02bc99b29069f16cfe345b83168bb0336a6ce7197a126a145b898a049789675
                                          • Instruction Fuzzy Hash: 82F0E23124C7286BEB325B269C02B5B776DEF527B5B184022FC18DA190CE24EC4086F1

                                          Control-flow graph for the launcher at 0xD352F0 (rendered graph omitted). Blocks that call APIs or notable subroutines: d352f0 calls d363a0, d35d30 (x2) and d359c0; d353bf calls d349a0; d353c9 calls d57852; d353e1 calls d35d30; d35493 GetWindowsDirectoryW followed by d35b10 (x2), the path from which %s\System32\cmd.exe is built for .bat/.cmd targets; d3551d GetForegroundWindow; d3557f calls d364a0 (x5), which writes the "ShellExecuteInfo members:" log lines listed under String ID; d355f7 ShellExecuteExW, with d35609 calling d35890; d35625 a second ShellExecuteExW call site reached from d35618; d35646 calls d35b30; d3566c GetModuleHandleW(Kernel32.dll), GetProcAddress(GetProcessId), AllowSetForegroundWindow; d356a1 GetModuleHandleW, GetProcAddress again; d356c8 Sleep(0x64 = 100 ms) and EnumWindows with callback d35830, looping until d356f3 BringWindowToTop; d3570e WaitForSingleObject(INFINITE) and GetExitCodeProcess, reached only from d35704; d35721 calls d35940; d3578b calls d52937; d357b0 calls d311d0. The verbs referenced are "open" and "runas", and the "Hidden"/"Visible" strings accompany the window visibility field of the SHELLEXECUTEINFO structure.
                                          APIs
                                          • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 00D3549C
                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?), ref: 00D3551D
                                          • ShellExecuteExW.SHELL32(?), ref: 00D35601
                                          • ShellExecuteExW.SHELL32(?), ref: 00D35637
                                          • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00D3567C
                                          • GetProcAddress.KERNEL32(00000000), ref: 00D35685
                                          • AllowSetForegroundWindow.USER32(00000000), ref: 00D3568B
                                          • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00D356AB
                                          • GetProcAddress.KERNEL32(00000000), ref: 00D356AE
                                          • Sleep.KERNEL32(00000064,?,?,?,?,?,?), ref: 00D356CA
                                          • EnumWindows.USER32(00D35830,?), ref: 00D356DF
                                          • BringWindowToTop.USER32(00000000), ref: 00D356F4
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 00D35711
                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00D3571B
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Window$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectProcessSingleSleepWait
                                          • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
                                          • API String ID: 697762045-2796270252
                                          • Opcode ID: 6444a7837404fc9c8c6875007302a54a6081d499a7a2d9259a174d6973e504e1
                                          • Instruction ID: 0af73b4c8c4bedb03f5bcf6d2005306b7bc173ec38f81ea4355f1647b8a64838
                                          • Opcode Fuzzy Hash: 6444a7837404fc9c8c6875007302a54a6081d499a7a2d9259a174d6973e504e1
                                          • Instruction Fuzzy Hash: 1AE1CF71A00B099BCF14EFA8E885BAEB7B5EF44710F584168E815EB399E7309D45CB70
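The launcher at 0xD352F0 runs .bat/.cmd targets through cmd.exe with the parameter format /C ""%s" %s" (from the String ID list above) rather than the naive /C "%s" %s. The doubled outer quotes are what keep a quoted path and quoted arguments intact after cmd.exe applies its /C quote stripping. The following Python is an added example written for this report, not code from the sample: it reproduces the two format strings seen in the listing, models the /C quote rules as documented in cmd /?, and returns the command line cmd.exe ends up with for each form. The file paths are constructed, and is_executable stands in for the file-existence test cmd.exe performs.

```python
"""Why the launcher at 0xD352F0 builds  /C ""<file>" <args>"  with doubled
quotes when it runs a .bat/.cmd through cmd.exe. Added example for this
report; the quote rules are the ones documented in `cmd /?`, the paths are
constructed, and is_executable stands in for cmd.exe's file-existence check."""
import re

CMD_SPECIALS = set("&<>()@^|")       # characters that disable rule 1 below


def build_launch(windir: str, target: str, args: str) -> tuple:
    """Reproduce the two format strings seen in the sample:
    '%s\\System32\\cmd.exe' and '/C ""%s" %s"'."""
    exe = "%s\\System32\\cmd.exe" % windir
    params = '/C ""%s" %s"' % (target, args)
    return exe, params


def cmd_c_tail(tail: str, is_executable) -> str:
    """Apply cmd.exe's /C quote handling to the text that follows '/C '.
    Rule 1: quotes are preserved when there are exactly two of them, the
    quoted text contains whitespace but none of CMD_SPECIALS, and it names
    an executable file. Rule 2 (otherwise): if the first character is a
    quote, strip it and the last quote, keeping any text after the last one."""
    quote_positions = [i for i, ch in enumerate(tail) if ch == '"']
    if len(quote_positions) == 2:
        inner = tail[quote_positions[0] + 1:quote_positions[1]]
        if (not (CMD_SPECIALS & set(inner)) and re.search(r"\s", inner)
                and is_executable(inner)):
            return tail
    if tail.startswith('"'):
        last = tail.rfind('"')
        if last == 0:
            return tail[1:]
        return tail[1:last] + tail[last + 1:]
    return tail


def effective_command(params: str, is_executable) -> str:
    """The command line cmd.exe will actually try to run for '/C ...'."""
    assert params.upper().startswith("/C ")
    return cmd_c_tail(params[3:], is_executable)


# Constructed sample input: a batch file under a path with spaces plus an
# argument that itself needs quoting.
BATCH = r"C:\Program Files\Vendor\setup.bat"
ARGS = '"/log=C:\\Temp\\install log.txt"'


def exists_in_sample(path: str) -> bool:
    """Stand-in for cmd.exe's check that the quoted text is an executable."""
    return path == BATCH


def compare_quoting() -> dict:
    """Show the sample's doubled-quote form next to the naive form."""
    _, wrapped = build_launch(r"C:\Windows", BATCH, ARGS)
    naive = '/C "%s" %s' % (BATCH, ARGS)
    return {
        "wrapped": effective_command(wrapped, exists_in_sample),
        "naive": effective_command(naive, exists_in_sample),
    }


if __name__ == "__main__":
    for name, cmd in compare_quoting().items():
        print("%-8s -> %s" % (name, cmd))
```

With the doubled quotes, rule 2 removes exactly the outer pair and cmd.exe is left with "C:\Program Files\Vendor\setup.bat" "/log=...": the path and the argument both keep their quotes. With the naive form there are four quotes, so rule 2 strips the first and the last, cmd.exe sees C:\Program Files\Vendor\setup.bat" "/log=..., and it tries to run C:\Program. The same idiom is what any launcher, legitimate or not, has to use when it proxies a batch file through cmd.exe /C with a path that may contain spaces.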
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00D3CBB6
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00D8E6D0,00000800), ref: 00D3CBD3
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: OpenQueryValue
                                          • String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
                                          • API String ID: 4153817207-482544602
                                          • Opcode ID: 7c0892eac46561cb74daac00db25f93ace6d166fc9e5d359addd845b97901f0a
                                          • Instruction ID: dac5220a5d2c91b336f4de4cd8f45c632c13fd2e9612ab3e1bc006e2909e21c8
                                          • Opcode Fuzzy Hash: 7c0892eac46561cb74daac00db25f93ace6d166fc9e5d359addd845b97901f0a
                                          • Instruction Fuzzy Hash: D8C1D3356243168ACB34AF24D80137AB3A1FF95740F5DA459E889EB294E771CD82CBB1
                                          APIs
                                            • Part of subcall function 00D657CC: GetLastError.KERNEL32(?,00000008,00D6AD4C), ref: 00D657D0
                                            • Part of subcall function 00D657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D65872
                                          • GetACP.KERNEL32(?,?,?,?,?,?,00D642D9,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00D6DEE5
                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00D642D9,?,?,?,00000055,?,-00000050,?,?), ref: 00D6DF10
                                          • _wcschr.LIBVCRUNTIME ref: 00D6DFA4
                                          • _wcschr.LIBVCRUNTIME ref: 00D6DFB2
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00D6E073
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                          • String ID: utf8
                                          • API String ID: 4147378913-905460609
                                          • Opcode ID: 1e09aea60966b332749a461292587b2f8a98fa56b4a0790b07246798cedba275
                                          • Instruction ID: b4affa9a7b8336d26d57f21a437511806660c6522d1cb4392e639be4fda6ac9c
                                          • Opcode Fuzzy Hash: 1e09aea60966b332749a461292587b2f8a98fa56b4a0790b07246798cedba275
                                          • Instruction Fuzzy Hash: E871E275B00306ABDB24AB75DC46BBB73A9EF54700F184429F946DB181FBB1E9408BB1
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,F8F9577D,?), ref: 00D338CB
                                          • CloseHandle.KERNEL32(00000000), ref: 00D3390B
                                          • Process32FirstW.KERNEL32(?,00000000), ref: 00D3395F
                                          • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00D3397A
                                          • CloseHandle.KERNEL32(00000000), ref: 00D33A8E
                                          • Process32NextW.KERNEL32(?,00000000), ref: 00D33AA2
                                          • CloseHandle.KERNEL32(?), ref: 00D33AF0
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 708755948-0
                                          • Opcode ID: bd81a317d137f6e955de8c89f4b49dd915a17f8871e170fda3abe3660d284d2f
                                          • Instruction ID: 382b3deb052a266e0b7a3686f4d9168cad8434f2a70b6a2f300454d06dcd3f18
                                          • Opcode Fuzzy Hash: bd81a317d137f6e955de8c89f4b49dd915a17f8871e170fda3abe3660d284d2f
                                          • Instruction Fuzzy Hash: FAA1F8B1901249DFDF10CFA9D989BDEBBF8BF48304F148559E805AB290D7B49A44CBA0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: __floor_pentium4
                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                          • API String ID: 4168288129-2761157908
                                          • Opcode ID: a44f1db5edfdd4ebd7fcd279388f4be2e3d682b5ac474d1c78fbe7f44c7e2754
                                          • Instruction ID: 277ae299f11e658f7da72f47ad02767e4d474baf29306d290656e10374b13b56
                                          • Opcode Fuzzy Hash: a44f1db5edfdd4ebd7fcd279388f4be2e3d682b5ac474d1c78fbe7f44c7e2754
                                          • Instruction Fuzzy Hash: FCD23B72E086288FDB65CF28DD407EAB7B5EB44305F1441EAD84DE7240EB74AE858F61
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(?,2000000B,00D6E8D1,00000002,00000000,?,?,?,00D6E8D1,?,00000000), ref: 00D6E64C
                                          • GetLocaleInfoW.KERNEL32(?,20001004,00D6E8D1,00000002,00000000,?,?,?,00D6E8D1,?,00000000), ref: 00D6E675
                                          • GetACP.KERNEL32(?,?,00D6E8D1,?,00000000), ref: 00D6E68A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          • Opcode ID: a1e528d7dfda3c938a32b29e891ff44753dcf02a05e6fb6d074727bd245496bb
                                          • Instruction ID: 9e4811b553b5be67a4fdd86051b17c850ef96bef9b8841a634676e6616f9af93
                                          • Opcode Fuzzy Hash: a1e528d7dfda3c938a32b29e891ff44753dcf02a05e6fb6d074727bd245496bb
                                          • Instruction Fuzzy Hash: 3D21803A740201ABDB34CF94C904A97B7A6AF74B64B5A8C64E90AD7210F732DD41C7B0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: _swprintf$FreeLocal
                                          • String ID:
                                          • API String ID: 2429749586-0
                                          • Opcode ID: 1f20af11f4d4e42ad72ff1c16cf878e0f78b0d5efe4f644f2786b5333a102585
                                          • Instruction ID: 0bf0288d47d2d60ed9470a79f8828092ae217f36268ea73d34e3cb4017ab56af
                                          • Opcode Fuzzy Hash: 1f20af11f4d4e42ad72ff1c16cf878e0f78b0d5efe4f644f2786b5333a102585
                                          • Instruction Fuzzy Hash: 28F1AB71E10219ABDF18DFA8DC51BAEBBB5FF48300F144229F901AB280D775A945CBB1
                                          APIs
                                            • Part of subcall function 00D657CC: GetLastError.KERNEL32(?,00000008,00D6AD4C), ref: 00D657D0
                                            • Part of subcall function 00D657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D65872
                                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00D6E894
                                          • IsValidCodePage.KERNEL32(00000000), ref: 00D6E8DD
                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00D6E8EC
                                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00D6E934
                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00D6E953
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                          • String ID:
                                          • API String ID: 415426439-0
                                          • Opcode ID: 97b9bd2dbe9cb798588924d04343d7c594c9d583aa796d1f194dbcb4100d82c5
                                          • Instruction ID: 39b51eb7404094a03db5f7eca5621abe25ce6d5444a3916a4b1d620238024ad5
                                          • Opcode Fuzzy Hash: 97b9bd2dbe9cb798588924d04343d7c594c9d583aa796d1f194dbcb4100d82c5
                                          • Instruction Fuzzy Hash: 45516C75A00215AFEF20DFA9DC45ABE73B8EF88701F184469A904E7190E770D9448BB0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: _strrchr
                                          • String ID:
                                          • API String ID: 3213747228-0
                                          • Opcode ID: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
                                          • Instruction ID: fba1a4bfe9c4d8a30ba234c2ab1139d87b12ac5e2fad5e5a8e4c2f0f80c711a4
                                          • Opcode Fuzzy Hash: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
                                          • Instruction Fuzzy Hash: C4B176729046469FDF15CF68D881BEEBBE5EF19300F18816AE944AB346D235DE41CBB0
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D533B4
                                          • IsDebuggerPresent.KERNEL32 ref: 00D53480
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D534A0
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00D534AA
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                          • String ID:
                                          • API String ID: 254469556-0
                                          • Opcode ID: e902cff5b1af8cfe9b929638c398db2db355cc715eb479a4ea292f6d9aa2ac1f
                                          • Instruction ID: 4a6805c18798fa872fe5df490f56c706e6d7e0dd4f8ed2a07b56ca9dfac93033
                                          • Opcode Fuzzy Hash: e902cff5b1af8cfe9b929638c398db2db355cc715eb479a4ea292f6d9aa2ac1f
                                          • Instruction Fuzzy Hash: 29314B75D0531C9BDF10DFA4D9897CDBBB8AF04305F1040AAE90CA7250EB719B898F55
                                          APIs
                                            • Part of subcall function 00D3C630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,F8F9577D,?,00D73D30,000000FF), ref: 00D3C657
                                            • Part of subcall function 00D3C630: GetLastError.KERNEL32(?,00000000,00000000,F8F9577D,?,00D73D30,000000FF), ref: 00D3C661
                                          • IsDebuggerPresent.KERNEL32(?,?,00D88AF0), ref: 00D3D0D8
                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00D88AF0), ref: 00D3D0E7
                                          Strings
                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D3D0E2
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                          • API String ID: 3511171328-631824599
                                          • Opcode ID: 778747724339ebdce3ba6c544ddc0201fd0c9f9958e2a8aa880e8963536757bc
                                          • Instruction ID: 9570fcadceb129a119a79a03875eaca4b474fabfb9e0fc1668e6ef6e4f33cf8e
                                          • Opcode Fuzzy Hash: 778747724339ebdce3ba6c544ddc0201fd0c9f9958e2a8aa880e8963536757bc
                                          • Instruction Fuzzy Hash: A3E06D702047418FD324AF28E8057427BE5AF10740F048C6DE899D2751EBB0D4888FB1
                                          APIs
                                            • Part of subcall function 00D657CC: GetLastError.KERNEL32(?,00000008,00D6AD4C), ref: 00D657D0
                                            • Part of subcall function 00D657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D65872
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D6E28B
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D6E2D5
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D6E39B
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: InfoLocale$ErrorLast
                                          • String ID:
                                          • API String ID: 661929714-0
                                          • Opcode ID: 73edb37d71f1b759e7ee977f2655dab17cfe14e0e7082e87e191bfda19c8e3e1
                                          • Instruction ID: 9733f08d2757c9b9039e7a1e88d7394bf69d907fb01161682d2a8e24ac0572a3
                                          • Opcode Fuzzy Hash: 73edb37d71f1b759e7ee977f2655dab17cfe14e0e7082e87e191bfda19c8e3e1
                                          • Instruction Fuzzy Hash: E2617D755402179FEB289F28CC82BBA77A8EF14301F184179ED15C6285EB74E995CB70
                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D56F13
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D56F1D
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00D56F2A
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 06dacea8debb2adb42adbdb12b9470e4cd72aa785084f03b6e75b5c1aedb60a5
                                          • Instruction ID: bf1784c16cf828099a7fe5e1af20b6da413c4c74c7cbbe89ff7562ed66135be1
                                          • Opcode Fuzzy Hash: 06dacea8debb2adb42adbdb12b9470e4cd72aa785084f03b6e75b5c1aedb60a5
                                          • Instruction Fuzzy Hash: 7E31C4749013189BCF21DF68D98978DBBB8FF18311F5041EAE81CA7290E7709B858F65
                                          APIs
                                          • LoadResource.KERNEL32(00000000,00000000,F8F9577D,00000001,00000000,?,00000000,00D74460,000000FF,?,00D3474D,00D33778,?,00000000,00000000,?), ref: 00D345DB
                                          • LockResource.KERNEL32(00000000,?,00000000,00D74460,000000FF,?,00D3474D,00D33778,?,00000000,00000000,?,?,?,?,00D33778), ref: 00D345E6
                                          • SizeofResource.KERNEL32(00000000,00000000,?,00000000,00D74460,000000FF,?,00D3474D,00D33778,?,00000000,00000000,?,?,?), ref: 00D345F4
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Resource$LoadLockSizeof
                                          • String ID:
                                          • API String ID: 2853612939-0
                                          • Opcode ID: 58d56d7eea8961bb08f65483632ff81242927abdfc51393e5ef088f9e691070b
                                          • Instruction ID: 29c164cc55123ea2e542704b1a0ba97a9dd81d3bb46ef283fa39950f98bda4cf
                                          • Opcode Fuzzy Hash: 58d56d7eea8961bb08f65483632ff81242927abdfc51393e5ef088f9e691070b
                                          • Instruction Fuzzy Hash: 5D11C632A046549BC7368F59DC56BA6B7FCE786725F04492AEC1AD3350FA39AC04C6B0
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
                                          • Instruction ID: 0f7089270ef6a0c45f619945ad441dadc278d29246624721ae38c93ffa5c77e6
                                          • Opcode Fuzzy Hash: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
                                          • Instruction Fuzzy Hash: 56F13171E002199FDF18DF69C9806ADB7B1FF58315F198669EC15AB381D730AE05CB90
                                          APIs
                                          • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00D67F64,00000000,00000000,00000000), ref: 00D67E23
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: InformationTimeZone
                                          • String ID:
                                          • API String ID: 565725191-0
                                          • Opcode ID: 578ded824dd5540df46ef77bfdd9b2ead35dc81badc027dbbeda4d47e59d8781
                                          • Instruction ID: 4e85f5704c76af2ae63693baccef496c10c9c24f85248638305922edebd52e1d
                                          • Opcode Fuzzy Hash: 578ded824dd5540df46ef77bfdd9b2ead35dc81badc027dbbeda4d47e59d8781
                                          • Instruction Fuzzy Hash: 63C10772D04219ABDB10AF68DC02ABE77B9EF04758F684556F941EB291F7709E40CBB0
                                          APIs
                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D684B8,?,?,00000008,?,?,00D714E4,00000000), ref: 00D686EA
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise
                                          • String ID:
                                          • API String ID: 3997070919-0
                                          • Opcode ID: 2f3de50dd0fea78b1014dba81ce19307d09f9ba558364a0ffe8e3c492b874a42
                                          • Instruction ID: 80937ada352e4c502e7d54bac5d10496573d8023ed9b7984cc590a2d4c67933f
                                          • Opcode Fuzzy Hash: 2f3de50dd0fea78b1014dba81ce19307d09f9ba558364a0ffe8e3c492b874a42
                                          • Instruction Fuzzy Hash: F4B15B31610608CFDB14CF28C48AB657BE0FF45365F298658E9DACF2A1CB35E992DB50
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D535BF
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: FeaturePresentProcessor
                                          • String ID:
                                          • API String ID: 2325560087-0
                                          • Opcode ID: b593f6ac3c4c6b29f18bfa1fcb723f11990055b00c3cc26ed003c65da2797eb4
                                          • Instruction ID: 6e0b958e031807eca1b3eea51a500b9cb47ea6e48597cfef5e47125c8f2066ec
                                          • Opcode Fuzzy Hash: b593f6ac3c4c6b29f18bfa1fcb723f11990055b00c3cc26ed003c65da2797eb4
                                          • Instruction Fuzzy Hash: B4514DB1920315DBDB15CF99E8817A9BBF1FB48395F28852AD805EB390D3759A04CF70
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2200adf52cc6ec222a9a72f90f95b4876b83171244052334dc49e6ede1435f66
                                          • Instruction ID: 61a8eb8d4e334e03853563b18943fa23050fb5b2feefcff27dfff9648324819b
                                          • Opcode Fuzzy Hash: 2200adf52cc6ec222a9a72f90f95b4876b83171244052334dc49e6ede1435f66
                                          • Instruction Fuzzy Hash: 6931A472900219AFCB20DFA9CC859BBB7BDEF85350F184159F955D7244EA31EE448B70
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0
                                          • API String ID: 0-4108050209
                                          • Opcode ID: dc01120422f646036edc847d2b26656a15c0348fd82d1da7973f7d37d8c02f6b
                                          • Instruction ID: 32383404a9dce7c939604f4bd0dada3be4c078879bc8934b392d5129f50489a9
                                          • Opcode Fuzzy Hash: dc01120422f646036edc847d2b26656a15c0348fd82d1da7973f7d37d8c02f6b
                                          • Instruction Fuzzy Hash: A3C19E745006668FCF28CE2CC494A7ABBB1BF49312F284719DD9697251D730ED4ACB72
                                          APIs
                                            • Part of subcall function 00D657CC: GetLastError.KERNEL32(?,00000008,00D6AD4C), ref: 00D657D0
                                            • Part of subcall function 00D657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D65872
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D6E4DE
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ErrorLast$InfoLocale
                                          • String ID:
                                          • API String ID: 3736152602-0
                                          • Opcode ID: 4c4532bb400f8b580836a17f8f4356bc8531fdbba159e21ae222d6459acd5567
                                          • Instruction ID: 589624585d4e260c871f3e67ee89570316dd711057bbda412c8c3a1fb334c627
                                          • Opcode Fuzzy Hash: 4c4532bb400f8b580836a17f8f4356bc8531fdbba159e21ae222d6459acd5567
                                          • Instruction Fuzzy Hash: B021BE36614206ABDF28AF24DC42ABA73ACEF14319F14007AFD06C6241FB34ED458B70
                                          APIs
                                            • Part of subcall function 00D657CC: GetLastError.KERNEL32(?,00000008,00D6AD4C), ref: 00D657D0
                                            • Part of subcall function 00D657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D65872
                                          • EnumSystemLocalesW.KERNEL32(00D6E237,00000001,00000000,?,-00000050,?,00D6E868,00000000,?,?,?,00000055,?), ref: 00D6E183
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem
                                          • String ID:
                                          • API String ID: 2417226690-0
                                          • Opcode ID: 90908e30413ae4e123a995ec113b04ee07a0c91c7a5f18fd37091e677c405c49
                                          • Instruction ID: 34aeda3f7ff525ef0ae2887782ce248ee2c38b783df7344014570ac6f2057f28
                                          • Opcode Fuzzy Hash: 90908e30413ae4e123a995ec113b04ee07a0c91c7a5f18fd37091e677c405c49
                                          • Instruction Fuzzy Hash: A511E93E2007019FDB189F39C8A15BAB792FF84759B19442DE94687B40D3757942DB60
                                          APIs
                                            • Part of subcall function 00D657CC: GetLastError.KERNEL32(?,00000008,00D6AD4C), ref: 00D657D0
                                            • Part of subcall function 00D657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D65872
                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00D6E453,00000000,00000000,?), ref: 00D6E6E5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ErrorLast$InfoLocale
                                          • String ID:
                                          • API String ID: 3736152602-0
                                          • Opcode ID: 94a173a05d32a8403e1b691019631adc42a23f6527cf5b0f010f26576d4c731b
                                          • Instruction ID: 5786c531415f1a0ed213e78bb211f3406a65c96584a70faf2db92bbdd1b1ca17
                                          • Opcode Fuzzy Hash: 94a173a05d32a8403e1b691019631adc42a23f6527cf5b0f010f26576d4c731b
                                          • Instruction Fuzzy Hash: 61F0CD3A600212BFDB289B64CC09BFA7758EB40754F1D0834EC15E3180EA74FD41C6B0
                                          APIs
                                            • Part of subcall function 00D657CC: GetLastError.KERNEL32(?,00000008,00D6AD4C), ref: 00D657D0
                                            • Part of subcall function 00D657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D65872
                                          • EnumSystemLocalesW.KERNEL32(00D6E48A,00000001,?,?,-00000050,?,00D6E82C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00D6E1F6
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem
                                          • String ID:
                                          • API String ID: 2417226690-0
                                          • Opcode ID: d4e1ba0e5ad9674c03e39d8a0176fe679e76963c42c4d72228c7f2379f35a304
                                          • Instruction ID: 5863b8e22f93e5a17839486586b3cde9c1721b9e55841d1b9df7420c7929747b
                                          • Opcode Fuzzy Hash: d4e1ba0e5ad9674c03e39d8a0176fe679e76963c42c4d72228c7f2379f35a304
                                          • Instruction Fuzzy Hash: 35F0463A2003046FCB245F349C85A7A7B95EF81728F08442CF9058BA80D6B1AC42DB70
                                          APIs
                                            • Part of subcall function 00D61C9A: EnterCriticalSection.KERNEL32(-00D8DE50,?,00D63576,?,00D8A078,0000000C,00D63841,?), ref: 00D61CA9
                                          • EnumSystemLocalesW.KERNEL32(00D67125,00000001,00D8A1D8,0000000C,00D67554,00000000), ref: 00D6716A
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                          • String ID:
                                          • API String ID: 1272433827-0
                                          • Opcode ID: a756249f9410f3c60ac9501c6d73f9907fd82438dbe809212d3f3fd20567b0bf
                                          • Instruction ID: 25ee4bbf607207ec4213b5bf366b943fe30c54d0bd14f2f453d4ddc34464362c
                                          • Opcode Fuzzy Hash: a756249f9410f3c60ac9501c6d73f9907fd82438dbe809212d3f3fd20567b0bf
                                          • Instruction Fuzzy Hash: 7DF01472A54304DFD700EF98E846B9877E0FB49726F00456AF814DB2A0DB7549448F70
                                          APIs
                                            • Part of subcall function 00D657CC: GetLastError.KERNEL32(?,00000008,00D6AD4C), ref: 00D657D0
                                            • Part of subcall function 00D657CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D65872
                                          • EnumSystemLocalesW.KERNEL32(00D6E01F,00000001,?,?,?,00D6E88A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00D6E0FD
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ErrorLast$EnumLocalesSystem
                                          • String ID:
                                          • API String ID: 2417226690-0
                                          • Opcode ID: 563324015de152051b0d1aaf395c04ee4cf7ca91519926bcdc251b2e4bee5f7e
                                          • Instruction ID: cf368727f3a914a3489ecd1c07a36b546063e3ce566527eccb52182dae14b33e
                                          • Opcode Fuzzy Hash: 563324015de152051b0d1aaf395c04ee4cf7ca91519926bcdc251b2e4bee5f7e
                                          • Instruction Fuzzy Hash: 23F0E53A3003059BCB04AF35D84566A7F95EFC1760F0A4068EA09CB651C6759882DBB0
                                          APIs
                                          • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00D500E2,00000000,00000000,00000004,00D4ED14,00000000,00000004,00D4F127,00000000,00000000), ref: 00D52410
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID:
                                          • API String ID: 2299586839-0
                                          • Opcode ID: fe0e8e77dacc9c1c2274829aa4c403d9ae85c585b54be420f3c86a2591450512
                                          • Instruction ID: 6f00c1f75ac451f045879dc6f3e362aa317eec11d372bc8b6653af2ced657569
                                          • Opcode Fuzzy Hash: fe0e8e77dacc9c1c2274829aa4c403d9ae85c585b54be420f3c86a2591450512
                                          • Instruction Fuzzy Hash: 4FE0D832654208BADF158BB89E0FFBA76A8D72274BF544151ED02D40D1DAA1CB48A171
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00D64E3F,?,20001004,00000000,00000002,?,?,00D64441), ref: 00D676E3
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID:
                                          • API String ID: 2299586839-0
                                          • Opcode ID: 22d8fa6381b1a8572b7850a7ad1181e98cfe4f3a794641099402786e14b3381c
                                          • Instruction ID: 4e9dc0384db424436ad17c774cc6157a7c8e3682cf4a89c78723624bcb02bb81
                                          • Opcode Fuzzy Hash: 22d8fa6381b1a8572b7850a7ad1181e98cfe4f3a794641099402786e14b3381c
                                          • Instruction Fuzzy Hash: 86E04F3250861CBBCF122F61DC08AAE3F26EF44754F044420FC0566221DB318D60ABF9
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(Function_0002354B,00D53077), ref: 00D53544
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: fcf3b4e45ccd7849303724b5ce376133601f0f72488898b6ee03341e859441f1
                                          • Instruction ID: 38a63439b17e964a9bf8f6a30e4d69faf2cb86253311c0b26d6ae3dacb3d0707
                                          • Opcode Fuzzy Hash: fcf3b4e45ccd7849303724b5ce376133601f0f72488898b6ee03341e859441f1
                                          • Instruction Fuzzy Hash:
                                          APIs
                                            • Part of subcall function 00D52C98: EnterCriticalSection.KERNEL32(00D8DD3C,?,?,?,00D323B6,00D8E638,F8F9577D,?,?,00D73D6D,000000FF), ref: 00D52CA3
                                            • Part of subcall function 00D52C98: LeaveCriticalSection.KERNEL32(00D8DD3C,?,?,?,00D323B6,00D8E638,F8F9577D,?,?,00D73D6D,000000FF), ref: 00D52CE0
                                          • GetProcessHeap.KERNEL32 ref: 00D32365
                                            • Part of subcall function 00D52C4E: EnterCriticalSection.KERNEL32(00D8DD3C,?,?,00D32427,00D8E638,00D76B40), ref: 00D52C58
                                            • Part of subcall function 00D52C4E: LeaveCriticalSection.KERNEL32(00D8DD3C,?,?,00D32427,00D8E638,00D76B40), ref: 00D52C8B
                                            • Part of subcall function 00D52C4E: RtlWakeAllConditionVariable.NTDLL ref: 00D52D02
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
                                          • String ID:
                                          • API String ID: 325507722-0
                                          • Opcode ID: 4543cc5f9c53047f08f0bc2c90930d7b886e071fbe770704416daa0ab0333a4b
                                          • Instruction ID: d30a0196e1e194be31e2ae8c379129b901462ee7357d890489e8e9329daece24
                                          • Opcode Fuzzy Hash: 4543cc5f9c53047f08f0bc2c90930d7b886e071fbe770704416daa0ab0333a4b
                                          • Instruction Fuzzy Hash: 3B2148B09117009FD710EF58E947B6977B0EB26B25F104A19E825D73E2F77459088FB2
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: AllocHeap
                                          • String ID:
                                          • API String ID: 4292702814-0
                                          • Opcode ID: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
                                          • Instruction ID: f7a3867e605b7395fdbc3742f5e55b0d0c98a88dbeeb617425b85324d61d3f79
                                          • Opcode Fuzzy Hash: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
                                          • Instruction Fuzzy Hash: EB32A174A0021ADFCF24CF98C991ABEBBB5EF45304F284169DD45A7345D732AE46CBA0
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 34efc92768b07e8f81876d43b3489ccc92bac719398864f3642b4e127f288110
                                          • Instruction ID: c1c32d1bbc549ab95ae450a54eb3fd1526893339c69f3116581b12b3d1297dac
                                          • Opcode Fuzzy Hash: 34efc92768b07e8f81876d43b3489ccc92bac719398864f3642b4e127f288110
                                          • Instruction Fuzzy Hash: 0D32CF21D29F414ED7239638CC72339A28CAFA77D4F15D727E81AB5AA9EB39C4C34510
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 68126a65d3271e204df597893411a73f9f0e3e0bea9a828cb0ec4949fce1fbaf
                                          • Instruction ID: f0d2d93929abd4b720522e990138ba389a5d931f40af5dd66c783d368a7f430f
                                          • Opcode Fuzzy Hash: 68126a65d3271e204df597893411a73f9f0e3e0bea9a828cb0ec4949fce1fbaf
                                          • Instruction Fuzzy Hash: F0E168746006258FCF24CF6CC580A6AB7B1EF49312B68475ADC969B291D730AD49CF72
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                          • String ID:
                                          • API String ID: 3471368781-0
                                          • Opcode ID: 8da91d4d94e3e8893b0cdca0af8b0bf6296213369150b7baaa1eca3bca976f08
                                          • Instruction ID: 29c198ed5af8434395c6e01d82360eb4a36cfd5ee1f4198d000a1663b9377dc6
                                          • Opcode Fuzzy Hash: 8da91d4d94e3e8893b0cdca0af8b0bf6296213369150b7baaa1eca3bca976f08
                                          • Instruction Fuzzy Hash: D5B10875A007458BCB34DF68DC92AB7B3BAEF54308F18452DE983C6584EA75E945CB30
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
                                          • Instruction ID: 904a0710ce5b4bfd0b858db74d21a5462160a14ab4d18057ba1c824cb08dc40a
                                          • Opcode Fuzzy Hash: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
                                          • Instruction Fuzzy Hash: B8518371E00219AFDF14CF99C941AAEBBB1EF88310F198059EC15AB201D734AE54DBA1
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                          • Instruction ID: 954669a9b17c9f4b5cb9a1e6c37e6fe2b9309f10672e93772881661c2862da9d
                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                          • Instruction Fuzzy Hash: 51113F7720404143DE04C52DC4BA5B7E395DBD632F72C436DCC914B754D622D9CC9E22
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
                                          • Instruction ID: 4aa593ffae58c76eef011879d0f8bb354828bd7a12344592ee3b0eba34999eed
                                          • Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
                                          • Instruction Fuzzy Hash: 4DE08C72A11238EBCB14DB9CCA0498AF3ECEB84B01B15049AF601E3500D670DE00DBF1
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
                                          • Instruction ID: df47a5c3ce578a2046593e2b1975d8c223f10129538a2c81f42c8dc391b3f3b4
                                          • Opcode Fuzzy Hash: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
                                          • Instruction Fuzzy Hash: 74C08C34000F0047CE2989148AB13B83354F791792F88058CC4830BA86C51EAC83DE71

                                          Control-flow Graph

                                          • Rendered graph not reproduced; basic blocks cover 0x00D50116 to 0x00D50455 (function entry 0x00D50116).
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D5011D
                                          • collate.LIBCPMT ref: 00D50126
                                            • Part of subcall function 00D4EDF2: __EH_prolog3_GS.LIBCMT ref: 00D4EDF9
                                            • Part of subcall function 00D4EDF2: __Getcoll.LIBCPMT ref: 00D4EE5D
                                          • __Getcoll.LIBCPMT ref: 00D5016C
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D50180
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D50195
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D501D3
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D501E6
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D5022C
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D50260
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D5031B
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D5032E
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D5034B
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D50368
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D50385
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D502BD
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • numpunct.LIBCPMT ref: 00D503C4
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D503D4
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D50418
                                            • Part of subcall function 00D36330: LocalAlloc.KERNEL32(00000040,?,00D40E04,00000020,?,?,00D39942,00000000,F8F9577D,?,?,?,?,00D750DD,000000FF), ref: 00D36336
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D5042B
                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D50448
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: AddfacLocimp::_Locimp_std::locale::_$GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
                                          • String ID:
                                          • API String ID: 3717464618-0
                                          • Opcode ID: e1b043f75f5a821a04aae7562f0c4f4aef88c13133fb6d6d90f6dcbb5808d5ad
                                          • Instruction ID: e657b1c2a5420e7772274fb9dbe6abe61fd77dba8a747f02191a837dec502a89
                                          • Opcode Fuzzy Hash: e1b043f75f5a821a04aae7562f0c4f4aef88c13133fb6d6d90f6dcbb5808d5ad
                                          • Instruction Fuzzy Hash: 0191D371D023156BEB207BB48C46B7F7EA9EF41760F18842DFC49A7281EB70890497B2

                                          Control-flow Graph

                                          • Rendered graph not reproduced; basic blocks cover 0x00D36600 to 0x00D3699F (function entry 0x00D36600).
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00D3667E
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D366D7
                                          • LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D366E2
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D366FE
                                          • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00D749E5,000000FF), ref: 00D367DB
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D749E5,000000FF), ref: 00D367E7
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00D749E5), ref: 00D3682F
                                          • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,00D749E5,000000FF), ref: 00D3684A
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00D749E5), ref: 00D36867
                                          • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00D749E5,000000FF), ref: 00D36891
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00D368D8
                                          • ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00D3692A
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D749E5,000000FF), ref: 00D3695C
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
                                          • String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
                                          • API String ID: 2199533872-3004881174
                                          • Opcode ID: 0c5024933b262edd8c34b1d57f8d7394b5783fa2b39acf4dbd6cbe83f24c2bd9
                                          • Instruction ID: 928ad9bcdc2300c42729aa3b381714fdc602f4067c009400ddd97168cea4a320
                                          • Opcode Fuzzy Hash: 0c5024933b262edd8c34b1d57f8d7394b5783fa2b39acf4dbd6cbe83f24c2bd9
                                          • Instruction Fuzzy Hash: E7B128B1904249AFEB20DF64CC46BEFBBB5EF45700F548169E504AB2C1E7709A48CBB1
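The function at 0x00D36600 is the one block in this section that is not C runtime boilerplate: it opens a file for writing (CreateFileW with access 0x40000000 and disposition 2), converts text with code page 0xFDE9, writes and closes the file, and then hands a path to ShellExecuteW with the verb "open", while its String ID carries "[InternetShortcut]URL=". The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the APIs list exactly as printed above (the API_LINES are copied from that list, STRING_ID is the block's String ID field), decodes the numeric arguments against the documented Win32 constants, and applies a simple create-write-close-ShellExecute heuristic. The parser, the heuristic and every helper name (parse_api_lines, find_drop_and_open) are this example's own, not a Joe Sandbox API.

```python
"""Parse the 'APIs' list of a Joe Sandbox function block and flag a
drop-and-open sequence (create file for writing, write, close, ShellExecuteW).

API_LINES is copied from the report block for the function at 0x00D36600 and
STRING_ID is that block's String ID field.  The parser, the heuristic and the
helper names are this example's own (not Joe Sandbox's or the sample's).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Documented Win32 values (from the Windows SDK headers, not from the report).
GENERIC_WRITE = 0x40000000   # dwDesiredAccess bit seen in the CreateFileW call
CREATE_ALWAYS = 2            # dwCreationDisposition: create or truncate
CP_UTF8 = 0xFDE9             # 65001, the code page passed to WideCharToMultiByte
SW_SHOW = 5                  # nShowCmd passed to ShellExecuteW

API_LINES = """\
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00D3667E
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D366D7
• LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D366E2
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D366FE
• WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00D749E5,000000FF), ref: 00D367DB
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D749E5,000000FF), ref: 00D367E7
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00D749E5), ref: 00D3682F
• LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,00D749E5,000000FF), ref: 00D3684A
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00D749E5), ref: 00D36867
• LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00D749E5,000000FF), ref: 00D36891
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00D368D8
• ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00D3692A
• LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D749E5,000000FF), ref: 00D3695C
"""
STRING_ID = "-_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open"

# "Name.MODULE(args), ref: ADDR" for Win32 calls, "Name.LIB ref: ADDR" for CRT symbols.
LINE_RE = re.compile(
    r"^(?P<name>[^.(\s]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")

Arg = Union[int, str, None]  # hex value, string literal, or '?' (not recovered)


@dataclass
class Call:
    name: str
    module: str
    args: List[Arg]
    ref: int  # address of the call instruction


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok  # literal such as "open"


def parse_api_lines(text: str) -> List[Call]:
    calls: List[Call] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        # "Part of subcall function ..." lines describe callees; they are not this function's calls.
        if not line or line.startswith("Part of subcall"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
        calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16)))
    return calls


def find_drop_and_open(calls: List[Call], strings: str = STRING_ID) -> Optional[dict]:
    """Heuristic: CreateFileW with GENERIC_WRITE, then WriteFile, then CloseHandle,
    then ShellExecuteW, in that order.  Returns the evidence, or None."""
    created = written = closed = None
    for i, c in enumerate(calls):
        if c.name == "CreateFileW" and created is None and len(c.args) > 4:
            access = c.args[1]
            if isinstance(access, int) and access & GENERIC_WRITE:
                created = i
        elif c.name == "WriteFile" and created is not None and written is None:
            written = i
        elif c.name == "CloseHandle" and written is not None and closed is None:
            closed = i
        elif c.name == "ShellExecuteW" and closed is not None and len(c.args) > 5:
            create = calls[created]
            verb = c.args[1]
            return {
                "createfile_ref": create.ref,
                "create_always": create.args[4] == CREATE_ALWAYS,
                "shellexecute_ref": c.ref,
                # A NULL lpOperation makes ShellExecute use the file's default verb.
                "verb": verb if isinstance(verb, str) else "open (default)",
                "show_cmd": c.args[5],
                # The block's String ID tells us what kind of file was written.
                "writes_url_shortcut": "[InternetShortcut]" in strings,
            }
    return None


if __name__ == "__main__":
    verdict = find_drop_and_open(parse_api_lines(API_LINES))
    print(verdict)
```

The heuristic deliberately keys on call order rather than on the file name (which the sandbox reports as "?"): a dropper that writes a .url shortcut and opens it via the shell produces exactly this create, write, close, ShellExecuteW sequence regardless of where the file lands. The same parser accepts the CRT-style lines of the neighbouring blocks (no argument list), so it can be run over every function's APIs list in the report.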

                                          Control-flow Graph

                                          • Rendered graph not reproduced; basic blocks cover 0x00D52B8C to 0x00D52C29 (function entry 0x00D52B8C).
                                          APIs
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(00D8DD3C,00000FA0,?,?,00D52B6A), ref: 00D52B98
                                          • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00D52B6A), ref: 00D52BA3
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00D52B6A), ref: 00D52BB4
                                          • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D52BC6
                                          • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D52BD4
                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00D52B6A), ref: 00D52BF7
                                          • DeleteCriticalSection.KERNEL32(00D8DD3C,00000007,?,?,00D52B6A), ref: 00D52C13
                                          • CloseHandle.KERNEL32(00000000,?,?,00D52B6A), ref: 00D52C23
                                          Strings
                                          • WakeAllConditionVariable, xrefs: 00D52BCC
                                          • SleepConditionVariableCS, xrefs: 00D52BC0
                                          • kernel32.dll, xrefs: 00D52BAF
                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D52B9E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                          • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                          • API String ID: 2565136772-3242537097
                                          • Opcode ID: ecc3a00b0c527a6afde6eca5b451eecc0969c179ab562945b9c6a297617af4d3
                                          • Instruction ID: 6af120e133791eadec48580226a84209cf286db85bdcab29cb1b799547aaecb3
                                          • Opcode Fuzzy Hash: ecc3a00b0c527a6afde6eca5b451eecc0969c179ab562945b9c6a297617af4d3
                                          • Instruction Fuzzy Hash: 27017171A45311AFDB212F75AC0DE6A3B799F52B52B094C11BD08D23E4FA74C888CB71

                                          Control-flow Graph

                                          • Rendered graph not reproduced; basic blocks cover 0x00D55CAF to 0x00D56058 (function entry 0x00D55CAF).
                                          APIs
                                          • IsInExceptionSpec.LIBVCRUNTIME ref: 00D55DAC
                                          • type_info::operator==.LIBVCRUNTIME ref: 00D55DCE
                                          • ___TypeMatch.LIBVCRUNTIME ref: 00D55EDD
                                          • IsInExceptionSpec.LIBVCRUNTIME ref: 00D55FAF
                                          • _UnwindNestedFrames.LIBCMT ref: 00D56033
                                          • CallUnexpected.LIBVCRUNTIME ref: 00D5604E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                          • String ID: csm$csm$csm
                                          • API String ID: 2123188842-393685449
                                          • Opcode ID: 0f3aa70c7e5a6ff633f28bea5adb03b501f1f0250c4c6aae501727bc184e7573
                                          • Instruction ID: eb533a9d7015cac5719d20954687d0d150e4890d03e4d50233a73ed1844c7ed3
                                          • Opcode Fuzzy Hash: 0f3aa70c7e5a6ff633f28bea5adb03b501f1f0250c4c6aae501727bc184e7573
                                          • Instruction Fuzzy Hash: A5B18D31800609EFCF16DFA4E8919AEB7B5FF14312B18405AEC156B21AD730DA59CFB1
                                          APIs
                                          • OpenProcess.KERNEL32(00000400,00000000,?,F8F9577D,?,?,?), ref: 00D342D2
                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,F8F9577D,?,?,?), ref: 00D342F3
                                          • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F8F9577D,?,?,?), ref: 00D34326
                                          • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F8F9577D,?,?,?), ref: 00D34337
                                          • CloseHandle.KERNEL32(00000000,?,F8F9577D,?,?,?), ref: 00D34355
                                          • CloseHandle.KERNEL32(00000000,?,F8F9577D,?,?,?), ref: 00D34371
                                          • CloseHandle.KERNEL32(00000000,?,F8F9577D,?,?,?), ref: 00D34399
                                          • CloseHandle.KERNEL32(00000000,?,F8F9577D,?,?,?), ref: 00D343B5
                                          • CloseHandle.KERNEL32(00000000,?,F8F9577D,?,?,?), ref: 00D343D3
                                          • CloseHandle.KERNEL32(00000000,?,F8F9577D,?,?,?), ref: 00D343EF
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: CloseHandle$Process$OpenTimes
                                          • String ID:
                                          • API String ID: 1711917922-0
                                          • Opcode ID: ddf10ff6c8f1eb506629baa22121c7fee64c624f3262df37af8ba882cba72623
                                          • Instruction ID: 7ae6d0d45c78dfd43ee735dd7dc0b344605d30b0c5aee6313675664897258fdb
                                          • Opcode Fuzzy Hash: ddf10ff6c8f1eb506629baa22121c7fee64c624f3262df37af8ba882cba72623
                                          • Instruction Fuzzy Hash: FE516A71D02218EBDB10DF99D984BAEBBB8FF48714F284219E514B7380D7786D058BB4
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4BBC4
                                            • Part of subcall function 00D4254E: __EH_prolog3.LIBCMT ref: 00D42555
                                            • Part of subcall function 00D4254E: std::_Lockit::_Lockit.LIBCPMT ref: 00D4255F
                                            • Part of subcall function 00D4254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00D425D0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1538362411-2891247106
                                          • Opcode ID: 10028f2df7126c64ee4e720c86bb1ff6cd997c5b52d55357387f8c7c5a79135b
                                          • Instruction ID: 82b1492965250c034a9adafd8bb8146c123898e2e5a8288c00d2186f9d64473a
                                          • Opcode Fuzzy Hash: 10028f2df7126c64ee4e720c86bb1ff6cd997c5b52d55357387f8c7c5a79135b
                                          • Instruction Fuzzy Hash: 86B19F7150010AAFCF19DF68CD99EFE3BA9EF64324F08411AFA4AA6251D731DA14DB70
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D50CA4
                                            • Part of subcall function 00D39270: std::_Lockit::_Lockit.LIBCPMT ref: 00D392A0
                                            • Part of subcall function 00D39270: std::_Lockit::_Lockit.LIBCPMT ref: 00D392C2
                                            • Part of subcall function 00D39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D392EA
                                            • Part of subcall function 00D39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D39422
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1383202999-2891247106
                                          • Opcode ID: ecf96af47eb2f10da33b246e619a359d55e7e9444222f4ae36ab82198bbe8fe4
                                          • Instruction ID: a59414329689dc9f477c01f1dddd31252a6572ac0d551aeb4208401c1d0a9613
                                          • Opcode Fuzzy Hash: ecf96af47eb2f10da33b246e619a359d55e7e9444222f4ae36ab82198bbe8fe4
                                          • Instruction Fuzzy Hash: A3B1AD7550020AAFCF29DF68C95AEBE3FB9EF04342F18441AFD46A6291D631D918DB70
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4BF85
                                            • Part of subcall function 00D38610: std::_Lockit::_Lockit.LIBCPMT ref: 00D38657
                                            • Part of subcall function 00D38610: std::_Lockit::_Lockit.LIBCPMT ref: 00D38679
                                            • Part of subcall function 00D38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D386A1
                                            • Part of subcall function 00D38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D3880E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                          • API String ID: 1383202999-2891247106
                                          • Opcode ID: d5ab505d0fc1cae5d55eb07965fae73d8a1cb41a12234b8cece71e1c22dce53d
                                          • Instruction ID: b20cd1c760aa23a209b8a11d81cf340a15de033d3d6fa294e8240bc7c88ce36a
                                          • Opcode Fuzzy Hash: d5ab505d0fc1cae5d55eb07965fae73d8a1cb41a12234b8cece71e1c22dce53d
                                          • Instruction Fuzzy Hash: 37B1CF7251120AAFCF59DFA8C899DFE3BB9FB09340F085119FA46A2252D671CE10DB70
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00D4855C
                                          • _Maklocstr.LIBCPMT ref: 00D485C5
                                          • _Maklocstr.LIBCPMT ref: 00D485D7
                                          • _Maklocchr.LIBCPMT ref: 00D485EF
                                          • _Maklocchr.LIBCPMT ref: 00D485FF
                                          • _Getvals.LIBCPMT ref: 00D48621
                                            • Part of subcall function 00D41CD4: _Maklocchr.LIBCPMT ref: 00D41D03
                                            • Part of subcall function 00D41CD4: _Maklocchr.LIBCPMT ref: 00D41D19
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                          • String ID: false$true
                                          • API String ID: 3549167292-2658103896
                                          • Opcode ID: fd19d2440b3ce30fa8d8b4a4959444bad1172c697c1fa838de40ca61ba1c6546
                                          • Instruction ID: 8c2da693189414b5a3923dc9649d9d256a0fe9d5bd4b9a1294dcf2c85532fca5
                                          • Opcode Fuzzy Hash: fd19d2440b3ce30fa8d8b4a4959444bad1172c697c1fa838de40ca61ba1c6546
                                          • Instruction Fuzzy Hash: 0A2192B5D00304ABDF14EFA4D886ACE7BB8EF05750F048156F9149F242EA70C544CBB1
                                          APIs
                                          • std::locale::_Init.LIBCPMT ref: 00D39763
                                            • Part of subcall function 00D40C94: __EH_prolog3.LIBCMT ref: 00D40C9B
                                            • Part of subcall function 00D40C94: std::_Lockit::_Lockit.LIBCPMT ref: 00D40CA6
                                            • Part of subcall function 00D40C94: std::locale::_Setgloballocale.LIBCPMT ref: 00D40CC1
                                            • Part of subcall function 00D40C94: std::_Lockit::~_Lockit.LIBCPMT ref: 00D40D17
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3978A
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D397F0
                                          • std::locale::_Locimp::_Makeloc.LIBCPMT ref: 00D3984A
                                            • Part of subcall function 00D3F57A: __EH_prolog3.LIBCMT ref: 00D3F581
                                            • Part of subcall function 00D3F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D3F5C8
                                            • Part of subcall function 00D3F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D3F620
                                            • Part of subcall function 00D3F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D3F654
                                            • Part of subcall function 00D3F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00D3F6A8
                                          • LocalFree.KERNEL32(00000000,00000000,?,00D854B1,00000000), ref: 00D399BF
                                          • __cftoe.LIBCMT ref: 00D39B0B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::locale::_$Locimp::_$AddfacLocimp_std::_$Lockit$H_prolog3Lockit::_$FreeInitLocalLocinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
                                          • String ID: bad locale name
                                          • API String ID: 3103716676-1405518554
                                          • Opcode ID: 12d62754de03b3ce9a4f8fab2d9c1b96506e07bb911c65c801f2d37ce1a2ca37
                                          • Instruction ID: f00719450899024e54aa2b9930d3a6d0936d90ad7c620606bd8af25d87489510
                                          • Opcode Fuzzy Hash: 12d62754de03b3ce9a4f8fab2d9c1b96506e07bb911c65c801f2d37ce1a2ca37
                                          • Instruction Fuzzy Hash: F7F19A71D01249DFDB10CFA8D894BAEFBB5EF49304F244169E845AB381E7B59A04CBA1
                                          APIs
                                            • Part of subcall function 00D336D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D33735
                                            • Part of subcall function 00D336D0: _wcschr.LIBVCRUNTIME ref: 00D337C6
                                          • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00D33CA8
                                          • ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00D33D01
                                          • ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00D33D7A
                                          • ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 00D33EB1
                                          • GetLastError.KERNEL32 ref: 00D33F34
                                          • FreeLibrary.KERNEL32(?), ref: 00D33F7B
                                          Strings
                                          • NtQueryInformationProcess, xrefs: 00D33CA2
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead$AddressDirectoryErrorFreeLastLibraryProcSystem_wcschr
                                          • String ID: NtQueryInformationProcess
                                          • API String ID: 566592816-2781105232
                                          • Opcode ID: efdf9a786d044b041dd20954f8dc1c4144e4fa7f6b46b63eb27447f4419084ba
                                          • Instruction ID: 7cd29aabbfe5442b2d4f592d0e62c78111b9f7b7e9d7badd5974b0abfe02a4e1
                                          • Opcode Fuzzy Hash: efdf9a786d044b041dd20954f8dc1c4144e4fa7f6b46b63eb27447f4419084ba
                                          • Instruction Fuzzy Hash: 2FA16B70904759DEDB20CF64CD49BAEBBF0EF48704F244599E449A7280E7B59A88CF61
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,40000022,F8F9577D,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D34154
                                          • LocalAlloc.KERNEL32(00000040,3FFFFFFF,F8F9577D,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D34177
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D34217
                                          • OpenProcess.KERNEL32(00000400,00000000,?,F8F9577D,?,?,?), ref: 00D342D2
                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,F8F9577D,?,?,?), ref: 00D342F3
                                          • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F8F9577D,?,?,?), ref: 00D34326
                                          • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F8F9577D,?,?,?), ref: 00D34337
                                          • CloseHandle.KERNEL32(00000000,?,F8F9577D,?,?,?), ref: 00D34355
                                          • CloseHandle.KERNEL32(00000000,?,F8F9577D,?,?,?), ref: 00D34371
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Process$Local$AllocCloseHandleOpenTimes$Free
                                          • String ID:
                                          • API String ID: 1424318461-0
                                          • Opcode ID: 9c3b69c1a68f781a62caf86ddb450b90800719ea3d5dc9771fe428f1c66ccdce
                                          • Instruction ID: 04a8cefb9a8bba589c55af3676ac5f5a92b1c8e4c9de9da42bad6952627d196c
                                          • Opcode Fuzzy Hash: 9c3b69c1a68f781a62caf86ddb450b90800719ea3d5dc9771fe428f1c66ccdce
                                          • Instruction Fuzzy Hash: 0581AD75E002099FCB14CFA8D985BAEBBB4FB48310F244229E925F7390D774A940CBB4
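The two functions above (GetProcAddress of NtQueryInformationProcess followed by three ReadProcessMemory calls at 00D33CA8-00D33EB1, and the paired OpenProcess/GetProcessTimes calls at 00D342D2-00D34337) are the parts of this listing worth pulling out of the CRT and STL noise. The following triage helper is an added example, not Joe Sandbox code and not the sample's own logic: it parses the report's "APIs" bullet format into structured calls and flags those two patterns. The SAMPLE text is a hand-copied excerpt of the bullets in this section plus one benign locale function as a control. Two assumptions are labelled in the code: that the values listed after a function's real parameters are stack-slot snapshots (so ReadProcessMemory's nSize is argument index 3), and that the 0x48-byte read is interpreted against the 32-bit RTL_USER_PROCESS_PARAMETERS layout, where CommandLine sits at offset 0x40; the finding is therefore worded as "consistent with" a remote command-line read, which the report itself does not confirm.

```python
"""Parse Joe Sandbox 'APIs' bullet lists and flag process-inspection patterns.

Added triage helper for the listing above; not Joe Sandbox code.  SAMPLE is a
hand-copied excerpt of this report's bullets (constructed test input).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Union

# One bullet of an "APIs" list.  Assumption: values after a function's real
# parameters are stack-slot snapshots, so ReadProcessMemory's nSize is index 3.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

PROCESS_QUERY_INFORMATION = 0x400   # dwDesiredAccess seen in the OpenProcess calls
# Assumption: x86 RTL_USER_PROCESS_PARAMETERS, where CommandLine (a UNICODE_STRING)
# is at offset 0x40, so a 0x48-byte read covers the block up to and including it.
RTL_PARAMS_THROUGH_CMDLINE_X86 = 0x48

Arg = Union[int, str, None]         # hex constant, string literal, or '?' (unknown)

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: Optional[int] = None   # address of the subcall function, if any

def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok

def parse_listing(text: str) -> list[list[Call]]:
    """Split on the report's 'APIs' headers; return one Call list per function."""
    functions: list[list[Call]] = []
    current: Optional[list[Call]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = API_LINE.match(line)
        if current is None or not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        current.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                            int(m["sub"], 16) if m["sub"] else None))
    return functions

def analyse(calls: list[Call]) -> list[str]:
    """Findings for one function, worded as 'consistent with', not as proof."""
    findings: list[str] = []
    resolves_nqip = any(c.api == "GetProcAddress" and "NtQueryInformationProcess" in c.args
                        for c in calls)
    rpm = [c for c in calls if c.api == "ReadProcessMemory"]
    if resolves_nqip and rpm:
        sizes = [c.args[3] for c in rpm if len(c.args) > 3]
        msg = f"resolves NtQueryInformationProcess and calls ReadProcessMemory {len(rpm)}x"
        if RTL_PARAMS_THROUGH_CMDLINE_X86 in sizes:
            msg += (" (nSize 0x48 reaches RTL_USER_PROCESS_PARAMETERS.CommandLine on x86:"
                    " consistent with a remote command-line read)")
        findings.append(msg)
    opens = [c for c in calls if c.api == "OpenProcess"]
    if any(c.args and c.args[0] == PROCESS_QUERY_INFORMATION for c in opens):
        findings.append("OpenProcess with PROCESS_QUERY_INFORMATION (0x400)")
    times = sum(1 for c in calls if c.api == "GetProcessTimes")
    if len(opens) >= 2 and times >= 2:
        findings.append("two handles, GetProcessTimes on each: creation-time comparison")
    return findings

def triage(text: str) -> list[tuple[str, list[str]]]:
    """(ref of first call, findings) per function, in listing order."""
    return [(f"{fn[0].ref:08X}", analyse(fn)) for fn in parse_listing(text) if fn]

SAMPLE = """\
APIs
  • Part of subcall function 00D336D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D33735
  • Part of subcall function 00D336D0: _wcschr.LIBVCRUNTIME ref: 00D337C6
• GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00D33CA8
• ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00D33D01
• ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00D33D7A
• ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 00D33EB1
• GetLastError.KERNEL32 ref: 00D33F34
• FreeLibrary.KERNEL32(?), ref: 00D33F7B
APIs
• OpenProcess.KERNEL32(00000400,00000000,?,F8F9577D,?,?,?), ref: 00D342D2
• OpenProcess.KERNEL32(00000400,00000000,?,?,F8F9577D,?,?,?), ref: 00D342F3
• GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F8F9577D,?,?,?), ref: 00D34326
• GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F8F9577D,?,?,?), ref: 00D34337
• CloseHandle.KERNEL32(00000000,?,F8F9577D,?,?,?), ref: 00D34355
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00D392A0
• LocalAlloc.KERNEL32(00000040,00000018,00000000,F8F9577D,?,00000000), ref: 00D39342
"""

if __name__ == "__main__":
    for ref, found in triage(SAMPLE):
        print(ref, found or ["nothing flagged"])
```

Running it on the SAMPLE flags the first function for the NtQueryInformationProcess plus ReadProcessMemory combination, the second for PROCESS_QUERY_INFORMATION and the paired GetProcessTimes calls, and nothing for the locale function. To use it on a full report, paste the whole disassembly section in as `text`: the parser ignores every line that is not an "APIs" header or an API bullet, so the Memory Dump Source and Similarity blocks pass through untouched.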
                                          APIs
                                          • GetCPInfo.KERNEL32(?,?,?,?,?), ref: 00D526F8
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D52786
                                          • __alloca_probe_16.LIBCMT ref: 00D527B0
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D527F8
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D52812
                                          • __alloca_probe_16.LIBCMT ref: 00D52838
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D52875
                                          • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00D52892
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                          • String ID:
                                          • API String ID: 3603178046-0
                                          • Opcode ID: fb07cc79814090754c00e5f506b980c68d26f9911101bc974d1fa3551b51f9bd
                                          • Instruction ID: ea162dba9163c200a5bc56676d4c3142330d80b42b48b30f9472f6ba68badad7
                                          • Opcode Fuzzy Hash: fb07cc79814090754c00e5f506b980c68d26f9911101bc974d1fa3551b51f9bd
                                          • Instruction Fuzzy Hash: A1716072900205ABDF219FA4CC85AFE7FB6EF5A752F280119ED44A6250DB31C94CCBB0
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00D521A3
                                          • __alloca_probe_16.LIBCMT ref: 00D521CF
                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00D5220E
                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D5222B
                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00D5226A
                                          • __alloca_probe_16.LIBCMT ref: 00D52287
                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D522C9
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00D522EC
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                          • String ID:
                                          • API String ID: 2040435927-0
                                          • Opcode ID: c96bea9185febc6d1302d807f42610f8c3513248be2d627e0823d0f8b5bd94d7
                                          • Instruction ID: f7a43bd0fd14b284f5b55f85a84440d96f6c0ec6dedcb4d93a267981a58a5e20
                                          • Opcode Fuzzy Hash: c96bea9185febc6d1302d807f42610f8c3513248be2d627e0823d0f8b5bd94d7
                                          • Instruction Fuzzy Hash: 2F519E7250020AABEF204F64CC85FBB7BA9EF46752F154428FE15A6150DB34CD189B70
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D38657
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D38679
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D386A1
                                          • LocalAlloc.KERNEL32(00000040,00000044,00000000,F8F9577D,?,00000000), ref: 00D386F9
                                          • __Getctype.LIBCPMT ref: 00D3877B
                                          • std::_Facet_Register.LIBCPMT ref: 00D387E4
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3880E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
                                          • String ID:
                                          • API String ID: 2372200979-0
                                          • Opcode ID: 0bb6298bd7414045771a181161b37aace7be367328c68d561ece1c3c14aa2d88
                                          • Instruction ID: fdc5f25d8ad3a1f7985376821b537ddd467ea1ff0a96123211bd5c0d301d9162
                                          • Opcode Fuzzy Hash: 0bb6298bd7414045771a181161b37aace7be367328c68d561ece1c3c14aa2d88
                                          • Instruction Fuzzy Hash: 1761BDB1D00744DFDB11CF68C941B9ABBF4EF14314F248259E845AB391EB74AA44CBB1
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D392A0
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D392C2
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D392EA
                                          • LocalAlloc.KERNEL32(00000040,00000018,00000000,F8F9577D,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00D39342
                                          • __Getctype.LIBCPMT ref: 00D393BD
                                          • std::_Facet_Register.LIBCPMT ref: 00D393F8
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D39422
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
                                          • String ID:
                                          • API String ID: 2372200979-0
                                          • Opcode ID: 8f020188f66a9f63981e8c4847490e988640d9862dd658726366b1cf27466efb
                                          • Instruction ID: 4d59c7686fb04c84400b6d2c09b1c8a3f43577f7acdea7a636c7ccaf8bc90fb4
                                          • Opcode Fuzzy Hash: 8f020188f66a9f63981e8c4847490e988640d9862dd658726366b1cf27466efb
                                          • Instruction Fuzzy Hash: AF51BAB1904209DFCB11CF68C854B9EBBF4EF14714F248559E846AB391E7B0AA44CBB0
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 00D53F57
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00D53F5F
                                          • _ValidateLocalCookies.LIBCMT ref: 00D53FE8
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00D54013
                                          • _ValidateLocalCookies.LIBCMT ref: 00D54068
                                          Strings
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: 6143f761e1a15792067c696ee9226eccb4a21b87c95809c12a6279c543c04b52
                                          • Instruction ID: 84efbcc3ebf5dade8baf9ac062a40d6e721ca03b9b219e4477bafc14e6c32641
                                          • Opcode Fuzzy Hash: 6143f761e1a15792067c696ee9226eccb4a21b87c95809c12a6279c543c04b52
                                          • Instruction Fuzzy Hash: 6E41B034E002089BCF10DF68C885A9EBBB5EF04369F188155ED189B392D731DA59CFB1
                                          APIs
                                          • FreeLibrary.KERNEL32(00000000,?,00D67408,00D63841,0000000C,?,00000000,00000000,?,00D67632,00000021,FlsSetValue,00D7BD58,00D7BD60,?), ref: 00D673BC
                                          Strings
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID: api-ms-$ext-ms-
                                          • API String ID: 3664257935-537541572
                                          • Opcode ID: 1ffe33bf06f7ed360bd7bcc06932eaf9187e0cb56c9a761efc50d5c93cfdd68a
                                          • Instruction ID: 9e2aacf5e80ca63bab0abd4689427c406c46a889daccc9403298ccab4dd95d9c
                                          • Opcode Fuzzy Hash: 1ffe33bf06f7ed360bd7bcc06932eaf9187e0cb56c9a761efc50d5c93cfdd68a
                                          • Instruction Fuzzy Hash: 0421A232A09319ABDB219BA5EC45A5A3768DB41774F280620ED69E7390EB30ED00D6F0
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3B531
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3B54F
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3B577
                                          • LocalAlloc.KERNEL32(00000040,0000000C,00000000,F8F9577D,?,00000000,00000000), ref: 00D3B5CF
                                          • std::_Facet_Register.LIBCPMT ref: 00D3B6B7
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3B6E1
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                          • String ID:
                                          • API String ID: 3931714976-0
                                          • Opcode ID: 2d48748a42f42aebf3822dd528d2cb3997c4be17c17fce503bb5bb859382c2b3
                                          • Instruction ID: fd5baf7108694d4ab7539f1c1b9a5427045a371b012863e078dbcfe9849e2756
                                          • Opcode Fuzzy Hash: 2d48748a42f42aebf3822dd528d2cb3997c4be17c17fce503bb5bb859382c2b3
                                          • Instruction Fuzzy Hash: 9A51BF71900348DFDB11CF58C8817AEBBB4FF10324F24855AE955AB392E7B59A04CBB1
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3B731
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3B74F
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3B777
                                          • LocalAlloc.KERNEL32(00000040,00000008,00000000,F8F9577D,?,00000000,00000000), ref: 00D3B7CF
                                          • std::_Facet_Register.LIBCPMT ref: 00D3B863
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3B88D
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
                                          • String ID:
                                          • API String ID: 3931714976-0
                                          • Opcode ID: 385ca43bd9593518fdbc2509aead74ae134cfc154e3be252baa187be19c050c5
                                          • Instruction ID: 5ea05bcf9b8f71faec7bd1493932807a4f4a7fed748756c2b881a11b0414ef0a
                                          • Opcode Fuzzy Hash: 385ca43bd9593518fdbc2509aead74ae134cfc154e3be252baa187be19c050c5
                                          • Instruction Fuzzy Hash: 1C518BB1904314DFCB11CF58C885B9EBBB4EF54324F24855EE955AB381E7B0AE04CBA0
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16
                                          • String ID: a/p$am/pm
                                          • API String ID: 3509577899-3206640213
                                          • Opcode ID: 8ee1921f75e61e89cd13db7f5a9b0200c0d8cae136765ee915469bfe68b1c35d
                                          • Instruction ID: af5a96a5a53e022f22c88e87daf052f264a65a878dec678f034a5d3c6ef31a91
                                          • Opcode Fuzzy Hash: 8ee1921f75e61e89cd13db7f5a9b0200c0d8cae136765ee915469bfe68b1c35d
                                          • Instruction Fuzzy Hash: EDC1BB35900206DBDB249FA8C989ABBBFB0FF55700F284049E946AB650D735ED41CFB1
                                          APIs
                                          • GetLastError.KERNEL32(?,?,00D5596F,00D54900,00D5358F), ref: 00D55986
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D55994
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D559AD
                                          • SetLastError.KERNEL32(00000000,00D5596F,00D54900,00D5358F), ref: 00D559FF
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 50287118d4775fdc63bd7ff61b883e26c760a142c47664fcf55b704337cd4d92
                                          • Instruction ID: 742b89be5b835e0d5ba81660cebc219b5e6296c151c1860c3c69e5f9bde5e616
                                          • Opcode Fuzzy Hash: 50287118d4775fdc63bd7ff61b883e26c760a142c47664fcf55b704337cd4d92
                                          • Instruction Fuzzy Hash: 2501F532229B11DFAF2226B4BC95A6E2754DB007B73300329FC14D52E4FE258C485EB0
                                          APIs
                                          • GetTempFileNameW.KERNEL32(?,URL,00000000,?,F8F9577D,?,00000004), ref: 00D33294
                                          • MoveFileW.KERNEL32(?,00000000), ref: 00D3354A
                                          • DeleteFileW.KERNEL32(?), ref: 00D33592
                                            • Part of subcall function 00D31A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 00D31AF7
                                            • Part of subcall function 00D31A70: LocalFree.KERNEL32(7FFFFFFE), ref: 00D31B7D
                                            • Part of subcall function 00D32E60: LocalFree.KERNEL32(?,F8F9577D,?,?,00D73C40,000000FF,?,00D31242,F8F9577D,?,?,00D73C75,000000FF), ref: 00D32EB1
                                          Strings
                                          Similarity
                                          • API ID: FileLocal$Free$AllocDeleteMoveNameTemp
                                          • String ID: URL$url
                                          • API String ID: 853893950-346267919
                                          • Opcode ID: 4a8b4a1396db3200a47119310bc7ffc4ecf3fa2e761721dcda1aea17bb5877aa
                                          • Instruction ID: d78a1a615cc28eafab354368c22bfe99e17f88087c1709a192f2810e7458da91
                                          • Opcode Fuzzy Hash: 4a8b4a1396db3200a47119310bc7ffc4ecf3fa2e761721dcda1aea17bb5877aa
                                          • Instruction Fuzzy Hash: 85C16970D142689ADB24DF28CD98BEDB7B4FF14304F1442D9D409A7291EBB46B88CFA1
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D33735
                                          • GetLastError.KERNEL32(?,?,?,00D74215,000000FF), ref: 00D3381A
                                            • Part of subcall function 00D32310: GetProcessHeap.KERNEL32 ref: 00D32365
                                            • Part of subcall function 00D346F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00D33778,-00000010,?,?,?,00D74215,000000FF), ref: 00D34736
                                          • _wcschr.LIBVCRUNTIME ref: 00D337C6
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00D74215,000000FF), ref: 00D337DB
                                          Strings
                                          Similarity
                                          • API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
                                          • String ID: ntdll.dll
                                          • API String ID: 3941625479-2227199552
                                          • Opcode ID: 4e252727b136279c586d0596ad9c7fc48d907be0fc476faf06d47110d50d8f92
                                          • Instruction ID: a89947665c8adb095d4e93762893204003755622740bcfaa170447890425d909
                                          • Opcode Fuzzy Hash: 4e252727b136279c586d0596ad9c7fc48d907be0fc476faf06d47110d50d8f92
                                          • Instruction Fuzzy Hash: CD418271A00605AFDB10DFA8DD45BAEB7B4FF14310F144529E916D7281EBB4AA04CBB1
                                          APIs
                                            • Part of subcall function 00D31A20: LocalFree.KERNEL32(?), ref: 00D31A42
                                            • Part of subcall function 00D53E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00D31434,?,?,00D3D341,00D31434,00D88B5C,?,00D31434,?,00000000), ref: 00D53EBA
                                          • GetCurrentProcess.KERNEL32(F8F9577D,F8F9577D,?,?,00000000,00D74981,000000FF), ref: 00D362EB
                                            • Part of subcall function 00D52C98: EnterCriticalSection.KERNEL32(00D8DD3C,?,?,?,00D323B6,00D8E638,F8F9577D,?,?,00D73D6D,000000FF), ref: 00D52CA3
                                            • Part of subcall function 00D52C98: LeaveCriticalSection.KERNEL32(00D8DD3C,?,?,?,00D323B6,00D8E638,F8F9577D,?,?,00D73D6D,000000FF), ref: 00D52CE0
                                          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00D362B0
                                          • GetProcAddress.KERNEL32(00000000), ref: 00D362B7
                                            • Part of subcall function 00D52C4E: EnterCriticalSection.KERNEL32(00D8DD3C,?,?,00D32427,00D8E638,00D76B40), ref: 00D52C58
                                            • Part of subcall function 00D52C4E: LeaveCriticalSection.KERNEL32(00D8DD3C,?,?,00D32427,00D8E638,00D76B40), ref: 00D52C8B
                                            • Part of subcall function 00D52C4E: RtlWakeAllConditionVariable.NTDLL ref: 00D52D02
                                          Strings
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
                                          • String ID: IsWow64Process$kernel32
                                          • API String ID: 1333104975-3789238822
                                          • Opcode ID: 08850b79f5a0e190ccd7c994840d7a8e042672984aeb078ee30985cfa74bd27e
                                          • Instruction ID: 9ddcc414e833224a5e7b1184100101b18f74d0c9c98ea794e895e1fe1ea5190c
                                          • Opcode Fuzzy Hash: 08850b79f5a0e190ccd7c994840d7a8e042672984aeb078ee30985cfa74bd27e
                                          • Instruction Fuzzy Hash: B521AE71945315EFCB10EFA4DD06BAEB7A8FB14B11F140A25E915D32D0EB74A9048B71
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: Mpunct$GetvalsH_prolog3
                                          • String ID: $+xv
                                          • API String ID: 2204710431-1686923651
                                          • Opcode ID: 27ddbc791f437d028aa761d242cc23b90b65c113a0b13003804bd46ea1bf1b8b
                                          • Instruction ID: 0d1948f39c1b35d9d442017511bf4f17153812c9240e34a71e448861aa680d54
                                          • Opcode Fuzzy Hash: 27ddbc791f437d028aa761d242cc23b90b65c113a0b13003804bd46ea1bf1b8b
                                          • Instruction Fuzzy Hash: 38218EB1904B926FDB25DF75C49077FBEE8AB08341F04495AE499C7A42E774E601CBB0
                                          APIs
                                          • GetCurrentProcess.KERNEL32(F8F9577D,F8F9577D,?,?,00000000,00D74981,000000FF), ref: 00D362EB
                                            • Part of subcall function 00D52C98: EnterCriticalSection.KERNEL32(00D8DD3C,?,?,?,00D323B6,00D8E638,F8F9577D,?,?,00D73D6D,000000FF), ref: 00D52CA3
                                            • Part of subcall function 00D52C98: LeaveCriticalSection.KERNEL32(00D8DD3C,?,?,?,00D323B6,00D8E638,F8F9577D,?,?,00D73D6D,000000FF), ref: 00D52CE0
                                          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00D362B0
                                          • GetProcAddress.KERNEL32(00000000), ref: 00D362B7
                                            • Part of subcall function 00D52C4E: EnterCriticalSection.KERNEL32(00D8DD3C,?,?,00D32427,00D8E638,00D76B40), ref: 00D52C58
                                            • Part of subcall function 00D52C4E: LeaveCriticalSection.KERNEL32(00D8DD3C,?,?,00D32427,00D8E638,00D76B40), ref: 00D52C8B
                                            • Part of subcall function 00D52C4E: RtlWakeAllConditionVariable.NTDLL ref: 00D52D02
                                          Strings
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                          • String ID: IsWow64Process$kernel32
                                          • API String ID: 2056477612-3789238822
                                          • Opcode ID: 2119897c1927a79df9648376c9ead2ba6a0719deb4e10d7e275c92f4800778e0
                                          • Instruction ID: 02b108a8b6c95e6874397e04b431ddee551b5e0d7ae3439c0eeae23a9834af6f
                                          • Opcode Fuzzy Hash: 2119897c1927a79df9648376c9ead2ba6a0719deb4e10d7e275c92f4800778e0
                                          • Instruction Fuzzy Hash: 1F11AE72905714EFCB10DF54DD06BA9B3A8FB15710F040A2AE815D33C0E775A904CB71
                                          APIs
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,00D56AA3,?,?,00D8DDCC,00000000,?,00D56BCE,00000004,InitializeCriticalSectionEx,00D797E8,InitializeCriticalSectionEx,00000000), ref: 00D56A72
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID: api-ms-
                                          • API String ID: 3664257935-2084034818
                                          • Opcode ID: 3dcada5acd5a9de74c773670a6f5ff479e6c239e26a8318938fc82fbbad41011
                                          • Instruction ID: 6fa59976f9540650ced6a8cfbfa68c04f11dd7ca5f57ac17a0fc8b341ef14540
                                          • Opcode Fuzzy Hash: 3dcada5acd5a9de74c773670a6f5ff479e6c239e26a8318938fc82fbbad41011
                                          • Instruction Fuzzy Hash: 6711A732A04325ABCF228B689C41B5933A49F11772F584660FD15FB380E670ED0486F5
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F8F9577D,?,?,00000000,00D76A6C,000000FF,?,00D62DC1,?,?,00D62D95,?), ref: 00D62E23
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D62E35
                                          • FreeLibrary.KERNEL32(00000000,?,00000000,00D76A6C,000000FF,?,00D62DC1,?,?,00D62D95,?), ref: 00D62E57
                                          Strings
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: aa91c874c10e8b5c05bda6faf534a01b9ea68b69849a34fd065158414d8c6e6f
                                          • Instruction ID: eca1078d977016497aee073fcafe75caf21f229c33266efd0e6386e85f968709
                                          • Opcode Fuzzy Hash: aa91c874c10e8b5c05bda6faf534a01b9ea68b69849a34fd065158414d8c6e6f
                                          • Instruction Fuzzy Hash: 5A01A232918B19EFCB128F44CC05FAEBBB8FB04B11F044525F815E23A0EB759900CBA0
                                          APIs
                                          • __alloca_probe_16.LIBCMT ref: 00D66E40
                                          • __alloca_probe_16.LIBCMT ref: 00D66F01
                                          • __freea.LIBCMT ref: 00D66F68
                                            • Part of subcall function 00D65BDC: HeapAlloc.KERNEL32(00000000,00000000,00D63841,?,00D6543A,?,00000000,?,00D56CE7,00000000,00D63841,00000000,?,?,?,00D6363B), ref: 00D65C0E
                                          • __freea.LIBCMT ref: 00D66F7D
                                          • __freea.LIBCMT ref: 00D66F8D
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16$AllocHeap
                                          • String ID:
                                          • API String ID: 1096550386-0
                                          • Opcode ID: 89267be49f109e04e1dc5d5daa38f1d32d70b58856732e7102f7a95e01ef0473
                                          • Instruction ID: eccebd133fbdad5392a04da82dd684611e144c53879184a4ee0ce5df2da98463
                                          • Opcode Fuzzy Hash: 89267be49f109e04e1dc5d5daa38f1d32d70b58856732e7102f7a95e01ef0473
                                          • Instruction Fuzzy Hash: B2518F72600206AFEF219FA5EC81EBF7AA9EF44754B194129FD08D7251E736DC148B70
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3B8DD
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3B900
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3B928
                                          • std::_Facet_Register.LIBCPMT ref: 00D3B98D
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3B9B7
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                          • String ID:
                                          • API String ID: 459529453-0
                                          • Opcode ID: 353b4e34f88c1abbd57e256175467594505f7eddb6fb44c8dfcc1bbcb9cb5211
                                          • Instruction ID: 1b24d62d0dc883dfce1508fb2f327d0d91950e7bda3457c56855ccd4c5fa57ad
                                          • Opcode Fuzzy Hash: 353b4e34f88c1abbd57e256175467594505f7eddb6fb44c8dfcc1bbcb9cb5211
                                          • Instruction Fuzzy Hash: E431B271900218DFCB11DF58D981BAEBBB4EF24324F14456AEA45AB3A1D731AE05CFB1
                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,?,76C14450,00D35646,?,?,?,?,?), ref: 00D35898
                                          Strings
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                          • API String ID: 1452528299-1782174991
                                          • Opcode ID: edbd98f55e7ed09742e377c427beaeb90492a292486aa67070805a7d28715aaf
                                          • Instruction ID: e335ae33b864ef1886d0a86a2212025b874b311ec739c91bd9b5856ebfa1d729
                                          • Opcode Fuzzy Hash: edbd98f55e7ed09742e377c427beaeb90492a292486aa67070805a7d28715aaf
                                          • Instruction Fuzzy Hash: BE11A556A10625D7CB302F6CE800376A2F4DF54764F69047FD889D7395FAB58C8183B4
                                          APIs
                                          Similarity
                                          • API ID: Maklocstr$Maklocchr
                                          • String ID:
                                          • API String ID: 2020259771-0
                                          • Opcode ID: ca0a44f410539524c728cdde3be64dcf539c8e81c884c1e3308bac8653d63ed5
                                          • Instruction ID: 1522dc086b173a08ee754e143d2613c2f165026646e730a7493c8f45759e373a
                                          • Opcode Fuzzy Hash: ca0a44f410539524c728cdde3be64dcf539c8e81c884c1e3308bac8653d63ed5
                                          • Instruction Fuzzy Hash: 78118FB5940784BBE720DBA4C881F12B7ACEF04350F080529F6558BA41D264FC9487B9
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D3D883
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3D88D
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • numpunct.LIBCPMT ref: 00D3D8C7
                                          • std::_Facet_Register.LIBCPMT ref: 00D3D8DE
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3D8FE
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                          • String ID:
                                          • API String ID: 743221004-0
                                          • Opcode ID: d1d261f8c6b1ad9043c331a10839de29f031020c909e4c79bec4ebb7e46c9951
                                          • Instruction ID: 1973edbf4cd072908dbc05c9ff6aaf0338007eecc93f6e6651a844c8d45f622c
                                          • Opcode Fuzzy Hash: d1d261f8c6b1ad9043c331a10839de29f031020c909e4c79bec4ebb7e46c9951
                                          • Instruction Fuzzy Hash: 65117C359006199BCF05AB64A8516AEB766EF84710F280459F811AB2D1DF74AE05CBB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42301
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4230B
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • codecvt.LIBCPMT ref: 00D42345
                                          • std::_Facet_Register.LIBCPMT ref: 00D4235C
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4237C
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                          • String ID:
                                          • API String ID: 712880209-0
                                          • Opcode ID: 7e4190d73c829d089cc73b6ac69be7dc71e92bbf4404fcc98c4e5c87385e0f03
                                          • Instruction ID: a363f0d476dec4274b84c81888c67940a1ee3d2c11c8c37d57d7fe18ec2f43d6
                                          • Opcode Fuzzy Hash: 7e4190d73c829d089cc73b6ac69be7dc71e92bbf4404fcc98c4e5c87385e0f03
                                          • Instruction Fuzzy Hash: FD01DE35900619DBCF04EBA4E845ABEBBB1EF80720F690509F910AB3D1DF749E048BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42396
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D423A0
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • codecvt.LIBCPMT ref: 00D423DA
                                          • std::_Facet_Register.LIBCPMT ref: 00D423F1
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42411
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                          • String ID:
                                          • API String ID: 712880209-0
                                          • Opcode ID: 9db6a2c304998a938b2974ed34d62db485594797ca5796ce9b5d528b1eb367ce
                                          • Instruction ID: 4d66fdf3ea0d315f6132d02a4833059b7a952df7dc210a00c6000ee494d38ae2
                                          • Opcode Fuzzy Hash: 9db6a2c304998a938b2974ed34d62db485594797ca5796ce9b5d528b1eb367ce
                                          • Instruction Fuzzy Hash: A501A9359002199BCB04AB64D845ABEBBB1EF80710F280819F814AB3D2DFB49E05CBB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D424C0
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D424CA
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • collate.LIBCPMT ref: 00D42504
                                          • std::_Facet_Register.LIBCPMT ref: 00D4251B
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4253B
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                          • String ID:
                                          • API String ID: 1007100420-0
                                          • Opcode ID: a37f9e2ca86b785ec1c95ea2c1407ccface4ed6168ed627b01973e240f5daec8
                                          • Instruction ID: a7bc5abeb50203813289759e999bc5de30775a9ef224ca73c5ff7955c1e59f37
                                          • Opcode Fuzzy Hash: a37f9e2ca86b785ec1c95ea2c1407ccface4ed6168ed627b01973e240f5daec8
                                          • Instruction Fuzzy Hash: 5701DE31900619DBCB09FB64D855ABEBBB1EF84720F690809F814AB3D1DF709E048BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4242B
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42435
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • collate.LIBCPMT ref: 00D4246F
                                          • std::_Facet_Register.LIBCPMT ref: 00D42486
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D424A6
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                          • String ID:
                                          • API String ID: 1007100420-0
                                          • Opcode ID: 387b09d23b08ad0f49695077386cf108507db714ca8dda200eecbb9cb9a40d5c
                                          • Instruction ID: 5e29156ed960cdc066fe1bacc04b75dbe7d5fcfdd2af3af2a46862fb729c84a0
                                          • Opcode Fuzzy Hash: 387b09d23b08ad0f49695077386cf108507db714ca8dda200eecbb9cb9a40d5c
                                          • Instruction Fuzzy Hash: 48018C35900619DBCB05EB64E8416BEBBA1EF94720F690409F914AB3D2EF749E04CBB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D425EA
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D425F4
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • messages.LIBCPMT ref: 00D4262E
                                          • std::_Facet_Register.LIBCPMT ref: 00D42645
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42665
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                          • String ID:
                                          • API String ID: 2750803064-0
                                          • Opcode ID: e57918cb980dac0777eb40055e7e6ccddce0fc16b0a5db9c1ec38775755a2204
                                          • Instruction ID: 18c1b4137a543beca2a214b7962a79d960d339b873a0d59c9ba449d622fcd3bc
                                          • Opcode Fuzzy Hash: e57918cb980dac0777eb40055e7e6ccddce0fc16b0a5db9c1ec38775755a2204
                                          • Instruction Fuzzy Hash: C701A9359002199BCB05BB64A851ABEBBA1EF84310F694409F814AB3D2DF709E008BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42555
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4255F
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • ctype.LIBCPMT ref: 00D42599
                                          • std::_Facet_Register.LIBCPMT ref: 00D425B0
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D425D0
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
                                          • String ID:
                                          • API String ID: 83828444-0
                                          • Opcode ID: 6845abc20fff93c89f7fd495b052cda73811f35351472376cb1f56eee87eef9b
                                          • Instruction ID: 0814ade7d10b885cd470894f4197d2967f7cc22c4d81d5605e8b7caaf205df5d
                                          • Opcode Fuzzy Hash: 6845abc20fff93c89f7fd495b052cda73811f35351472376cb1f56eee87eef9b
                                          • Instruction Fuzzy Hash: B101CC31900259DBCB04EB64D851ABEBBB1EF84320F694819F811AB3D2DF709E44CBB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D3D6C4
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3D6CE
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • codecvt.LIBCPMT ref: 00D3D708
                                          • std::_Facet_Register.LIBCPMT ref: 00D3D71F
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3D73F
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                          • String ID:
                                          • API String ID: 712880209-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4267F
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42689
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • messages.LIBCPMT ref: 00D426C3
                                          • std::_Facet_Register.LIBCPMT ref: 00D426DA
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D426FA
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                          • String ID:
                                          • API String ID: 2750803064-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4E8DF
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4E8E9
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • messages.LIBCPMT ref: 00D4E923
                                          • std::_Facet_Register.LIBCPMT ref: 00D4E93A
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4E95A
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                          • String ID:
                                          • API String ID: 2750803064-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4E84A
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4E854
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • collate.LIBCPMT ref: 00D4E88E
                                          • std::_Facet_Register.LIBCPMT ref: 00D4E8A5
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4E8C5
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                          • String ID:
                                          • API String ID: 1007100420-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D429FD
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42A07
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • moneypunct.LIBCPMT ref: 00D42A41
                                          • std::_Facet_Register.LIBCPMT ref: 00D42A58
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42A78
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42968
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42972
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • moneypunct.LIBCPMT ref: 00D429AC
                                          • std::_Facet_Register.LIBCPMT ref: 00D429C3
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D429E3
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4EA9E
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4EAA8
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • moneypunct.LIBCPMT ref: 00D4EAE2
                                          • std::_Facet_Register.LIBCPMT ref: 00D4EAF9
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4EB19
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42A92
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42A9C
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • moneypunct.LIBCPMT ref: 00D42AD6
                                          • std::_Facet_Register.LIBCPMT ref: 00D42AED
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42B0D
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42B27
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42B31
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • moneypunct.LIBCPMT ref: 00D42B6B
                                          • std::_Facet_Register.LIBCPMT ref: 00D42B82
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42BA2
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4EB33
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4EB3D
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • moneypunct.LIBCPMT ref: 00D4EB77
                                          • std::_Facet_Register.LIBCPMT ref: 00D4EB8E
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4EBAE
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                          • String ID:
                                          • API String ID: 419941038-0
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42D7B
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42D85
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • numpunct.LIBCPMT ref: 00D42DBF
                                          • std::_Facet_Register.LIBCPMT ref: 00D42DD6
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42DF6
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                          • String ID:
                                          • API String ID: 743221004-0
                                          APIs
                                          • EnterCriticalSection.KERNEL32(00D8DD3C,?,?,00D32427,00D8E638,00D76B40), ref: 00D52C58
                                          • LeaveCriticalSection.KERNEL32(00D8DD3C,?,?,00D32427,00D8E638,00D76B40), ref: 00D52C8B
                                          • RtlWakeAllConditionVariable.NTDLL ref: 00D52D02
                                          • SetEvent.KERNEL32(?,00D32427,00D8E638,00D76B40), ref: 00D52D0C
                                          • ResetEvent.KERNEL32(?,00D32427,00D8E638,00D76B40), ref: 00D52D18
                                          Similarity
                                          • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                          • String ID:
                                          • API String ID: 3916383385-0
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,00000018,F8F9577D,?,00000000), ref: 00D3BBA3
                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00D3BD7F
                                          Similarity
                                          • API ID: AllocConcurrency::cancel_current_taskLocal
                                          • String ID: false$true
                                          • API String ID: 3924972193-2658103896
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00D4D3D2
                                            • Part of subcall function 00D4254E: __EH_prolog3.LIBCMT ref: 00D42555
                                            • Part of subcall function 00D4254E: std::_Lockit::_Lockit.LIBCPMT ref: 00D4255F
                                            • Part of subcall function 00D4254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00D425D0
                                          • _Find_elem.LIBCPMT ref: 00D4D46E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                          • String ID: %.0Lf$0123456789-
                                          • API String ID: 2544715827-3094241602
                                          • Opcode ID: 7e525c015af282cd505e1f5412b4a50b77c8ce7306fb9e2ad15b73e6208da2bc
                                          • Instruction ID: 39e642009bbaa512272d910ad82fae44f5d79958392156acc5e2a9d22d14eed5
                                          • Opcode Fuzzy Hash: 7e525c015af282cd505e1f5412b4a50b77c8ce7306fb9e2ad15b73e6208da2bc
                                          • Instruction Fuzzy Hash: 79414931900218DFCF15DFA8C880ADDBBB5FF08314F540159E909AB255DB70AA5ACBB5
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00D4D676
                                            • Part of subcall function 00D38610: std::_Lockit::_Lockit.LIBCPMT ref: 00D38657
                                            • Part of subcall function 00D38610: std::_Lockit::_Lockit.LIBCPMT ref: 00D38679
                                            • Part of subcall function 00D38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D386A1
                                            • Part of subcall function 00D38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D3880E
                                          • _Find_elem.LIBCPMT ref: 00D4D712
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                          • String ID: 0123456789-$0123456789-
                                          • API String ID: 3042121994-2494171821
                                          • Opcode ID: ddafda86304f197a8fc974f27ed167aa6487443603c2b27399bde4aea142b636
                                          • Instruction ID: 429d3cfd4e073a489f4f9cb2994b8292210140109818825c60786b177eda08ec
                                          • Opcode Fuzzy Hash: ddafda86304f197a8fc974f27ed167aa6487443603c2b27399bde4aea142b636
                                          • Instruction Fuzzy Hash: 89419A71900218DFCF01EFA8C880ADEBBB6FF08310F100059E815AB256DB30EA56CBB5
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00D51761
                                            • Part of subcall function 00D39270: std::_Lockit::_Lockit.LIBCPMT ref: 00D392A0
                                            • Part of subcall function 00D39270: std::_Lockit::_Lockit.LIBCPMT ref: 00D392C2
                                            • Part of subcall function 00D39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D392EA
                                            • Part of subcall function 00D39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D39422
                                          • _Find_elem.LIBCPMT ref: 00D517FB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                          • String ID: 0123456789-$0123456789-
                                          • API String ID: 3042121994-2494171821
                                          • Opcode ID: 85cf7b298d1d63180868f222ac4e81bef9cdd1025876fc0899481dbe6d785fa6
                                          • Instruction ID: 489c7f1478bf675512693417e8863b5ba60d973896cac275abc0a0872bb8d280
                                          • Opcode Fuzzy Hash: 85cf7b298d1d63180868f222ac4e81bef9cdd1025876fc0899481dbe6d785fa6
                                          • Instruction Fuzzy Hash: 8F415B35900209EFCF15DFA8D881A9EBBB5FF08315F10415AEC11AB252DB70DA5ACBB5
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4838D
                                            • Part of subcall function 00D41C42: _Maklocstr.LIBCPMT ref: 00D41C62
                                            • Part of subcall function 00D41C42: _Maklocstr.LIBCPMT ref: 00D41C7F
                                            • Part of subcall function 00D41C42: _Maklocstr.LIBCPMT ref: 00D41C9C
                                            • Part of subcall function 00D41C42: _Maklocchr.LIBCPMT ref: 00D41CAE
                                            • Part of subcall function 00D41C42: _Maklocchr.LIBCPMT ref: 00D41CC1
                                          • _Mpunct.LIBCPMT ref: 00D4841A
                                          • _Mpunct.LIBCPMT ref: 00D48434
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                          • String ID: $+xv
                                          • API String ID: 2939335142-1686923651
                                          • Opcode ID: 640425d25679b7f5c97c57065f6cf06d8e0574939e497759445536531a8c545a
                                          • Instruction ID: 12750cbdcbfa20bee5bab52280685941b7d4a41efaeb26dfa2fcf173510f0085
                                          • Opcode Fuzzy Hash: 640425d25679b7f5c97c57065f6cf06d8e0574939e497759445536531a8c545a
                                          • Instruction Fuzzy Hash: 23219CB1804B926FDB25DF75C89063BBEE8EB08341F04055AE499C7A42E730E601CBB0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Mpunct$H_prolog3
                                          • String ID: $+xv
                                          • API String ID: 4281374311-1686923651
                                          • Opcode ID: f0647e5d4deb86e9799c4051c6a4a1769194a9739e36491b8325993afa55e30d
                                          • Instruction ID: 1d7fd67131ac4f946c1c15ff2a0547381d9d06b5bc1cb0697f9e06220bf13d39
                                          • Opcode Fuzzy Hash: f0647e5d4deb86e9799c4051c6a4a1769194a9739e36491b8325993afa55e30d
                                          • Instruction Fuzzy Hash: A12192B1904B926FDB25DF79C49177BBEF8AB08301F04451AE899C7A42E774E605CBB0
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D31434,?,00000000), ref: 00D32569
                                          • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D31434,?,00000000), ref: 00D32589
                                          • LocalFree.KERNEL32(?,00D31434,?,00000000), ref: 00D325DF
                                          • CloseHandle.KERNEL32(00000000,F8F9577D,?,00000000,00D73C40,000000FF,00000008,?,?,?,?,00D31434,?,00000000), ref: 00D32633
                                          • LocalFree.KERNEL32(?,F8F9577D,?,00000000,00D73C40,000000FF,00000008,?,?,?,?,00D31434), ref: 00D32647
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Local$AllocFree$CloseHandle
                                          • String ID:
                                          • API String ID: 1291444452-0
                                          • Opcode ID: 2ad0897ec73678e375a86e803bd7753b641b99e458363434b9827546add0ad69
                                          • Instruction ID: 9282dcaac64fb1898910c2f2b27a053d211872d31df1a2c51b831619c3ad93a3
                                          • Opcode Fuzzy Hash: 2ad0897ec73678e375a86e803bd7753b641b99e458363434b9827546add0ad69
                                          • Instruction Fuzzy Hash: 4F41F972A003119BC7149F38DC94B7ABBE8EB45361F24462AF966C76D0EB30D94487B0
                                          APIs
                                          • GetConsoleOutputCP.KERNEL32(F8F9577D,?,00000000,?), ref: 00D71DFE
                                            • Part of subcall function 00D6A9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00D66F5E,?,00000000,-00000008), ref: 00D6AA67
                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D72059
                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D720A1
                                          • GetLastError.KERNEL32 ref: 00D72144
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                          • String ID:
                                          • API String ID: 2112829910-0
                                          • Opcode ID: e8d0b3e28ee0a1ff9722b35fd9b5eac2196a206f48bae8ac4b437991fd7a8616
                                          • Instruction ID: d02966af6414eefad856f53dc8f3abc9ea8905fc174bfe6e568a9a3af10d9d6e
                                          • Opcode Fuzzy Hash: e8d0b3e28ee0a1ff9722b35fd9b5eac2196a206f48bae8ac4b437991fd7a8616
                                          • Instruction Fuzzy Hash: 9DD14875D002989FCB15CFA8D880AADBBB5FF09310F18856AE959EB351E730A945CF60
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: _strcspn$H_prolog3_ctype
                                          • String ID:
                                          • API String ID: 838279627-0
                                          • Opcode ID: ee6f11969fcb13c358f93094a7620807c318a4af2e0926fc271b31e761a25227
                                          • Instruction ID: 5133458ffcdf0891f589d8c4436e05c53362dae1b4609b47b88befc0547ad8e8
                                          • Opcode Fuzzy Hash: ee6f11969fcb13c358f93094a7620807c318a4af2e0926fc271b31e761a25227
                                          • Instruction Fuzzy Hash: 53B138B5D00249AFDF15DF98C881AEEBBB9FF48310F184019E845AB255D730AE56CBB0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: _strcspn$H_prolog3_ctype
                                          • String ID:
                                          • API String ID: 838279627-0
                                          • Opcode ID: 3bbc77846cf4d9c6fcfcc556a5916f41b024ff3fb2fcbe46ca68cca7deacb6e4
                                          • Instruction ID: 54044dbbe88c72d0a78e818e787204cc353bb6981d5207c6681ff4785c6e421a
                                          • Opcode Fuzzy Hash: 3bbc77846cf4d9c6fcfcc556a5916f41b024ff3fb2fcbe46ca68cca7deacb6e4
                                          • Instruction Fuzzy Hash: 84B13975D002499FDF14DF98D981AEEBBBAEF08310F184029E845AB216D770AE46CF71
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: AdjustPointer
                                          • String ID:
                                          • API String ID: 1740715915-0
                                          • Opcode ID: 4f7a011b0f607108bbec2824a9b12a0f0a9407b3f1e8a85dd7d1449a03bd68e3
                                          • Instruction ID: dcea22c1f5385a09dd4f2e1286c94f4b0cfa694b6fa351f6971f9ae9fbe0947d
                                          • Opcode Fuzzy Hash: 4f7a011b0f607108bbec2824a9b12a0f0a9407b3f1e8a85dd7d1449a03bd68e3
                                          • Instruction Fuzzy Hash: FF51D372600B069FDF2A8F14E865B7A77B4EF04312F184629ED4587299E731EC88C7B0
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf5b659e7c6a56aedaa6d2ba1ba68e7e6e25da88532113a95781700ff308d7bd
                                          • Instruction ID: 52b27bcdc0b478d9ec4ae22b960407dabdd1797ef244ba3c39652ba789740add
                                          • Opcode Fuzzy Hash: cf5b659e7c6a56aedaa6d2ba1ba68e7e6e25da88532113a95781700ff308d7bd
                                          • Instruction Fuzzy Hash: C821CA31604A06AF9B30AFA4DCA2C7A77A8EF443607144925FC2697290EB30ED009BB0
                                          APIs
                                          • GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 00D36FB7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID: > returned:$Call to ShellExecute() for verb<$Last error=
                                          • API String ID: 1452528299-1781106413
                                          • Opcode ID: 10eddc1690507864194c91e70c6f42fbdcc87c5848e9d2f57f4a41a684ebc407
                                          • Instruction ID: 23d07343b8052513a2a9ec9eeb6a6f7489efd979780e5135e68a0ea5ee0297c5
                                          • Opcode Fuzzy Hash: 10eddc1690507864194c91e70c6f42fbdcc87c5848e9d2f57f4a41a684ebc407
                                          • Instruction Fuzzy Hash: 8E21A449B1062187CB342F38D40137AA6F0EF54754F69487FE8C8D7390FA698C8283B5
                                          APIs
                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,F8F9577D), ref: 00D3CD1C
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D3CD3C
                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D3CD6D
                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D3CD86
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateHandlePointerWrite
                                          • String ID:
                                          • API String ID: 3604237281-0
                                          • Opcode ID: dab1eaa827b5e7270560c563412c272ea7afa27433bff7c211ce007c5cc503c4
                                          • Instruction ID: 1d9e66d272614107c517c2de1c4e2e9d16ca5d59a8b6aa3df8e75c7eac66f92a
                                          • Opcode Fuzzy Hash: dab1eaa827b5e7270560c563412c272ea7afa27433bff7c211ce007c5cc503c4
                                          • Instruction Fuzzy Hash: 92217F70941315ABD7209F54DC09FAEBBB8EB05B14F104669F515B73D0E7B46A0487F4
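The two entries above that list raw Win32 calls (the LocalAlloc/LocalFree/CloseHandle function at 00D32569 and the CreateFileW/SetFilePointer/WriteFile/CloseHandle function at 00D3CD1C) read much more easily once the hexadecimal arguments are decoded with the Win32 SDK constant values: CreateFileW(..., 40000000, 00000001, ..., 00000004, 00000080, ...) is GENERIC_WRITE, FILE_SHARE_READ, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, and SetFilePointer(..., 00000002, ...) seeks with FILE_END, so the function opens or creates a file, seeks to its end, writes, and closes: an append primitive. The following is an added example, not part of the Joe Sandbox report or its IDA plugin output: a small Python parser for the report's "APIs" bullet lines that decodes those flag arguments and labels the file-write pattern. The sample lines are copied from the two entries above; the function and table names are the example's own, and the remark that stack slots past a call's declared parameter count repeat earlier values (the CreateFileW arguments reappear after SetFilePointer's four) is an interpretation of the printed argument window, not something the report states.

```python
# Added example (not from the Joe Sandbox report): parse the report's "APIs"
# bullet lines and decode Win32 flag arguments with the SDK constant values.
import re
from dataclasses import dataclass
from typing import Optional

# Api.MODULE(args), ref: addr  -- with optional "Part of subcall function X:" prefix
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w:~]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRIBUTES = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
              0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                      # argument window as printed; '?' = unresolved
    ref: int                        # call-site address
    subcall_of: Optional[int] = None

    def int_arg(self, i: int) -> Optional[int]:
        """Argument i as an int, or None when it is '?' or not a hex number."""
        if i >= len(self.args) or not re.fullmatch(r"-?[0-9A-Fa-f]{1,16}", self.args[i]):
            return None
        return int(self.args[i], 16)


def parse_api_lines(text: str) -> list:
    """ApiCall records for every matching bullet line; headers and other text are skipped."""
    calls = []
    for raw in text.splitlines():
        m = API_LINE.match(raw.strip().lstrip("•").strip())
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            sub = m.group("sub")
            calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                 int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def decode_flags(value: int, table: dict) -> list:
    """Names of the known bits in value; leftover bits are reported as hex."""
    names = [name for bit, name in table.items() if (value & bit) == bit]
    rest = value & ~sum(table) & 0xFFFFFFFF      # keys are distinct bits, so sum == OR
    return names + ([f"0x{rest:08X}"] if rest else [])


def describe_create_file(call: ApiCall) -> dict:
    """Decode CreateFileA/W parameters 1, 2, 4 and 5. Slots past parameter 6 are not
    parameters: in the report they repeat values already on the stack (interpretation)."""
    access, share, disp, attrs = (call.int_arg(i) for i in (1, 2, 4, 5))
    return {"access": None if access is None else decode_flags(access, GENERIC_ACCESS),
            "share": None if share is None else decode_flags(share, SHARE_MODE),
            "disposition": CREATION.get(disp, disp),
            "attributes": None if attrs is None else decode_flags(attrs, ATTRIBUTES)}


def move_method(call: ApiCall):
    """dwMoveMethod (parameter 3) of SetFilePointer."""
    return MOVE_METHOD.get(call.int_arg(3), call.int_arg(3))


def local_alloc_flags(call: ApiCall) -> list:
    """uFlags (parameter 0) of LocalAlloc; 0x40 is LPTR = LMEM_FIXED | LMEM_ZEROINIT."""
    flags = call.int_arg(0)
    if flags is None:
        return []
    return ["LMEM_MOVEABLE" if flags & 0x2 else "LMEM_FIXED"] + (["LMEM_ZEROINIT"] if flags & 0x40 else [])


def classify_file_sequence(calls: list) -> Optional[str]:
    """CreateFile(GENERIC_WRITE) -> SetFilePointer(FILE_END) -> WriteFile is an append;
    the same without the end-seek is a plain write."""
    create = next((c for c in calls if c.api in ("CreateFileW", "CreateFileA")
                   and "GENERIC_WRITE" in (describe_create_file(c)["access"] or [])), None)
    if create is None:
        return None
    write = next((c for c in calls if c.api == "WriteFile" and c.ref > create.ref), None)
    if write is None:
        return "open_for_write"
    seek_end = any(c.api == "SetFilePointer" and create.ref < c.ref < write.ref
                   and move_method(c) == "FILE_END" for c in calls)
    return "append_to_file" if seek_end else "write_file"


# Constructed input: API lines copied verbatim from the two report entries above.
LOCAL_ALLOC_ENTRY = """
• LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D31434,?,00000000), ref: 00D32569
• LocalFree.KERNEL32(?,00D31434,?,00000000), ref: 00D325DF
"""
FILE_WRITE_ENTRY = """
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,F8F9577D), ref: 00D3CD1C
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D3CD3C
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D3CD6D
• CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D3CD86
"""

if __name__ == "__main__":
    calls = parse_api_lines(FILE_WRITE_ENTRY)
    print(describe_create_file(calls[0]), move_method(calls[1]), classify_file_sequence(calls))
    print(local_alloc_flags(parse_api_lines(LOCAL_ALLOC_ENTRY)[0]))
```

A `?` in the printed argument window means the static pass could not resolve that slot, so `int_arg` returns None rather than guessing; only the positions inside a function's declared parameter count are decoded, and anything after them (for instance the CreateFileW values that reappear after SetFilePointer's four parameters) is left as printed.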
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D3D7EE
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3D7F8
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D3D849
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3D869
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 05b5c7cd1b36022b3d8d2efe0ea8b485fb4a8d5d7028fb03713f80f77f3426de
                                          • Instruction ID: 64f0a0d34d4fe987e562ff23c6e5211c5034434456e2b36cf3157895d449fb6e
                                          • Opcode Fuzzy Hash: 05b5c7cd1b36022b3d8d2efe0ea8b485fb4a8d5d7028fb03713f80f77f3426de
                                          • Instruction Fuzzy Hash: 6101C031900615DBCB15FB64E8426BEBBA2EF80720F280409F901AB3D1DF70AE01CBB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D427A9
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D427B3
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D42804
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42824
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 3dc17a689873089709b46d9c2d161b923b9688cd7ed80cbf0df8024e46c9bdba
                                          • Instruction ID: c4c80b0b35564c1805e4ce052ae4ca219591b5ad9b81cdc9c4b50d0a143181f9
                                          • Opcode Fuzzy Hash: 3dc17a689873089709b46d9c2d161b923b9688cd7ed80cbf0df8024e46c9bdba
                                          • Instruction Fuzzy Hash: AE01C035900215DBCB05EBA49841ABE7771FF84720F680409F904AB3D2DF709E05CBB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D3D759
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3D763
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D3D7B4
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D3D7D4
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: c26d4bf274053acdd8176895571712870e5c50ef8e3606492918299cd70a75bb
                                          • Instruction ID: b8ccf9375fe250a875eaeb736ea327aff59c0b2b6e39394b8593c138345d04b6
                                          • Opcode Fuzzy Hash: c26d4bf274053acdd8176895571712870e5c50ef8e3606492918299cd70a75bb
                                          • Instruction Fuzzy Hash: 5C01C075900215DFCB04EB60A8416AEB7A2EF80310F280809F916AB3D1DF709E048BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42714
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4271E
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D4276F
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4278F
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 9e1c6a4ec1d1f3d1cdaf041efe6a03675f546246656439a1cde8c3f9b97822e3
                                          • Instruction ID: 93afcae08c6006f3a904a929ff87fa8b37fb5e04e90ee246f777ae7b9636f08d
                                          • Opcode Fuzzy Hash: 9e1c6a4ec1d1f3d1cdaf041efe6a03675f546246656439a1cde8c3f9b97822e3
                                          • Instruction Fuzzy Hash: B401CC75900219DBCB08FB649845ABEBBB1FF84711F280909F814AB3D2DF709E058BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D428D3
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D428DD
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D4292E
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4294E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 7b4841df9411f378d053653a854c50f3b0f3bd4ad3a5ebcd834c171cf1105f60
                                          • Instruction ID: 4f8fe09ca9431c77ba29d0fb3d6e5b391d0e107d25b58c73e3f86eb9fab335ee
                                          • Opcode Fuzzy Hash: 7b4841df9411f378d053653a854c50f3b0f3bd4ad3a5ebcd834c171cf1105f60
                                          • Instruction Fuzzy Hash: 2F01D231900615DBCB04EB64D851ABE7BB2EF84720F280809F914AB3D2DF709E058BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4283E
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42848
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D42899
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D428B9
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: da5e55ea88c417d2868f2b570093fcf8e31c98e10bcd1a9d5fdaf1561419a235
                                          • Instruction ID: 85a3fbf081bd452f0a172e12b5cd447c290cbb6ca3fd60ea84d893e9518975db
                                          • Opcode Fuzzy Hash: da5e55ea88c417d2868f2b570093fcf8e31c98e10bcd1a9d5fdaf1561419a235
                                          • Instruction Fuzzy Hash: F501C071900625DBCB04EBA4D841ABE7BA1FF80710F280909F814AB3D2DF709E048BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4E974
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4E97E
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D4E9CF
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4E9EF
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: cee1969b899a5feb84d1d37e43e8af6ff5c3c4df460f0d730c3c1af3dfc112fc
                                          • Instruction ID: 562983c5e698c221a04b330fea540d733898430d006386ec5a44effde7218543
                                          • Opcode Fuzzy Hash: cee1969b899a5feb84d1d37e43e8af6ff5c3c4df460f0d730c3c1af3dfc112fc
                                          • Instruction Fuzzy Hash: 3301D231900225EBCB05FB64D8416BEBBA1FF80311F290549F910AB3D2DF709E008BB5
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4EA09
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4EA13
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D4EA64
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4EA84
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: cad7747c740235e97a5015b979de64f7801c15033afffb36eb445604ac447a29
                                          • Instruction ID: 2b33811b37bdcffd6ccf8d6d11c2b3cbb2d4054cd607217a82d818b8b93a5c6b
                                          • Opcode Fuzzy Hash: cad7747c740235e97a5015b979de64f7801c15033afffb36eb445604ac447a29
                                          • Instruction Fuzzy Hash: E701C035900225EBCB04FB6098466AE7B61FF84720F2A0909F800AB3D2DF709E058BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4EBC8
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4EBD2
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D4EC23
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4EC43
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: b3d02cc8c11c4853eec8f1efe75df75afb379da5d448cf9985d817360e3c89da
                                          • Instruction ID: 22dc2e94802af95ac707ddfa699fae6b31a7a2ade32578eceab4c2c16584c351
                                          • Opcode Fuzzy Hash: b3d02cc8c11c4853eec8f1efe75df75afb379da5d448cf9985d817360e3c89da
                                          • Instruction Fuzzy Hash: CB01C031900215EBCB14FB6098466BE77B1FF80310F280949F914AB3D2DF70AE008BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42BBC
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42BC6
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D42C17
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42C37
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 0e49d4fd3fbb4a4e10d18ad4becd5222b71ca8c2cf4f05d712ff7f67ea4cdd18
                                          • Instruction ID: e9b4afaee91f4a83488103d5a0b8afc6f8646260bac32952800d7ba6cc482988
                                          • Opcode Fuzzy Hash: 0e49d4fd3fbb4a4e10d18ad4becd5222b71ca8c2cf4f05d712ff7f67ea4cdd18
                                          • Instruction Fuzzy Hash: A901C035900619DBCB18FBA498416BEB7B1EF80310F294809F900AB3D2DF709E04CBB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42CE6
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42CF0
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D42D41
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42D61
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 83dbd395df01ed5d334958aac774830644e24d3e8d978e1083ecfdffff3340c8
                                          • Instruction ID: 7f0e75ef02d4c5ff2771fd2c8ef5baea26e9305477baab5d40f01bad30c9f845
                                          • Opcode Fuzzy Hash: 83dbd395df01ed5d334958aac774830644e24d3e8d978e1083ecfdffff3340c8
                                          • Instruction Fuzzy Hash: 9D01A935900219DBCB15BB60A841ABEBBA1EF84710F280509F904AB3D2DFB09E05CBB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D4EC5D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D4EC67
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D4ECB8
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D4ECD8
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 5454a88d9dde1469bba536bb8f770a4b1cd4213edb5af1aa89887b3a3b45d87b
                                          • Instruction ID: c16adda8791c37cbfebe879edadba208d0144bf31ca8c60e1f4aed659b1b8406
                                          • Opcode Fuzzy Hash: 5454a88d9dde1469bba536bb8f770a4b1cd4213edb5af1aa89887b3a3b45d87b
                                          • Instruction Fuzzy Hash: B301C031900215EBCB05FB64D881AAE7B61FF80320F290419F801AB3D1DF749E018BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42C51
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42C5B
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D42CAC
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42CCC
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 0a294f2b451b9df252b217afff0d2e7650d815b1937121a4d110907e05970155
                                          • Instruction ID: 30026536d17c1e9c424e821870cff97cfbf06f71c6564377ecc1fbef231b1dd7
                                          • Opcode Fuzzy Hash: 0a294f2b451b9df252b217afff0d2e7650d815b1937121a4d110907e05970155
                                          • Instruction Fuzzy Hash: A601DE35901219DBCB18EBA4D8816BEBBB1EF80720F690409F910AB3D1DF709E00CBB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42EA5
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42EAF
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D42F00
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42F20
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: fc0255cba1a89932eae09363c0508fdcc8bb85ff33df06892c970018943d6043
                                          • Instruction ID: 85aaac30478b830386b49256c67faad26fcda09756db4e1c8e9be63d36635ccc
                                          • Opcode Fuzzy Hash: fc0255cba1a89932eae09363c0508fdcc8bb85ff33df06892c970018943d6043
                                          • Instruction Fuzzy Hash: 94016D35900619DBCB05EB649841ABE7771FF84710FA90559F914AB3D2DF709E048BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42E10
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42E1A
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D42E6B
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42E8B
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 17250e62ae3730952934387c02a5d8954c548aca26bc103b5766a6954a363ffa
                                          • Instruction ID: 862e6d5d2b374efb3c09289beed35bf4a7c60e0a44003edad5e3e6517e6a075b
                                          • Opcode Fuzzy Hash: 17250e62ae3730952934387c02a5d8954c548aca26bc103b5766a6954a363ffa
                                          • Instruction Fuzzy Hash: CC01CC36900619DBCB04FB64D841ABEBBA1FF94710F680919F914AB3D2DF709E058BB1
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00D42F3A
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D42F44
                                            • Part of subcall function 00D38C20: std::_Lockit::_Lockit.LIBCPMT ref: 00D38C50
                                            • Part of subcall function 00D38C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00D38C78
                                          • std::_Facet_Register.LIBCPMT ref: 00D42F95
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00D42FB5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                          • String ID:
                                          • API String ID: 2854358121-0
                                          • Opcode ID: 81b28ed6890f52c0825740dc274e82e77ca2d2ff39a91002a9f9f3e2f978ce88
                                          • Instruction ID: 84669606c1bc5ca9669b9945a855a8867e3cb7bbe084208134f0a98da9f102c1
                                          • Opcode Fuzzy Hash: 81b28ed6890f52c0825740dc274e82e77ca2d2ff39a91002a9f9f3e2f978ce88
                                          • Instruction Fuzzy Hash: C601C031900615DBCB04EBA09841ABEBBB1FF84710F680909F904AB3D2DF709E04CBB1
                                          APIs
                                          • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00D73053,?,00000001,?,?,?,00D72198,?,?,00000000), ref: 00D7369D
                                          • GetLastError.KERNEL32(?,00D73053,?,00000001,?,?,?,00D72198,?,?,00000000,?,?,?,00D7271F,?), ref: 00D736A9
                                            • Part of subcall function 00D7366F: CloseHandle.KERNEL32(FFFFFFFE,00D736B9,?,00D73053,?,00000001,?,?,?,00D72198,?,?,00000000,?,?), ref: 00D7367F
                                          • ___initconout.LIBCMT ref: 00D736B9
                                            • Part of subcall function 00D73631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D73660,00D73040,?,?,00D72198,?,?,00000000,?), ref: 00D73644
                                          • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00D73053,?,00000001,?,?,?,00D72198,?,?,00000000,?), ref: 00D736CE
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                          • String ID:
                                          • API String ID: 2744216297-0
                                          • Opcode ID: fe6be777031856ba624e7e8a998c3c6b4fb29d7d199ec1b6d7971edd7039f6e7
                                          • Instruction ID: 1647d88535df6b7b068a555393c3008cb149769c7d7ca3d009dc33e090dfd580
                                          • Opcode Fuzzy Hash: fe6be777031856ba624e7e8a998c3c6b4fb29d7d199ec1b6d7971edd7039f6e7
                                          • Instruction Fuzzy Hash: E6F0C936514258BBCF626F95EC09D9E3F66FB087A1B448450FE1DD6330E6328960EBB1
                                          APIs
                                          • SleepConditionVariableCS.KERNELBASE(?,00D52CBD,00000064), ref: 00D52D43
                                          • LeaveCriticalSection.KERNEL32(00D8DD3C,?,?,00D52CBD,00000064,?,?,?,00D323B6,00D8E638,F8F9577D,?,?,00D73D6D,000000FF), ref: 00D52D4D
                                          • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00D52CBD,00000064,?,?,?,00D323B6,00D8E638,F8F9577D,?,?,00D73D6D,000000FF), ref: 00D52D5E
                                          • EnterCriticalSection.KERNEL32(00D8DD3C,?,00D52CBD,00000064,?,?,?,00D323B6,00D8E638,F8F9577D,?,?,00D73D6D,000000FF), ref: 00D52D65
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                          • String ID:
                                          • API String ID: 3269011525-0
                                          • Opcode ID: 2c19e5d01aa46592f4580c32359b662b7ef6a59eaeb86d320ca75e4d9d874d57
                                          • Instruction ID: baf588b69e96e898516a7a03b6259133bcc094b2ddf8d4e9819c3c4d42492b35
                                          • Opcode Fuzzy Hash: 2c19e5d01aa46592f4580c32359b662b7ef6a59eaeb86d320ca75e4d9d874d57
                                          • Instruction Fuzzy Hash: ADE09232505324BBCB123B40EC08ADE3F3AAF05F11B000411FD09A63F2E66059458BF1
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00D3EC8E
                                            • Part of subcall function 00D3D87C: __EH_prolog3.LIBCMT ref: 00D3D883
                                            • Part of subcall function 00D3D87C: std::_Lockit::_Lockit.LIBCPMT ref: 00D3D88D
                                            • Part of subcall function 00D3D87C: std::_Lockit::~_Lockit.LIBCPMT ref: 00D3D8FE
                                          • _Find_elem.LIBCPMT ref: 00D3EE8A
                                          Strings
                                          • 0123456789ABCDEFabcdef-+Xx, xrefs: 00D3ECF6
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                          • String ID: 0123456789ABCDEFabcdef-+Xx
                                          • API String ID: 2544715827-2799312399
                                          • Opcode ID: ee11914fc8670e7a2637c4245231dc0ea6a2be04cd0821f527f620bb348c9d25
                                          • Instruction ID: 446c84ebddea9cf2920bf7df52846888cbca83d9115181f7d79d62180bcb2423
                                          • Opcode Fuzzy Hash: ee11914fc8670e7a2637c4245231dc0ea6a2be04cd0821f527f620bb348c9d25
                                          • Instruction Fuzzy Hash: D6C16A35E042989FDF25DBA8C550BECBBB2AF55300F2840A9E8856B2C7D7709D46CB70
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00D462C8
                                            • Part of subcall function 00D42D74: __EH_prolog3.LIBCMT ref: 00D42D7B
                                            • Part of subcall function 00D42D74: std::_Lockit::_Lockit.LIBCPMT ref: 00D42D85
                                            • Part of subcall function 00D42D74: std::_Lockit::~_Lockit.LIBCPMT ref: 00D42DF6
                                          • _Find_elem.LIBCPMT ref: 00D46502
                                          Strings
                                          • 0123456789ABCDEFabcdef-+Xx, xrefs: 00D4633F
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                          • String ID: 0123456789ABCDEFabcdef-+Xx
                                          • API String ID: 2544715827-2799312399
                                          • Opcode ID: 573cee440923d593fe012e1b63828d05d8b0a606c11d1541e89c98f15fcc4381
                                          • Instruction ID: 9c0bc6d499b5099cc446f062e7e4eb57462e0333aeee9c8ad105703774ecbdfb
                                          • Opcode Fuzzy Hash: 573cee440923d593fe012e1b63828d05d8b0a606c11d1541e89c98f15fcc4381
                                          • Instruction Fuzzy Hash: 6CC19870E042588FDF25DF68C4457ADBBB1BF12704F584099D88AAB286DB34DC85DB72
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00D4669E
                                            • Part of subcall function 00D3B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00D3B8DD
                                            • Part of subcall function 00D3B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00D3B900
                                            • Part of subcall function 00D3B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D3B928
                                            • Part of subcall function 00D3B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D3B9B7
                                          • _Find_elem.LIBCPMT ref: 00D468D8
                                          Strings
                                          • 0123456789ABCDEFabcdef-+Xx, xrefs: 00D46715
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                          • String ID: 0123456789ABCDEFabcdef-+Xx
                                          • API String ID: 3042121994-2799312399
                                          • Opcode ID: 37f5ee603070b57d554b4b45fe45999aa6d5596040799c89cb03c8767c595315
                                          • Instruction ID: aae83d7d69c53a0d171b98de3f4e1e128752106b2dc7b64c072e076b2a5fbba9
                                          • Opcode Fuzzy Hash: 37f5ee603070b57d554b4b45fe45999aa6d5596040799c89cb03c8767c595315
                                          • Instruction Fuzzy Hash: AEC18670E042588FDF25DF64C8557ACBBB1BF12304F588099D88AAB282DB74DD85DB72
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: __aulldiv
                                          • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                          • API String ID: 3732870572-1956417402
                                          • Opcode ID: 236e20a3da681e3e03a430f84bf9e8c5f6c851830aaad37846ee2787545a15c3
                                          • Instruction ID: 2d991bed6bba590d09bdffce8e55f77e0164ee965e1369cd9d1c8683fab6cd2e
                                          • Opcode Fuzzy Hash: 236e20a3da681e3e03a430f84bf9e8c5f6c851830aaad37846ee2787545a15c3
                                          • Instruction Fuzzy Hash: 8651F335B04285AADF258E6CC8867BE7BF5AF06353F18405AEC91D7281C3748949CB71
                                          APIs
                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00D3BF6E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Concurrency::cancel_current_task
                                          • String ID: false$true
                                          • API String ID: 118556049-2658103896
                                          • Opcode ID: 52e7ba9145c6bffb1dde1a747fcd551af4df028478838fa5313ae255ff3f98ed
                                          • Instruction ID: b7c4a054dfb6c7b2de321460f22481ddf852c21bc51706cfb33e679b207d899a
                                          • Opcode Fuzzy Hash: 52e7ba9145c6bffb1dde1a747fcd551af4df028478838fa5313ae255ff3f98ed
                                          • Instruction Fuzzy Hash: 8E51D5B5D007489FDB10DFA4C841BEEB7B8FF05314F14426AE945AB241E774AA89CBB1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \\?\$\\?\UNC\
                                          • API String ID: 0-3019864461
                                          • Opcode ID: ff723756c419bcdd42de32c568cc7f9ac6a149b8c20ad5735b518787e1c94f31
                                          • Instruction ID: 68b745c4dcb5b4ef5fa714e172c12f5ca88e608071ee1569b043721185f4e16b
                                          • Opcode Fuzzy Hash: ff723756c419bcdd42de32c568cc7f9ac6a149b8c20ad5735b518787e1c94f31
                                          • Instruction Fuzzy Hash: 3C51C0B1A14B049BDB24DFA8C885BAEB7F5FF44344F14451DE801A7280DBB4A988CBB4
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00D4D501
                                          • _swprintf.LIBCMT ref: 00D4D573
                                            • Part of subcall function 00D4254E: __EH_prolog3.LIBCMT ref: 00D42555
                                            • Part of subcall function 00D4254E: std::_Lockit::_Lockit.LIBCPMT ref: 00D4255F
                                            • Part of subcall function 00D4254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00D425D0
                                            • Part of subcall function 00D42FC8: __EH_prolog3.LIBCMT ref: 00D42FCF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
                                          • String ID: %.0Lf
                                          • API String ID: 3050236999-1402515088
                                          • Opcode ID: 6235f1bf351532fd3a86f8816baa12c7be3216080542e8ba345e3fc68bb5cecc
                                          • Instruction ID: 3b1fdaa9c78f915e7fb371eec3906cf9b1ebc24d4bdc008dd9b99f9782f3a995
                                          • Opcode Fuzzy Hash: 6235f1bf351532fd3a86f8816baa12c7be3216080542e8ba345e3fc68bb5cecc
                                          • Instruction Fuzzy Hash: 06415971E00309ABCF05EFE4D845AEDBBB5FF08304F208549E846AB295EB759915CFA0
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00D4D7A5
                                          • _swprintf.LIBCMT ref: 00D4D817
                                            • Part of subcall function 00D38610: std::_Lockit::_Lockit.LIBCPMT ref: 00D38657
                                            • Part of subcall function 00D38610: std::_Lockit::_Lockit.LIBCPMT ref: 00D38679
                                            • Part of subcall function 00D38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D386A1
                                            • Part of subcall function 00D38610: std::_Lockit::~_Lockit.LIBCPMT ref: 00D3880E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                          • String ID: %.0Lf
                                          • API String ID: 1487807907-1402515088
                                          • Opcode ID: 97265444bdc2545f13dac829b46fa502fa4c70951b72088e75323691b66bab29
                                          • Instruction ID: 3f8e3c8a06ecc1429cf76f4a1d67da2861aabbb73a80d1cac18281ccacf5d7a3
                                          • Opcode Fuzzy Hash: 97265444bdc2545f13dac829b46fa502fa4c70951b72088e75323691b66bab29
                                          • Instruction Fuzzy Hash: DB416A75E00309ABCF05DFE4D845AEEBBB5FF08300F208459E846AB295EB359915CFA0
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00D5188E
                                          • _swprintf.LIBCMT ref: 00D51900
                                            • Part of subcall function 00D39270: std::_Lockit::_Lockit.LIBCPMT ref: 00D392A0
                                            • Part of subcall function 00D39270: std::_Lockit::_Lockit.LIBCPMT ref: 00D392C2
                                            • Part of subcall function 00D39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D392EA
                                            • Part of subcall function 00D39270: std::_Lockit::~_Lockit.LIBCPMT ref: 00D39422
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                          • String ID: %.0Lf
                                          • API String ID: 1487807907-1402515088
                                          • Opcode ID: cfbf1298961352935115eecac548d1cd332e20de209e0b6e027975c273dc0ac3
                                          • Instruction ID: b83cb3ccdf19b450177a5d725b4fee65b2f87887238c514b030ccbb6f6cd2697
                                          • Opcode Fuzzy Hash: cfbf1298961352935115eecac548d1cd332e20de209e0b6e027975c273dc0ac3
                                          • Instruction Fuzzy Hash: 13418A75E00308ABCF05DFD4D855ADDBBB5FF08300F208549E856AB291EB359919CFA4
                                          APIs
                                          • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00D5607E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                           • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: EncodePointer
                                          • String ID: MOC$RCC
                                          • API String ID: 2118026453-2084237596
                                          • Opcode ID: aecd91ace8c7cf66c2b945d6b7eead029778beac15fee6725833f67b45d005f8
                                          • Instruction ID: af24c1eae4d6bf5a8198385e15a59bfdb09fc101195e583845fe8a181962eb2b
                                          • Opcode Fuzzy Hash: aecd91ace8c7cf66c2b945d6b7eead029778beac15fee6725833f67b45d005f8
                                          • Instruction Fuzzy Hash: F9416671900609EFCF16DF98CC81EAEBBB5EF48305F188159FD18A7252D235D954DB60
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: H_prolog3___cftoe
                                          • String ID: !%x
                                          • API String ID: 855520168-1893981228
                                          • Opcode ID: b30674f0623f70cecbe72baea5def662a60e769b208936bcb034eb3d556a7b8e
                                          • Instruction ID: ce2cd41e2c4697437ae84392b096e297e99104e3e9847ac656551f19335a3d58
                                          • Opcode Fuzzy Hash: b30674f0623f70cecbe72baea5def662a60e769b208936bcb034eb3d556a7b8e
                                          • Instruction Fuzzy Hash: 7D314471D00209EBDF04EF94E881AEEB7B6FF08305F204429F805A7251EB75AA49CB74
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: H_prolog3___cftoe
                                          • String ID: !%x
                                          • API String ID: 855520168-1893981228
                                          • Opcode ID: 3a85137eb09a669c6abce7fe7268daa324e43c0658a78180ec6285a0a6181a3f
                                          • Instruction ID: 80e1ecd064a8b657c9996a64097d5c137c4649aa2aa6ee7c5fd6fa699781555c
                                          • Opcode Fuzzy Hash: 3a85137eb09a669c6abce7fe7268daa324e43c0658a78180ec6285a0a6181a3f
                                          • Instruction Fuzzy Hash: D5314736915258AFDF05DF98E881BEEBBB5EF18305F140019FC44A7242D7759A4ACBB0
                                          APIs
                                          • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00D35F86
                                          • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,F8F9577D), ref: 00D35FF6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: ConvertFreeLocalString
                                          • String ID: Invalid SID
                                          • API String ID: 3201929900-130637731
                                          • Opcode ID: 7b2e1532f437ca990d182f56748f4bb575241785cea8c1a7c7e02a4b809663da
                                          • Instruction ID: 1df31cd40687213cbe6772ec64f1faa6458778d1ecee7418ec3bef454ee53c80
                                          • Opcode Fuzzy Hash: 7b2e1532f437ca990d182f56748f4bb575241785cea8c1a7c7e02a4b809663da
                                          • Instruction Fuzzy Hash: FC216A74A046099BDB149F58D815BAFBBF8EF44714F144A1EE405A7380D7BAAA448BE0
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00D3909B
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D390FE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                          • String ID: bad locale name
                                          • API String ID: 3988782225-1405518554
                                          • Opcode ID: 8db1144739d390a08302267b7fadf850b92f78b42fd4c97a8a984a7532b35505
                                          • Instruction ID: 8ccb93cc7e57fb4c4aeb3c3cdee3c984187300388cf93a1ff51270b77894e871
                                          • Opcode Fuzzy Hash: 8db1144739d390a08302267b7fadf850b92f78b42fd4c97a8a984a7532b35505
                                          • Instruction Fuzzy Hash: C721AE70805B84EED721CFA8C90474BBFE4EF19710F14869DE49997781D3B9AA088BB1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: H_prolog3_
                                          • String ID: false$true
                                          • API String ID: 2427045233-2658103896
                                          • Opcode ID: 90338ef4d8c14848e36d8fb510b47580420c49f49a9c7dd68610f7771d81eae1
                                          • Instruction ID: 4bad50537b7f11791bc35f29f6e165349afafbb79f8c436c67c1b2559525e282
                                          • Opcode Fuzzy Hash: 90338ef4d8c14848e36d8fb510b47580420c49f49a9c7dd68610f7771d81eae1
                                          • Instruction Fuzzy Hash: 98118E75941B85AFCB24EFB4D841B8AB7F4AB05300F04C52AE596DB641EB70E5488B70
                                          APIs
                                          • LocalFree.KERNEL32(00000000,00D34261,00D74400,000000FF,F8F9577D,00000000,?,00000000,?,?,?,00D74400,000000FF,?,00D33A75,?), ref: 00D34096
                                          • LocalAlloc.KERNEL32(00000040,40000022,F8F9577D,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D34154
                                          • LocalAlloc.KERNEL32(00000040,3FFFFFFF,F8F9577D,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D34177
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D34217
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Local$AllocFree
                                          • String ID:
                                          • API String ID: 2012307162-0
                                          • Opcode ID: fbf81ac5950b863f107e619179915dbc64aa77d0132ca6b5d66c8f1899dd7e9e
                                          • Instruction ID: 0b0d134579dbfc07344ae81fe70d554a806d7ceda44ffadeb3c340ef46d4dc81
                                          • Opcode Fuzzy Hash: fbf81ac5950b863f107e619179915dbc64aa77d0132ca6b5d66c8f1899dd7e9e
                                          • Instruction Fuzzy Hash: 8451A075A006059FDB18DF6CC985AAEBBB5FB48350F14462DF925E7380D734AD40CBA4
                                          APIs
                                          • LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 00D31E01
                                          • LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 00D31E21
                                          • LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 00D31EA7
                                          • LocalFree.KERNEL32(00000001,F8F9577D,00000000,00000000,00D73C40,000000FF,?,00000000), ref: 00D31F2D
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.2222630759.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                                          • Associated: 00000004.00000002.2222604228.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222684372.0000000000D77000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222712538.0000000000D8C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000004.00000002.2222736533.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_d30000_MSIC93C.jbxd
                                          Similarity
                                          • API ID: Local$AllocFree
                                          • String ID:
                                          • API String ID: 2012307162-0
                                          • Opcode ID: 43ade357005d6116189ca934e126d04902cdd43ead8d80f278040e4e91a695ef
                                          • Instruction ID: b6c323c71fae0aa56064a9501c4b835d2dc2e8bb8f51eaabe0b74451078f5676
                                          • Opcode Fuzzy Hash: 43ade357005d6116189ca934e126d04902cdd43ead8d80f278040e4e91a695ef
                                          • Instruction Fuzzy Hash: A851E1766042129FC715DF28DC40A6AB7E8FB49360F140A2EFC56E7290DB31D94487B1

                                          Execution Graph

                                          Execution Coverage: 1.6%
                                          Dynamic/Decrypted Code Coverage: 98.2%
                                          Signature Coverage: 11.8%
                                          Total number of Nodes: 718
                                          Total number of Limit Nodes: 18
                                          execution_graph 81345 7ffd93741100 81346 7ffd93741108 81345->81346 81347 7ffd93741114 __scrt_dllmain_crt_thread_attach 81346->81347 81348 7ffd9374111d 81347->81348 81349 7ffd93741121 81347->81349 81349->81348 81351 7ffd9374286c 7 API calls 2 library calls 81349->81351 81351->81348 81352 7ffd93749784 81353 7ffd93749795 __free_lconv_mon 81352->81353 81354 7ffd937497e6 81353->81354 81355 7ffd937497ca HeapAlloc 81353->81355 81359 7ffd937487c8 EnterCriticalSection LeaveCriticalSection __free_lconv_mon 81353->81359 81360 7ffd93748230 11 API calls __free_lconv_mon 81354->81360 81355->81353 81356 7ffd937497e4 81355->81356 81359->81353 81360->81356 81361 23dd31b55c0 81366 23dd31b5609 81361->81366 81365 23dd31b5eed 81366->81365 81399 23dd31d4360 81366->81399 81367 23dd31b57d1 81367->81365 81407 23dd31bf3a0 81367->81407 81369 23dd31b5871 81369->81365 81415 23dd31d4ff0 81369->81415 81372 23dd31d4ff0 NtQueueApcThread 81373 23dd31b5eb0 81372->81373 81373->81365 81374 23dd31b5ec5 81373->81374 81375 23dd31d4ff0 NtQueueApcThread 81373->81375 81374->81365 81376 23dd31d4ff0 NtQueueApcThread 81374->81376 81377 23dd31b5f0e 81375->81377 81378 23dd31b5ee9 81376->81378 81377->81365 81379 23dd31d4ff0 NtQueueApcThread 81377->81379 81378->81365 81380 23dd31d4ff0 NtQueueApcThread 81378->81380 81379->81374 81381 23dd31b5f67 81380->81381 81381->81365 81382 23dd31d4ff0 NtQueueApcThread 81381->81382 81383 23dd31b5f93 81382->81383 81383->81365 81384 23dd31d4ff0 NtQueueApcThread 81383->81384 81385 23dd31b5fbf 81384->81385 81385->81365 81387 23dd31d4ff0 NtQueueApcThread 81385->81387 81388 23dd31b5fd4 81385->81388 81386 23dd31d4ff0 NtQueueApcThread 81389 23dd31b5ff8 81386->81389 81387->81388 81388->81365 81388->81386 81389->81365 81390 23dd31b6033 81389->81390 81392 23dd31d4ff0 NtQueueApcThread 81389->81392 81390->81365 81391 23dd31d4ff0 NtQueueApcThread 81390->81391 81393 23dd31b6057 81391->81393 81392->81390 81393->81365 81394 23dd31d4ff0 NtQueueApcThread 
81393->81394 81395 23dd31b60a9 81394->81395 81395->81365 81396 23dd31d4ff0 NtQueueApcThread 81395->81396 81397 23dd31b60d5 81396->81397 81397->81365 81419 23dd31d3a40 NtProtectVirtualMemory 81397->81419 81401 23dd31d43bd 81399->81401 81400 23dd31b5795 81400->81365 81403 23dd31d45f0 81400->81403 81401->81400 81402 23dd31d444e NtCreateThreadEx 81401->81402 81402->81400 81405 23dd31d4621 81403->81405 81404 23dd31d4686 81404->81367 81405->81404 81406 23dd31d4684 NtDuplicateObject 81405->81406 81406->81404 81408 23dd31bf3bd 81407->81408 81409 23dd31bf3f2 CreateToolhelp32Snapshot 81408->81409 81410 23dd31bf418 Thread32First 81409->81410 81411 23dd31bf610 81409->81411 81410->81411 81413 23dd31bf439 81410->81413 81411->81369 81413->81411 81414 23dd31bf5fa NtResumeThread 81413->81414 81420 23dd31d51c0 81413->81420 81414->81413 81417 23dd31d5011 81415->81417 81416 23dd31b5e84 81416->81365 81416->81372 81417->81416 81418 23dd31d506a NtQueueApcThread 81417->81418 81418->81416 81419->81365 81422 23dd31d51e2 81420->81422 81421 23dd31d523e 81421->81413 81422->81421 81423 23dd31d523c NtReadVirtualMemory 81422->81423 81423->81421 81424 23dd31a7830 81425 23dd31a7885 81424->81425 81426 23dd31a788a InternetOpenW 81424->81426 81425->81426 81427 23dd31a7898 InternetConnectW 81426->81427 81433 23dd31a79e4 81426->81433 81428 23dd31a78dd HttpOpenRequestW 81427->81428 81427->81433 81430 23dd31a7931 81428->81430 81428->81433 81429 23dd31a7b0e InternetCloseHandle 81432 23dd31a7b17 81429->81432 81431 23dd31a79cb HttpSendRequestA 81430->81431 81430->81433 81431->81433 81433->81429 81433->81432 81434 23dd31a71b0 81435 23dd31a71c6 81434->81435 81442 23dd31a2950 81435->81442 81437 23dd31a71f5 81438 23dd31d4360 NtCreateThreadEx 81437->81438 81439 23dd31a730e 81438->81439 81440 23dd31d4ff0 NtQueueApcThread 81439->81440 81441 23dd31a732d 81440->81441 81459 23dd31b16a0 81442->81459 81444 23dd31a2959 81631 23dd31b01a0 81444->81631 81446 23dd31b0f99 81446->81437 81447 23dd31a2963 81447->81446 81835 
23dd31acce0 81447->81835 81450 23dd31acce0 LdrGetProcedureAddress 81451 23dd31b0f13 81450->81451 81452 23dd31acce0 LdrGetProcedureAddress 81451->81452 81453 23dd31b0f3c 81452->81453 81454 23dd31acce0 LdrGetProcedureAddress 81453->81454 81455 23dd31b0f5b 81454->81455 81456 23dd31acce0 LdrGetProcedureAddress 81455->81456 81457 23dd31b0f7a 81456->81457 81458 23dd31acce0 LdrGetProcedureAddress 81457->81458 81458->81446 81460 23dd31b16a9 81459->81460 81461 23dd31b21e1 81460->81461 81462 23dd31acce0 LdrGetProcedureAddress 81460->81462 81461->81444 81463 23dd31b16c8 81462->81463 81464 23dd31acce0 LdrGetProcedureAddress 81463->81464 81465 23dd31b16e0 81464->81465 81466 23dd31acce0 LdrGetProcedureAddress 81465->81466 81467 23dd31b16f8 81466->81467 81468 23dd31acce0 LdrGetProcedureAddress 81467->81468 81469 23dd31b1710 81468->81469 81470 23dd31acce0 LdrGetProcedureAddress 81469->81470 81471 23dd31b1728 81470->81471 81472 23dd31acce0 LdrGetProcedureAddress 81471->81472 81473 23dd31b1740 81472->81473 81474 23dd31acce0 LdrGetProcedureAddress 81473->81474 81475 23dd31b1758 81474->81475 81476 23dd31acce0 LdrGetProcedureAddress 81475->81476 81477 23dd31b1770 81476->81477 81478 23dd31acce0 LdrGetProcedureAddress 81477->81478 81479 23dd31b1788 81478->81479 81480 23dd31acce0 LdrGetProcedureAddress 81479->81480 81481 23dd31b17a0 81480->81481 81482 23dd31acce0 LdrGetProcedureAddress 81481->81482 81483 23dd31b17b8 81482->81483 81484 23dd31acce0 LdrGetProcedureAddress 81483->81484 81485 23dd31b17d0 81484->81485 81486 23dd31acce0 LdrGetProcedureAddress 81485->81486 81487 23dd31b17e8 81486->81487 81488 23dd31acce0 LdrGetProcedureAddress 81487->81488 81489 23dd31b1800 81488->81489 81490 23dd31acce0 LdrGetProcedureAddress 81489->81490 81491 23dd31b1818 81490->81491 81492 23dd31acce0 LdrGetProcedureAddress 81491->81492 81493 23dd31b1830 81492->81493 81494 23dd31acce0 LdrGetProcedureAddress 81493->81494 81495 23dd31b1848 81494->81495 81496 23dd31acce0 LdrGetProcedureAddress 81495->81496 81497 
23dd31b1860 81496->81497 81498 23dd31acce0 LdrGetProcedureAddress 81497->81498 81499 23dd31b1878 81498->81499 81500 23dd31acce0 LdrGetProcedureAddress 81499->81500 81501 23dd31b1890 81500->81501 81502 23dd31acce0 LdrGetProcedureAddress 81501->81502 81503 23dd31b18a8 81502->81503 81504 23dd31acce0 LdrGetProcedureAddress 81503->81504 81505 23dd31b18c0 81504->81505 81506 23dd31acce0 LdrGetProcedureAddress 81505->81506 81507 23dd31b18d8 81506->81507 81508 23dd31acce0 LdrGetProcedureAddress 81507->81508 81509 23dd31b18f0 81508->81509 81510 23dd31acce0 LdrGetProcedureAddress 81509->81510 81511 23dd31b1908 81510->81511 81512 23dd31acce0 LdrGetProcedureAddress 81511->81512 81513 23dd31b1920 81512->81513 81514 23dd31acce0 LdrGetProcedureAddress 81513->81514 81515 23dd31b1938 81514->81515 81516 23dd31acce0 LdrGetProcedureAddress 81515->81516 81517 23dd31b1950 81516->81517 81518 23dd31acce0 LdrGetProcedureAddress 81517->81518 81519 23dd31b1968 81518->81519 81520 23dd31acce0 LdrGetProcedureAddress 81519->81520 81521 23dd31b1980 81520->81521 81522 23dd31acce0 LdrGetProcedureAddress 81521->81522 81523 23dd31b1998 81522->81523 81524 23dd31acce0 LdrGetProcedureAddress 81523->81524 81525 23dd31b19b0 81524->81525 81526 23dd31acce0 LdrGetProcedureAddress 81525->81526 81527 23dd31b19c8 81526->81527 81528 23dd31acce0 LdrGetProcedureAddress 81527->81528 81529 23dd31b19e0 81528->81529 81530 23dd31acce0 LdrGetProcedureAddress 81529->81530 81531 23dd31b19f8 81530->81531 81532 23dd31acce0 LdrGetProcedureAddress 81531->81532 81533 23dd31b1a10 81532->81533 81534 23dd31acce0 LdrGetProcedureAddress 81533->81534 81535 23dd31b1a28 81534->81535 81536 23dd31acce0 LdrGetProcedureAddress 81535->81536 81537 23dd31b1a40 81536->81537 81538 23dd31acce0 LdrGetProcedureAddress 81537->81538 81539 23dd31b1a58 81538->81539 81540 23dd31acce0 LdrGetProcedureAddress 81539->81540 81541 23dd31b1a70 81540->81541 81542 23dd31acce0 LdrGetProcedureAddress 81541->81542 81543 23dd31b1a88 81542->81543 81544 23dd31acce0 
LdrGetProcedureAddress 81543->81544 81545 23dd31b1aa0 81544->81545 81546 23dd31acce0 LdrGetProcedureAddress 81545->81546 81547 23dd31b1ab8 81546->81547 81548 23dd31acce0 LdrGetProcedureAddress 81547->81548 81549 23dd31b1ad0 81548->81549 81550 23dd31acce0 LdrGetProcedureAddress 81549->81550 81551 23dd31b1ae8 81550->81551 81552 23dd31acce0 LdrGetProcedureAddress 81551->81552 81553 23dd31b1b00 81552->81553 81554 23dd31acce0 LdrGetProcedureAddress 81553->81554 81555 23dd31b1b18 81554->81555 81556 23dd31acce0 LdrGetProcedureAddress 81555->81556 81557 23dd31b1b30 81556->81557 81558 23dd31acce0 LdrGetProcedureAddress 81557->81558 81559 23dd31b1b48 81558->81559 81560 23dd31acce0 LdrGetProcedureAddress 81559->81560 81561 23dd31b1b60 81560->81561 81562 23dd31acce0 LdrGetProcedureAddress 81561->81562 81563 23dd31b1b78 81562->81563 81564 23dd31acce0 LdrGetProcedureAddress 81563->81564 81565 23dd31b1b90 81564->81565 81566 23dd31acce0 LdrGetProcedureAddress 81565->81566 81567 23dd31b1bc1 81566->81567 81568 23dd31acce0 LdrGetProcedureAddress 81567->81568 81569 23dd31b1bf2 81568->81569 81570 23dd31acce0 LdrGetProcedureAddress 81569->81570 81571 23dd31b1c23 81570->81571 81572 23dd31acce0 LdrGetProcedureAddress 81571->81572 81573 23dd31b1c54 81572->81573 81574 23dd31acce0 LdrGetProcedureAddress 81573->81574 81575 23dd31b1c85 81574->81575 81576 23dd31acce0 LdrGetProcedureAddress 81575->81576 81577 23dd31b1cb6 81576->81577 81578 23dd31acce0 LdrGetProcedureAddress 81577->81578 81579 23dd31b1ce7 81578->81579 81580 23dd31acce0 LdrGetProcedureAddress 81579->81580 81581 23dd31b1d18 81580->81581 81582 23dd31acce0 LdrGetProcedureAddress 81581->81582 81583 23dd31b1d49 81582->81583 81584 23dd31acce0 LdrGetProcedureAddress 81583->81584 81585 23dd31b1d7a 81584->81585 81586 23dd31acce0 LdrGetProcedureAddress 81585->81586 81587 23dd31b1dab 81586->81587 81588 23dd31acce0 LdrGetProcedureAddress 81587->81588 81589 23dd31b1ddc 81588->81589 81590 23dd31acce0 LdrGetProcedureAddress 81589->81590 81591 
23dd31b1e0d 81590->81591 81592 23dd31acce0 LdrGetProcedureAddress 81591->81592 81593 23dd31b1e3e 81592->81593 81594 23dd31acce0 LdrGetProcedureAddress 81593->81594 81595 23dd31b1e6f 81594->81595 81596 23dd31acce0 LdrGetProcedureAddress 81595->81596 81597 23dd31b1ea0 81596->81597 81598 23dd31acce0 LdrGetProcedureAddress 81597->81598 81599 23dd31b1ed1 81598->81599 81600 23dd31acce0 LdrGetProcedureAddress 81599->81600 81601 23dd31b1f02 81600->81601 81602 23dd31acce0 LdrGetProcedureAddress 81601->81602 81603 23dd31b1f33 81602->81603 81604 23dd31acce0 LdrGetProcedureAddress 81603->81604 81605 23dd31b1f64 81604->81605 81606 23dd31acce0 LdrGetProcedureAddress 81605->81606 81607 23dd31b1f95 81606->81607 81608 23dd31acce0 LdrGetProcedureAddress 81607->81608 81609 23dd31b1fc6 81608->81609 81610 23dd31acce0 LdrGetProcedureAddress 81609->81610 81611 23dd31b1ff7 81610->81611 81612 23dd31acce0 LdrGetProcedureAddress 81611->81612 81613 23dd31b2028 81612->81613 81614 23dd31acce0 LdrGetProcedureAddress 81613->81614 81615 23dd31b2059 81614->81615 81616 23dd31acce0 LdrGetProcedureAddress 81615->81616 81617 23dd31b208a 81616->81617 81618 23dd31acce0 LdrGetProcedureAddress 81617->81618 81619 23dd31b20bb 81618->81619 81620 23dd31acce0 LdrGetProcedureAddress 81619->81620 81621 23dd31b20ec 81620->81621 81622 23dd31acce0 LdrGetProcedureAddress 81621->81622 81623 23dd31b211d 81622->81623 81624 23dd31acce0 LdrGetProcedureAddress 81623->81624 81625 23dd31b214e 81624->81625 81626 23dd31acce0 LdrGetProcedureAddress 81625->81626 81627 23dd31b217f 81626->81627 81628 23dd31acce0 LdrGetProcedureAddress 81627->81628 81629 23dd31b21b0 81628->81629 81630 23dd31acce0 LdrGetProcedureAddress 81629->81630 81630->81461 81632 23dd31b01ce 81631->81632 81633 23dd31acce0 LdrGetProcedureAddress 81632->81633 81834 23dd31b0e4a 81632->81834 81634 23dd31b0228 81633->81634 81635 23dd31acce0 LdrGetProcedureAddress 81634->81635 81636 23dd31b0243 81635->81636 81637 23dd31acce0 LdrGetProcedureAddress 81636->81637 81638 
23dd31b026c 81637->81638 81639 23dd31acce0 LdrGetProcedureAddress 81638->81639 81640 23dd31b028b 81639->81640 81641 23dd31acce0 LdrGetProcedureAddress 81640->81641 81642 23dd31b02aa 81641->81642 81643 23dd31acce0 LdrGetProcedureAddress 81642->81643 81644 23dd31b02c9 81643->81644 81645 23dd31acce0 LdrGetProcedureAddress 81644->81645 81646 23dd31b02e8 81645->81646 81647 23dd31acce0 LdrGetProcedureAddress 81646->81647 81648 23dd31b0307 81647->81648 81649 23dd31acce0 LdrGetProcedureAddress 81648->81649 81650 23dd31b0326 81649->81650 81651 23dd31acce0 LdrGetProcedureAddress 81650->81651 81652 23dd31b0345 81651->81652 81653 23dd31acce0 LdrGetProcedureAddress 81652->81653 81654 23dd31b0364 81653->81654 81655 23dd31acce0 LdrGetProcedureAddress 81654->81655 81656 23dd31b0383 81655->81656 81657 23dd31acce0 LdrGetProcedureAddress 81656->81657 81658 23dd31b03a2 81657->81658 81659 23dd31acce0 LdrGetProcedureAddress 81658->81659 81660 23dd31b03c1 81659->81660 81661 23dd31acce0 LdrGetProcedureAddress 81660->81661 81662 23dd31b03e0 81661->81662 81663 23dd31acce0 LdrGetProcedureAddress 81662->81663 81664 23dd31b03ff 81663->81664 81665 23dd31acce0 LdrGetProcedureAddress 81664->81665 81666 23dd31b041e 81665->81666 81667 23dd31acce0 LdrGetProcedureAddress 81666->81667 81668 23dd31b043d 81667->81668 81669 23dd31acce0 LdrGetProcedureAddress 81668->81669 81670 23dd31b045c 81669->81670 81671 23dd31acce0 LdrGetProcedureAddress 81670->81671 81672 23dd31b047b 81671->81672 81673 23dd31acce0 LdrGetProcedureAddress 81672->81673 81674 23dd31b049a 81673->81674 81675 23dd31acce0 LdrGetProcedureAddress 81674->81675 81676 23dd31b04b9 81675->81676 81677 23dd31acce0 LdrGetProcedureAddress 81676->81677 81678 23dd31b04d8 81677->81678 81679 23dd31acce0 LdrGetProcedureAddress 81678->81679 81680 23dd31b04f7 81679->81680 81681 23dd31acce0 LdrGetProcedureAddress 81680->81681 81682 23dd31b0516 81681->81682 81683 23dd31acce0 LdrGetProcedureAddress 81682->81683 81684 23dd31b0535 81683->81684 81685 23dd31acce0 

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
                                          • String ID:
                                          • API String ID: 1596153048-0

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateFirstSnapshotThread32Toolhelp32
                                          • String ID: 0
                                          • API String ID: 490256885-4108050209

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProcedure
                                          • String ID:
                                          • API String ID: 3653107232-0

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateFirstSnapshotThread32Toolhelp32
                                          • String ID:
                                          • API String ID: 490256885-0

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000006.00000003.2253460696.0000023DD3160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023DD3160000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_3_23dd3160000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000006.00000003.2253460696.0000023DD3160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023DD3160000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_3_23dd3160000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID: Internet$HttpOpenRequest$CloseConnectHandleSend
                                          • String ID:
                                          • API String ID: 1522158186-0

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID: Fiber$CreateDelete
                                          • String ID:
                                          • API String ID: 2527733159-0

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677173840.0000023DD31A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023DD31A1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_23dd31a1000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateMutex
                                          • String ID:
                                          • API String ID: 1964310414-0

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                          • String ID:
                                          • API String ID: 680105476-0

                                          Control-flow Graph

                                          APIs
                                          • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFD93741114
                                            • Part of subcall function 00007FFD9374286C: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FFD93742874
                                            • Part of subcall function 00007FFD9374286C: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFD93742879
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                          • String ID:
                                          • API String ID: 1208906642-0

                                          Control-flow Graph

                                          APIs
                                          • HeapAlloc.KERNEL32(?,?,00000000,00007FFD9374A7BA,?,?,?,00007FFD93746B7E,?,?,?,00007FFD93746BC7,?,?,00000000,00007FFD93749A3B), ref: 00007FFD937497D9
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocHeap
                                          • String ID:
                                          • API String ID: 4292702814-0
                                          Memory Dump Source
                                          • Source File: 00000006.00000003.2253460696.0000023DD3160000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000023DD3160000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_3_23dd3160000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
                                          • String ID: utf8
                                          • API String ID: 3069159798-905460609
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                          • String ID:
                                          • API String ID: 2591520935-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                          • String ID:
                                          • API String ID: 3140674995-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID:
                                          • API String ID: 2238633743-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                          • String ID:
                                          • API String ID: 1239891234-0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$Handle$CloseCreateErrorLast$InformationSizeSleep
                                          • String ID:
                                          • API String ID: 142978218-0
                                          • Opcode ID: 26862680f932b182a8d9d2cc3b4f95d5efc313cd42107615d5aecd2772f46e7c
                                          • Instruction ID: 52ae3920494982c1856372753d54c8f0ad66eb9870b2c25f6cea25a12ad1b580
                                          • Opcode Fuzzy Hash: 26862680f932b182a8d9d2cc3b4f95d5efc313cd42107615d5aecd2772f46e7c
                                          • Instruction Fuzzy Hash: 7B716121B0C64683F6745BA5A46473A72A8BF49BB4F104335EABE57BD4DF7CE8098700
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Count64Tick$Sleep
                                          • String ID: %s at line %d of [%.10s]$05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d$API call with %s database connection pointer$destination database is in use$invalid$misuse$source and destination must be distinct
                                          • API String ID: 417912201-3158697872
                                          • Opcode ID: b081c2a26e7da91c4aeedb44f17af51f8224c98c509d5ffbfbcf2ae96c53074a
                                          • Instruction ID: 32dd9eab0888a0ca1cc1019acddcdad3c936db54cc4241ef137a2dca8b70b719
                                          • Opcode Fuzzy Hash: b081c2a26e7da91c4aeedb44f17af51f8224c98c509d5ffbfbcf2ae96c53074a
                                          • Instruction Fuzzy Hash: 61518065B09B4686FB749B95E96027833A8FB88B88F140439CE5D277A5DF7CF891C340
                                          APIs
                                          • FreeLibrary.KERNEL32(?,?,?,00007FFD9374B12C,?,?,?,?,00007FFD93746402), ref: 00007FFD9374ABA0
                                          • GetProcAddress.KERNEL32(?,?,?,00007FFD9374B12C,?,?,?,?,00007FFD93746402), ref: 00007FFD9374ABAC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressFreeLibraryProc
                                          • String ID: api-ms-$ext-ms-
                                          • API String ID: 3013587201-537541572
                                          • Opcode ID: 7562c84af24565a34be147bf0d63188374f690327f7759320bb3070aed37f4fe
                                          • Instruction ID: 44a85e0e5f0691e655e190c360cff7884cd7d539e149c2aea61ed69af1e77f91
                                          • Opcode Fuzzy Hash: 7562c84af24565a34be147bf0d63188374f690327f7759320bb3070aed37f4fe
                                          • Instruction Fuzzy Hash: 4641F622B29B0252FA76CB96A868575339BBF45BE0F044535DD1DA7784EE3CF805C701
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Count64Tick$Sleep
                                          • String ID: %s at line %d of [%.10s]$05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d$API called with finalized prepared statement$misuse
                                          • API String ID: 417912201-2356847551
                                          • Opcode ID: 14dbfe15db05f7460b2fb4c622cd54e52d52a6ca8ea0413059ae43ca11291b19
                                          • Instruction ID: 6b04b6f87792cfcae8f37dbc04c932baa1e0b91d5595f7697a16692125affa84
                                          • Opcode Fuzzy Hash: 14dbfe15db05f7460b2fb4c622cd54e52d52a6ca8ea0413059ae43ca11291b19
                                          • Instruction Fuzzy Hash: 4C21B424B0D74647FA749BD698B02793399BF48B80F100439CAAE27795DF7DE8518300
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: _invalid_parameter_noinfo
                                          • String ID: f$p$p
                                          • API String ID: 3215553584-1995029353
                                          • Opcode ID: c9ad3ceda9924f7410024becc4520081b5d7fe8b9201ec39d397413a1bd7d468
                                          • Instruction ID: df1fc29990d31dbdc0a4af1a386e4c1509f4580f65add3c586a2d0525a5b20e3
                                          • Opcode Fuzzy Hash: c9ad3ceda9924f7410024becc4520081b5d7fe8b9201ec39d397413a1bd7d468
                                          • Instruction Fuzzy Hash: 4612F762F1C687A6FB309A94D16C6B9739BFB40750F844136D6AA676C4DF3DF8808B10
                                          APIs
                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FFD93745EBB,?,?,?,00007FFD93742A40,?,?,?,?,00007FFD93742879), ref: 00007FFD93745D81
                                          • GetLastError.KERNEL32(?,?,?,00007FFD93745EBB,?,?,?,00007FFD93742A40,?,?,?,?,00007FFD93742879), ref: 00007FFD93745D8F
                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FFD93745EBB,?,?,?,00007FFD93742A40,?,?,?,?,00007FFD93742879), ref: 00007FFD93745DB9
                                          • FreeLibrary.KERNEL32(?,?,?,00007FFD93745EBB,?,?,?,00007FFD93742A40,?,?,?,?,00007FFD93742879), ref: 00007FFD93745E27
                                          • GetProcAddress.KERNEL32(?,?,?,00007FFD93745EBB,?,?,?,00007FFD93742A40,?,?,?,?,00007FFD93742879), ref: 00007FFD93745E33
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                          • String ID: api-ms-
                                          • API String ID: 2559590344-2084034818
                                          • Opcode ID: 97cf97467306c0c550e19c554bc7348bfd4a3b55111874371f74137d8fa85d2a
                                          • Instruction ID: 6b1464f03c44babbf468241f19407988bd0a4c5f2c1c8774bc19640c37f138fa
                                          • Opcode Fuzzy Hash: 97cf97467306c0c550e19c554bc7348bfd4a3b55111874371f74137d8fa85d2a
                                          • Instruction Fuzzy Hash: 0231E422B0AB4192EE359B92A868279329DFF48BB0F590535DD2D6B7D4EF3CF4458700
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Value$ErrorLast
                                          • String ID:
                                          • API String ID: 2506987500-0
                                          • Opcode ID: b9a1ac309250ead7b6ce62fd7431341ae0cb016c43f98512d52d2251d7bf1373
                                          • Instruction ID: fdadae9c7bfab0acaa3a474c746bea6c354ac6b145f5c68bb3f5b6743423198b
                                          • Opcode Fuzzy Hash: b9a1ac309250ead7b6ce62fd7431341ae0cb016c43f98512d52d2251d7bf1373
                                          • Instruction Fuzzy Hash: 78214110F0D24646FAB5A7E596F9139B16B6F447A0F044634D93E37AD6ED2CF4018701
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Wow64$CreateFileRedirection$DisableErrorLastRevertSleep
                                          • String ID:
                                          • API String ID: 816130295-0
                                          • Opcode ID: 8bc8b1338c340a8ddbdd9b67acbd75ea5fbde127c461d89fcb9100d212f640d4
                                          • Instruction ID: 1423a1609bf91479e5e0e41ba49f342f9d81537199f25f73ed2c4b70afa158ea
                                          • Opcode Fuzzy Hash: 8bc8b1338c340a8ddbdd9b67acbd75ea5fbde127c461d89fcb9100d212f640d4
                                          • Instruction Fuzzy Hash: DD510672B0869183FB784BA9E42573A6594BB887A0F104639DEBF63BD5CE3DDC458700
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: FileLock
                                          • String ID:
                                          • API String ID: 3169042693-0
                                          • Opcode ID: b36627909b426c5d2d265d94e02e54517e320222c7ed38f17ffb1feb783f61bc
                                          • Instruction ID: 4056b2ed2a09ab73f4e6d7924c02047acc056099032b6d02d36923a4047913c1
                                          • Opcode Fuzzy Hash: b36627909b426c5d2d265d94e02e54517e320222c7ed38f17ffb1feb783f61bc
                                          • Instruction Fuzzy Hash: 04416C32B18B4487EB608F65F49462E72A9FB8CB94F544131EAAC93B58DF3CD481CB00
                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,00007FFD93748239,?,?,?,?,00007FFD937497EB,?,?,00000000,00007FFD9374A7BA,?,?,?), ref: 00007FFD9374A6AB
                                          • FlsSetValue.KERNEL32(?,?,?,00007FFD93748239,?,?,?,?,00007FFD937497EB,?,?,00000000,00007FFD9374A7BA,?,?,?), ref: 00007FFD9374A6E1
                                          • FlsSetValue.KERNEL32(?,?,?,00007FFD93748239,?,?,?,?,00007FFD937497EB,?,?,00000000,00007FFD9374A7BA,?,?,?), ref: 00007FFD9374A70E
                                          • FlsSetValue.KERNEL32(?,?,?,00007FFD93748239,?,?,?,?,00007FFD937497EB,?,?,00000000,00007FFD9374A7BA,?,?,?), ref: 00007FFD9374A71F
                                          • FlsSetValue.KERNEL32(?,?,?,00007FFD93748239,?,?,?,?,00007FFD937497EB,?,?,00000000,00007FFD9374A7BA,?,?,?), ref: 00007FFD9374A730
                                          • SetLastError.KERNEL32(?,?,?,00007FFD93748239,?,?,?,?,00007FFD937497EB,?,?,00000000,00007FFD9374A7BA,?,?,?), ref: 00007FFD9374A74B
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Value$ErrorLast
                                          • String ID:
                                          • API String ID: 2506987500-0
                                          • Opcode ID: 659d54af87f3e3197771c75a9b8051b0d31e11a352b3fda74e1bb30c80f9d6c9
                                          • Instruction ID: 4f196c54c9f3d1679d513deb15f5d8f0c4bcaf3a73dce5649a998293dded4fe3
                                          • Opcode Fuzzy Hash: 659d54af87f3e3197771c75a9b8051b0d31e11a352b3fda74e1bb30c80f9d6c9
                                          • Instruction Fuzzy Hash: FF111F24F0D24642FAB5A7E296F9139729B6F447B0F044638D83E376D6EE6CB4018702
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateFile$CloseErrorHandleLastSleep
                                          • String ID:
                                          • API String ID: 4217092948-0
                                          • Opcode ID: a2ff643abf45aec6c4c85093942659c5441a63467c0d701a9e44b994c773c3d4
                                          • Instruction ID: 090e9c5ce1a06add4a68b0431730664a7c1ef7a97876cf2567fe5e94ac18ba8d
                                          • Opcode Fuzzy Hash: a2ff643abf45aec6c4c85093942659c5441a63467c0d701a9e44b994c773c3d4
                                          • Instruction Fuzzy Hash: CF21D221B1874182F7B04BA1A96472A75D5BB85BF4F140334EEB913BD4CF3CD4458704
                                          APIs
                                          • FlsGetValue.KERNEL32(?,?,?,00007FFD93746B7E,?,?,?,00007FFD93746BC7,?,?,00000000,00007FFD93749A3B), ref: 00007FFD9374A783
                                          • FlsSetValue.KERNEL32(?,?,?,00007FFD93746B7E,?,?,?,00007FFD93746BC7,?,?,00000000,00007FFD93749A3B), ref: 00007FFD9374A7A2
                                          • FlsSetValue.KERNEL32(?,?,?,00007FFD93746B7E,?,?,?,00007FFD93746BC7,?,?,00000000,00007FFD93749A3B), ref: 00007FFD9374A7CA
                                          • FlsSetValue.KERNEL32(?,?,?,00007FFD93746B7E,?,?,?,00007FFD93746BC7,?,?,00000000,00007FFD93749A3B), ref: 00007FFD9374A7DB
                                          • FlsSetValue.KERNEL32(?,?,?,00007FFD93746B7E,?,?,?,00007FFD93746BC7,?,?,00000000,00007FFD93749A3B), ref: 00007FFD9374A7EC
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Value
                                          • String ID:
                                          • API String ID: 3702945584-0
                                          • Opcode ID: 90ec7c1a636f1d95c84cb412225ef5d14ba7aca8b717b7e8385991f0027740e3
                                          • Instruction ID: 47e63d264beea4dc2eb99f125c92ee997d7b39ed3aed14b6709a55ca5bef051b
                                          • Opcode Fuzzy Hash: 90ec7c1a636f1d95c84cb412225ef5d14ba7aca8b717b7e8385991f0027740e3
                                          • Instruction Fuzzy Hash: 55116310F0D24642FAB597A696E9139319F6F443A0F044738D83D366C6ED2CB4018601
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Value
                                          • String ID:
                                          • API String ID: 3702945584-0
                                          • Opcode ID: ea511fab9fff80f39c8c8f765a17b1fe5af6f23b8e7e1f80ec0b2e79d8b852b7
                                          • Instruction ID: 95e08a8dfb2a37f597b03fe2796d322cad1eb86fd735b6bcaceec7de1505b7f2
                                          • Opcode Fuzzy Hash: ea511fab9fff80f39c8c8f765a17b1fe5af6f23b8e7e1f80ec0b2e79d8b852b7
                                          • Instruction Fuzzy Hash: C6110650F0920B46FEB9A6E654BD679328F5F55360F180A38D83E3A6D6ED2CB4018603
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Count64Tick$Sleep
                                          • String ID: e
                                          • API String ID: 417912201-4024072794
                                          • Opcode ID: d8d85095fabac17001ec52283b05e35ec8faecd96f452eb79881bf3bb05c31bf
                                          • Instruction ID: 66aad9f121e0264ad0b2eb37c45b4e36ad6375236a63229137c8743cb5b9bfa8
                                          • Opcode Fuzzy Hash: d8d85095fabac17001ec52283b05e35ec8faecd96f452eb79881bf3bb05c31bf
                                          • Instruction Fuzzy Hash: EA414D26B0964287FB758BA9D46433937B9EF88B54F244035CA2D276A4DF7CE882C740
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: Count64Tick$Sleep
                                          • String ID: unknown database: %s
                                          • API String ID: 417912201-159662586
                                          • Opcode ID: f041a6b858bdea5b80568aa1f82bf390a6326fd5199faca200ed2a87d417fd01
                                          • Instruction ID: 8fef723db398471b14cf92e20d1a6e5c9d17dd98652ff29cb34dc3c6bb1f71d0
                                          • Opcode Fuzzy Hash: f041a6b858bdea5b80568aa1f82bf390a6326fd5199faca200ed2a87d417fd01
                                          • Instruction Fuzzy Hash: 7141B326B0878247FB748F9698603B97698FB48B94F244139CD6E67794DFBCE8428700
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                          • String ID:
                                          • API String ID: 2933794660-0
                                          • Opcode ID: 254015043cd6163a033e16cf8cead884c9bc0520b6899ec2c18d6ce2124c9aa3
                                          • Instruction ID: 65f9578fae55574a12fc6cef395f33cb67f392eac0c832eda111c2ae53d31e3e
                                          • Opcode Fuzzy Hash: 254015043cd6163a033e16cf8cead884c9bc0520b6899ec2c18d6ce2124c9aa3
                                          • Instruction Fuzzy Hash: 1B113022B14F099AEB10CFA0E8652B833A8FB19758F440E35DA6D977A4EF78D555C340
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: new[]
                                          • String ID: %s%c%s$\
                                          • API String ID: 4059295235-3534329225
                                          • Opcode ID: a4ae827f49f27f6dd31bf8e6d12bc8a602828c457c4dbade2a7348c5239b154d
                                          • Instruction ID: b1f73cb89685a4f28e0427a24db33caabd8d14c90746c84f2669e2a9ec9e598c
                                          • Opcode Fuzzy Hash: a4ae827f49f27f6dd31bf8e6d12bc8a602828c457c4dbade2a7348c5239b154d
                                          • Instruction Fuzzy Hash: F4410411F4D68A41FF75A7E2AD3427967F8AF49B84F088131DD6D27692DE3CE8818341
                                          APIs
                                          • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFD93740EAF), ref: 00007FFD93742774
                                          • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFD93740EAF), ref: 00007FFD937427B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.4677729492.00007FFD93681000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFD93680000, based on PE: true
                                          • Associated: 00000006.00000002.4677713163.00007FFD93680000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677806019.00007FFD93758000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677831580.00007FFD9377B000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677855743.00007FFD9377C000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677872310.00007FFD9377E000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.4677888453.00007FFD93780000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_7ffd93680000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionFileHeaderRaise
                                          • String ID: csm
                                          • API String ID: 2573137834-1018135373
                                          • Opcode ID: 803400b020b35e7b7cee79a36dcbfeac4c00b13c1ec3e981fe52a929148dd7ad
                                          • Instruction ID: 5bbbc8f55732936de00e903dc68e86341cea7f043c0f2dc6adefa725d1ae596d
                                          • Opcode Fuzzy Hash: 803400b020b35e7b7cee79a36dcbfeac4c00b13c1ec3e981fe52a929148dd7ad
                                          • Instruction Fuzzy Hash: E9112B32718B8182EB258F55E55426977E9FB88B94F584234EB8C17758DF3CD961CB00